Novax incident - Price Manupilation
Novax, a decentralized finance (DeFi) project on the Binance Smart Chain, suffered an exploit on August 6, 2024, resulting in an estimated loss of approximately $25,000. The incident highlights vulnerabilities in the protocol's oracle and staking mechanisms, emphasizing the need for more robust security measures in DeFi projects.
Overview
Attacker:
https://bscscan.com/address/0x81ca56b6973ff63e3ff2b3f99cb6a6d211269e79
Vulnerable Contract:
https://bscscan.com/address/0x55c9eebd368873494c7d06a4900e8f5674b11bd2
Transaction attack: https://bscscan.com/tx/0xb1ad1188d620746e2e64785307a7aacf2e8dbda4a33061a4f2fbc9721048e012
Exploit Analysis
The attack was straightforward: the attacker used a flash loan to borrow USDT from the USDT-BUSD pair, purchased NovaX tokens, staked half of the NovaX balance, sold the other half, and then withdrew the funds.
The contract allowed immediate staking and withdrawal of NovaX tokens, exploiting price manipulation. We examined the staking and withdrawal logic:
The stake logic records the number of NovaX tokens staked, referencing the price provided by the Oracle.
However, the Oracle calculates the price based on the reserves of tokens in the pair, dividing the amounts of Token A by Token B, making it easy to manipulate with a flash loan.
Similarly, the withdraw function calculates the number of tokens to be received based on the real-time price from the Oracle. This allows an attacker to easily control the output and receive a large number of tokens.
The root cause of these vulnerabilities is that both the stake and withdraw functions calculate the value of token amounts based on an unreliable Oracle.
Lesson learned
This incident underscores the critical importance of robust price oracle mechanisms in DeFi. Relying on oracles prone to manipulation, especially via flash loans, introduces severe vulnerabilities. To enhance security, explore decentralized oracle networks, implement circuit breakers and time delays, and ensure comprehensive testing and audits. These measures will bolster the resilience of DeFi projects, safeguarding user assets and upholding trust in the ecosystem.