Verichains Weekly Security Digest | June 2023 Week 4
In this week’s digest, the DeFi market hemorrhaged over $2,000,000 with Atlantis Loans standing out as the largest exploit.
Price manipulation is still trending as one of the most popular ways to hack DeFi projects.
Last Week’s Incidents
🚨Project: Atlantis Loans
💥Type: Malicious Governance Proposal
💸Loss amount: $1,000,000
In last week million dollars hack, Atlantis Loans was exploited due to a malicious governance proposal. We can break the attack down into 7 steps:
The attacker submitted a malicious proposal: The attacker submitted a proposal that included a call to the _setPendingAdmin method for a list of ABep20Delegator tokens. This method is used to change the admin address of a contract.
Quorum votes requirement: In order for a proposal to be accepted, it typically requires a certain number of votes, known as the quorum votes. In this case, the required quorum votes were set to 130,000.
Attacker's voting power: The attacker had a voting power of 133,005, which exceeds the required quorum votes. This means that the attacker alone could get the proposal accepted with just one vote.
Proposal acceptance: The attacker cast their vote in support of the malicious proposal, which resulted in it being accepted. Since the attacker's voting power was sufficient, no additional votes were needed.
Proposal execution timelock: After the proposal was accepted, it was placed in a queue and had to wait for a certain duration before it could be executed. This duration is known as the proposal eta or timelock duration.
Setting the new implementation: Once the timelock duration elapsed, the proposal was executed. As part of the execution, the attacker set a new implementation for the ABep20Delegator contracts. This new implementation pointed to the attacker's malicious backdoor contract.
Exploiting the backdoor contract: By calling the 0x0b51d19e method implemented in the backdoor contract, the attacker was able to exploit the vulnerability and steal all the underlying tokens held in the ABep20Delegator contracts.
🚨Project: Sturdy Finance
💥Type: Reentrancy with Price Manipulation
💸Loss amount: ~$850,000
In another sizable exploit, Sturdy Finance lost around $850,000. The attacker carried out the attack and employed a read-only reentrancy exploit in Balancer to manipulate the price of B-stETH-STABLE. By executing a series of actions involving flashloans, liquidity addition, collateralization, borrowing, and liquidation.
To break it down:
They obtained 50K wstETH and 60K WETH through flashloans.
Using 1,100 ETH, they added liquidity to a Curve pool and received 1,023 steCRV tokens.
Next, they created a specialized contract for the attack and added the remaining tokens to the B-stETH-STABLE pool, which allowed them to acquire 109,517 B-stETH-STABLE.
By collateralizing and borrowing using the attack contract, they obtained 513 WETH.
During the withdrawal process, they exploited a vulnerability related to reentrancy, which enabled them to settle the collateral in WETH and directly withdraw the previously deposited 1,000 steCRV.
Taking advantage of a flaw in the liquidationCall function, they were able to liquidate the B-stETH-STABLE collateral with a smaller amount of ETH than what was required.
They repeated this sequence of actions multiple times, ultimately resulting in a total profit of 442 ETH.
💥Type: Price Manipulation
💸Loss amount: ~$115,000
A DeFi project called Trust The Trident was hacked for over $100,000. In this scenario, the $SELLC pool contract relies on the on-chain price obtained from the Pancake pair to calculate the rewards for users who contributed liquidity. However, during the attack transaction, the attacker employed a flashloan to manipulate the price within the Pancake platform. By doing so, they were able to obtain a substantial number of $SELLC tokens, which they subsequently transferred into BNB
🚨Project: $DEPUSDT, $LEVUSDC
💥Type: Incorrect Access Control
💸Loss amount: ~$105,000
Last week, $DEPUSDT and $LEVUSDC were exploited for around $105,000 due to an error where the approveToken function was mistakenly declared as a public function instead of an internal one. This allowed an attacker to call the function and approve themselves as spenders for all tokens. They then transferred the tokens to their own wallets, exploiting the vulnerability