Verichains Weekly Security Digest | March 2023 Week 3
In this week’s digest, Verichains released Security Advisory VSA-2022-103, the last of our Tendermint Core / Cosmos SDK series. The DeFi industry hemorrhaged a gargantuan $200 million, with Euler Finance taking the cake as 2023’s largest hack (so far).
Verichains Security Advisory
Concluding Verichains’ 3-part series of Security Advisories on critical vulnerabilities found in Tendermint Core / Cosmos SDK, we are releasing VSA-2022-103, Forging Membership Proof Vulnerability in ICS-23.
Cosmos released patches that add validation checks on leaf/inner-node prefix/suffix lengths, ensuring that an input Merkle membership proof conforms to the IAVL spec.
However, these checks mitigate the attack for IAVL and the Cosmos SDK only. It is important to note that other projects relying on ICS-23 might still suffer from this vulnerability.
As a case study of an affected vendor benefiting from the Verichains Security Advisory service: with our help, BNB Chain applied the same fix.
If your project is using ICS-23, please contact us immediately via info@verichains.io to secure your implementation.
Read the full Security Advisory here: https://blog.verichains.io/p/vsa-2022-103-cosmos-sdk-forging-membership.
Last Week’s Incidents
🚨Project: Euler Finance
⛓️Chain: Ethereum
💥Type: Business Logic Flaw
💸Loss amount: $200 million
Now let’s address the elephant in the room: last week proved devastating for another DeFi project on the Ethereum blockchain. In what is considered the largest hack of 2023 (so far), Euler Finance was exploited for $200 million.
The protocol had a vulnerability that allowed users to create artificial leverage and donate EToken units to the reserve balance of the token they were transacting with, without any account health check being performed.
As a result, a portion of the DToken units remains with the user when their account is liquidated, creating "bad debt." This flaw allowed an attacker to create an over-leveraged position and liquidate it themselves in the same block; the percentage-based liquidation discount then meant the liquidator incurred only the debt matching the collateral they would acquire.
The end result: an attacker account holding a significant amount of bad debt, and a liquidator account whose debt is over-collateralized.
🚨Project: Poolz Finance
⛓️Chain: BSC, ETH, Polygon
💥Type: Integer Overflow
💸Loss amount: $500,000
Euler was not the only project exploited last week. Another DeFi platform, Poolz Finance, had an arithmetic overflow bug in its getArraySum function, through which the attacker was able to drain funds from the Poolz vesting contract, stealing half a million dollars. The hack caused a major drop in the value of Poolz; as of the time of writing, the token is worth only $0.072, a sharp decline from its 2023 ATH of around $5.
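To make the bug class concrete, here is an added model (constructed for this digest, not Poolz’s code) of how an unchecked array sum lets a batch of vesting locks pass a "did the caller pay for these?" check while the recorded liability is far larger than the tokens received, and what the checked version does instead. The function names and the lock-creation flow are assumptions for illustration.

```python
# Constructed model of an unchecked array-sum overflow in a vesting/lock
# contract (the bug class the digest attributes to Poolz's getArraySum).
# This is illustrative code, not Poolz's implementation.
UINT256_MAX = 2**256 - 1


def _check_uint256(x):
    if not isinstance(x, int) or not 0 <= x <= UINT256_MAX:
        raise ValueError("value is not a uint256")
    return x


def array_sum_wrapping(amounts):
    """Sum like an unchecked EVM ADD: the result silently wraps modulo 2**256."""
    total = 0
    for a in amounts:
        total = (total + _check_uint256(a)) & UINT256_MAX
    return total


def array_sum_checked(amounts):
    """Sum with overflow detection, as Solidity >=0.8 checked arithmetic does."""
    total = 0
    for a in amounts:
        total += _check_uint256(a)
        if total > UINT256_MAX:
            raise OverflowError("uint256 overflow while summing amounts")
    return total


def sum_overflows(amounts):
    """True if a checked sum of these amounts would revert."""
    try:
        array_sum_checked(amounts)
    except OverflowError:
        return True
    return False


def create_locks(amounts, tokens_received, array_sum):
    """Record per-beneficiary vesting amounts after verifying the caller paid for them.

    Returns the total liability the contract takes on (each entry stored in full).
    The invariant a defender wants is liability == tokens_received; with a
    wrapping sum the equality check can pass while that invariant is broken.
    """
    if array_sum(amounts) != tokens_received:
        raise ValueError("transferred amount does not match sum of locks")
    return sum(amounts)


def liability_exceeds_funds(amounts, tokens_received, array_sum):
    """Defender-side check: would accepting this batch leave the contract under-funded?"""
    try:
        liability = create_locks(amounts, tokens_received, array_sum)
    except (OverflowError, ValueError):
        return False  # batch rejected, nothing recorded
    return liability > tokens_received
```

The same invariant (tokens actually held covers the sum of recorded claims) is what an auditor or monitoring job can recompute off-chain with unbounded integers to flag a vesting contract that has already accepted such a batch.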
🚨Project: Definix
⛓️Chain: BSC
💥Type: Flash Loan Price Manipulation
💸Loss amount: $17,000
Definix, a DeFi investment platform, was targeted by an attacker who took advantage of the platform's low liquidity. The attacker moved the asset's price through trades, then used the RebalancePool.rebalance() function to restore the price to its original value. Afterward, the attacker traded again to complete an arbitrage and profit from the exploit.
According to the project's independent report, although the liquidity pool and rebalance features were functioning correctly, the primary cause of the exploit was economic: the low liquidity in the pool allowed some users to profit from the asset's price difference through the rebalance function.