88mph Incident: Root Cause Analysis

Summary

Details

The MPH mint Hack Walk-through

  • Step 1: Deposit stablecoin into the pool by calling the DInterest::deposit() function. With the deposited assets collected, two things happen in the DInterest smart contract: 1) A new depositID is allocated and assigned to the depositor (msg.sender) as an NFT token; 2) The MPHMinter contract mints MPH tokens to the depositor based on the interest rate model.
Figure 1: Deposit Assets
  • Step 2: Fund previous deposits by calling fundAll(). With the funding stablecoin collected: 1) A new fundingID is allocated and assigned to the funder (msg.sender) as an NFT token; 2) MPH tokens are minted to the funder.
Figure 2: Funding Previous Deposits
  • Step 3: Withdraw the funded deposit from Step 1 with the fundingID newly created in Step 2. As shown in Figure 3, the stablecoins are refunded to the depositor and the funder. However, the MPHMinter only takes back the depositor's MPH tokens, while the funder keeps the MPH tokens even though all of the funding stablecoin is returned. This enables the bad actor to mint MPH tokens from nothing. By repeating this 3-step flow, the hacker minted $100K worth of MPH tokens.
Figure 3: Early Withdraw the Funded Deposit
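The gap in Step 3 can be stated as an invariant: once every deposit has been closed and all stablecoin returned, no MPH minted for it should remain outstanding. The toy model below is an added example, not 88mph's or PeckShield's code; the Pool class, the reward rates and the claw_back_funder switch (an assumed correction, not the project's actual patch) are constructed for illustration.

```python
# Toy model of the MPH reward accounting walked through above.
# Not 88mph's contract code: class, rates and amounts are constructed.
from dataclasses import dataclass, field

DEPOSITOR_BPS = 1000  # constructed: MPH minted per deposit, in basis points
FUNDER_BPS = 500      # constructed: MPH minted per funding, in basis points


@dataclass
class Pool:
    claw_back_funder: bool  # False models the behaviour described in Step 3
    mph: dict = field(default_factory=dict)       # account -> MPH balance
    deposits: dict = field(default_factory=dict)  # depositID -> record
    next_id: int = 1

    def _mint(self, who, amount):
        self.mph[who] = self.mph.get(who, 0) + amount

    def deposit(self, who, amount):
        dep_id, self.next_id = self.next_id, self.next_id + 1
        reward = amount * DEPOSITOR_BPS // 10_000
        self.deposits[dep_id] = {"owner": who, "dep_reward": reward}
        self._mint(who, reward)
        return dep_id

    def fund(self, who, dep_id, amount):
        reward = amount * FUNDER_BPS // 10_000
        self.deposits[dep_id].update(funder=who, fund_reward=reward)
        self._mint(who, reward)

    def early_withdraw(self, dep_id):
        # Stablecoin principal and funding are both refunded in full here,
        # so only the MPH side needs tracking.
        rec = self.deposits.pop(dep_id)
        self._mint(rec["owner"], -rec["dep_reward"])  # depositor reward taken back
        if self.claw_back_funder and "funder" in rec:
            # Assumed correction, not the project's actual patch.
            self._mint(rec["funder"], -rec["fund_reward"])


def outstanding_mph(rounds, claw_back_funder):
    """MPH left in circulation after `rounds` deposit/fund/withdraw cycles."""
    pool = Pool(claw_back_funder)
    for _ in range(rounds):
        dep_id = pool.deposit("depositor", 1000)
        pool.fund("funder", dep_id, 1000)
        pool.early_withdraw(dep_id)
    return sum(pool.mph.values())
```

A non-zero result with every deposit closed is the condition a property test or supply monitor would flag.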

Drain the MPH-ETH UniswapV2 Pool

Figure 4: Rescue Transaction
  • Step 1: Withdraw the MPH in the MPH-ETH UniswapV2 pool to govTreasury by calling MPHMinter::takeBackDepositorReward() (Figure 5). Since there is no restriction on this function, anyone can call it to send anyone's MPH tokens to govTreasury.
Figure 5: takeBackDepositorReward()
  • Step 2: Drain the pool with just a few MPH tokens. Since many of the MPH tokens have been transferred to govTreasury, the MPH tokens in Uniswap are very valuable. The dev team therefore successfully swapped the ether out of the pool with just a few MPH tokens.

Aftermath

About Us


A Blockchain Security Company (https://peckshield.com)

PeckShield