Started at 16:47:53PM UTC, Feb. 27, 2021, the Furucombo protocol contract was exploited to result in more than $14M loss. The incident was due to a flaw of inappropriate trust in the protocol, which is exploited to cascadingly misuse the allowed spending of this protocol on its users. In this blog post, we elaborate the technical details of the issue.

Image for post
Image for post

Summary

This incident was due to a flawed logic in trusting a remote entity that has been previously whitelisted. However, the remote entity supports a logic that makes use of the delegatecall feature to invoke user-provided (untrusted) code. As a result…


Started at 21:49:07 PM +UTC, Feb. 4, 2021, the yDAI vault contract was exploited to result in about $11M loss. The incident was due to a flaw in allowing for a forced investment into a strategy, i.e., StrategyDAI3pool, which is manipulated to be not profitable at the investment moment. Here we elaborate the technical details of the issue in this blog post.

Image for post
Image for post

Summary

This incident was due to a flawed logic in allowing for forced investment of a non-profitable strategy. The flashloan has been utilized to influence the targeted strategy so that it becomes not profitable at the specific transaction of…


[Disclaimer] This analysis is based on the initial finding by @nomorebear!

Started at 08:08:12 AM +UTC, Dec. 28, 2020, Cover’s Blacksmith contract was exploited to mess up the total amount of COVER tokens in circulation with currently 40+ quintillion COVERs (1 quintillion = 10^18). The incident was due to a business logic bug in the way of calculating the COVER rewards for staking users. It is worthwhile to mention that it seems a white-hat operation and the gains from the exploit are already returned back to the team. In the following, we elaborate the technical details.

Image for post
Image for post

Summary

This incident was due…


Started at 10:24:41 PM +UTC, Dec. 17, 2020, WarpFinance was exploited and drained $~7.8 million of DAI from its vault (WarpVaultSC). The incident was due to a bug in the way of measuring asset price from an AMM-based oracle. It is worthwhile to mention that this attack does not result in immediate profit for the attacker. In the following, we elaborate the technical details.

Image for post
Image for post

Summary

This incident was due to a bug in the protocol that uses the AMM-based oracle, i.e., Uniswap, to measure the asset price. After a flashloan-based price manipulation on Uniswap, the exploitation leads to an un-proportional (borrowed)…


Started at 18:37:24 PM +UTC, Nov-21–2020, Pickle Finance was attacked by exploiting two bugs in the ControllerV4 smart contract. The hack results in draining all invested 19.76M DAIs under the StrategyCmpdDaiV2 management. Here we elaborate the technical details of these two bugs in this blog post.

Image for post
Image for post

Summary

Pickle is a yield-generating YFI-related DeFi protocol on Ethereum that allows users to deposit assets and earn yields. However, it has two bugs in the controller logic: The first one is input validation bug that fails to validate whether a given jar is supported or not; and the second one is arbitrary code execution


Started at 08:26:52 PM +UTC, Nov-17–2020, 88mph was attacked by exploiting a business logic error in the DInterest smart contract. The hack results in maliciously minting approximately $100K worth of MPH tokens. Later, the hacker transferred the funds to the MPH-ETH UniswapV2 pool. With the help of the legendary whitehat, samczsun, the dev team exploited another bug in the MPHMinter contract to drain the Uniswap pool for rescuring existing funds and getting the hacked funds back. Here we elaborate the technical details of these two bugs in this blog post.

Image for post
Image for post

Summary

88mph is a fixed-rate yield-generation protocol on Ethereum that allows…


Started at 00:47:19 AM +UTC, Nov-17–2020, the Origin protocol was attacked by exploiting its flawed handling of the mint logic in its VaultCore smart contract. The hack results in a loss of approximately $7.7M (11,809 ETH and 2,249,821 DAI) from the affected vault. Here we elaborate the technical details in this blog post.

Image for post
Image for post

Summary

This incident was due to a bug in the protocol without (1) validating the transferred-in assets and (2) enforcing reentrancy protection on the mint logic. The exploitation leads to a greatly inflated totalSupply of the rebasing token, i.e., OUSD. The attacker then makes use of the inflation…


In this blog, we analyze a Cheese Bank hack that occurred at 19:22:21 PM +UTC, Nov-6–2020. This hack was discovered while we review evil-will flashloans. This particular hack drains $3.3 million of USDC/USDT/DAI from Cheese Bank by exploiting a bug in its way to measure asset price from an AMM-based oracle. In the following, we elaborate the technical details.

Image for post
Image for post

Summary

Cheese Bank is a decentralized autonomous digital bank on Ethereum that allows investors to manage asset, including lending, fund management, insurance services etc. However, it has a flawed approach in the value measurement of collaterals based on the AMM-based oracle, i.e…


Started at 15:36:30 PM +UTC, Nov-14–2020, Value DeFi was exploited to drain $7.4 million of DAI from its pooled MultiStablesVault. The incident was due to a bug in the way to measure asset price from an AMM-based oracle. The hacker further leaves a message ("do you really know flashloan?") to challenge the team. In the following, we elaborate the technical details.

Image for post
Image for post

Summary

This incident was due to a bug in the protocol that uses the AMM-based oracle, i.e., Curve, to measure the asset price. After a flashloan-based price manipulation on Curve, the exploitation leads to an unproportional 3crv tokens even from…


Started at 11:50:41 AM +UTC, Nov-12–2020, Akropolis was attacked by exploiting its flawed handling of the deposit logic in its SavingsModule smart contract. The hack results in a loss of 2,030,841.0177 DAI from the affected YCurve and sUSD pools in Akropolis. Here we elaborate the technical details in this blog post.

Image for post
Image for post

Summary

This incident was due to a bug in the protocol without (1) validating the supported tokens and (2) enforcing reentrancy protection on the deposit logic. The exploitation leads to a large number of pooltokens minted without being backed by valuable assets. The redemption of these minted pooltokens is then…

PeckShield

A Blockchain Security Company (https://peckshield.com)

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store