Akropolis Incident: Root Cause Analysis

Summary

Details

The Hack Walk-through

The Reentrancy-Based Exploitation on Akropolis

The Deposit Logic

The Vulnerable Deposit Logic in *SavingsModule*
  • Step 1: The attacker calls deposit() with the specified _tokens as input. This function records the token balance before and after the call to depositToProtocol(_protocol, _tokens, _dnAmounts), then uses the balance change to mint the poolTokens (line 1970). Between the two balance readings, depositToProtocol() calls safeTransferFrom() on the target tokens to perform the actual token transfer (line 2004). However, deposit() has no reentrancy check, and there is no validity check on the deposited tokens, which might be crafted and malicious.
  • Step 2: The attacker re-enters deposit() when the token's transferFrom() function is called and invokes the hook routine.
  • Step 3: Because of this second deposit, the pool mints poolTokens to the attacker, since real DAI assets are transferred into the protocol and change the balance.
  • Step 4: When the second deposit completes, execution returns to the first deposit's context in depositToProtocol(), which then calculates the balance change again! The balance difference turns out to be exactly the same as in the second deposit. Therefore, the same amount of poolTokens is minted to the attacker again.
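
The accounting in Steps 1 to 4 can be checked with a small model. This is an added example, not code from the original post or from Akropolis: it is a Python simulation rather than the Solidity contract, and the names Token, SavingsModule, run, the "user" account and the 100-unit amount are assumptions. It runs the same nested deposit three times: unguarded, with a reentrancy check, and with a validity check on the deposited token.

```python
# Added model (not Akropolis code): balance-delta minting with and without guards.
class Reverted(Exception):
    """Stands in for an EVM revert."""

class Token:
    """Minimal ERC20-like ledger; `hook` models code a crafted token runs in transferFrom."""
    def __init__(self, hook=None):
        self.bal, self.hook = {}, hook
    def transfer_from(self, src, dst, amt):
        if self.hook:
            self.hook()                       # crafted token: calls back, moves nothing
            return
        self.bal[src] = self.bal.get(src, 0) - amt
        self.bal[dst] = self.bal.get(dst, 0) + amt

class SavingsModule:
    def __init__(self, asset, allowed=None, guard=False):
        self.asset, self.allowed, self.guard = asset, allowed, guard
        self.pool_tokens, self.entered = {}, False
    def protocol_balance(self):
        return self.asset.bal.get("protocol", 0)
    def deposit(self, user, token, amount):
        if self.allowed is not None and token not in self.allowed:
            raise Reverted("token not registered")   # validity check on the token
        if self.guard and self.entered:
            raise Reverted("reentrant call")         # reentrancy check
        self.entered = True
        try:
            before = self.protocol_balance()
            token.transfer_from(user, "protocol", amount)  # external call
            minted = self.protocol_balance() - before      # balance change
            self.pool_tokens[user] = self.pool_tokens.get(user, 0) + minted
            return minted
        finally:
            self.entered = False

def run(guard=False, allowlist=False):
    """Constructed scenario: one real 100-DAI deposit nested inside a crafted-token deposit."""
    dai = Token()
    dai.bal["user"] = 100
    module = SavingsModule(dai, allowed=[dai] if allowlist else None, guard=guard)
    crafted = Token(hook=lambda: module.deposit("user", dai, 100))
    try:
        module.deposit("user", crafted, 100)
        status = "ok"
    except Reverted as exc:
        status = str(exc)
    return status, module.pool_tokens.get("user", 0), module.protocol_balance()

if __name__ == "__main__":
    for kwargs in ({}, {"guard": True}, {"allowlist": True}):
        print(kwargs, run(**kwargs))
```

In the unguarded run the protocol holds 100 while 200 pool tokens exist, because the outer call measures the balance change produced by the inner one; either check makes the outer call revert before anything is minted.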

The Stolen Funds

About Us


A Blockchain Security Company (https://peckshield.com)
