Cover Incident: The Unlimited Token-Minting Vulnerability

[Disclaimer] This analysis is based on the initial finding by @nomorebear!

Started at 08:08:12 AM +UTC, Dec. 28, 2020, Cover’s Blacksmith contract was exploited to mess up the total amount of COVER tokens in circulation with currently 40+ quintillion COVERs (1 quintillion = 10^18). The incident was due to a business logic bug in the way of calculating the COVER rewards for staking users. It is worthwhile to mention that it seems a white-hat operation and the gains from the exploit are already returned back to the team. In the following, we elaborate the technical details.

Summary

This incident was due to a business bug in the protocol that mis-calculates the reward amount for staking users. There is no flashloan or price manipulation involved. The consequence of normal staking and unstaking operations will directly result in wrong amount of COVER tokens being minted. Currently, the bug has been exploited to issue more than 40+ quintillion COVERs (1 quintillion = 10¹⁸). The minted tokens are sold off at various DEX platforms and the gains are returned back to the team.

Details

The Unlimited Minting Vulnerability

We started the analysis from the transaction behind one specific staking operation: d721…7a50. This staking operation can be divided into three distinct steps: (1) It firstly updates the pool by computing the COVER rewards minted in the elapsed period with the latest accRewardsPerToken (via updatePool() at line 121); (2) it then claims the miner’s rewards (via _claimCoverRewards() and _claimBonus() at lines 125-126); and (3) it finally records the miner’s status with the staked amount and the associated rewardWriteoff and bonusWriteoff (lines 128-131). For illustration, we show below the related deposit() routine.

The issue comes from the rewardWriteoff mis-calculation in the above third step. Specifically, the current calculation of miner.amount.mul(pool.accRewardsPerToken).div(CAL_MULTIPLIER) (line 130) uses the pool.accRewardsPerToken, which is defined as memory (line 118) and is thus outdated without being updated in updatePool(). Since it is outdated, the resulting rewardWriteoff is smaller than expected. When next time the same staking user claims the rewards, the staking contract, i.e., Blacksmith, mints extra COVER tokens. A crafted input with staked amount can greatly amplify the minted amount. Currently, there are more than 40 quintillion COVERs minted in circulation.

The Funds

Though this incident leads to unlimited minting of COVER tokens, these minted tokens are dumped at various DEX platforms to dramatically lower down the token price. The white-hat behind the attack has already returned the gains of 4,350 ETH back to the team in the following transaction: c2fd…982e.

About Us

PeckShield Inc. is an industry leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.