Cover Incident: The Unlimited Token-Minting Vulnerability

Summary

This incident was due to a business-logic bug in the protocol that mis-calculates the reward amount for staking users. No flashloan or price manipulation is involved: normal staking and unstaking operations directly result in the wrong amount of COVER tokens being minted. Currently, the bug has been exploited to issue 40+ quintillion COVERs (1 quintillion = 10¹⁸). The minted tokens were sold off at various DEX platforms and the gains were returned to the team.

Details

The Unlimited Minting Vulnerability

We started the analysis from the transaction behind one specific staking operation: d721…7a50. This staking operation can be divided into three distinct steps: (1) it first updates the pool by computing the COVER rewards minted in the elapsed period with the latest accRewardsPerToken (via updatePool() at line 121); (2) it then claims the miner's rewards (via _claimCoverRewards() and _claimBonus() at lines 125-126); and (3) it finally records the miner's status with the staked amount and the associated rewardWriteoff and bonusWriteoff (lines 128-131). For illustration, we show below the related deposit() routine.
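An added example, not code from the original post or the Cover contracts: a Python model of the three deposit steps above, with a conservation check that minted rewards never exceed emitted rewards. The `stale` flag, the pool parameters and the miner names are constructed assumptions; the flag models a writeoff recorded from an accumulator value read before the pool update ran, which is one way a reward mis-calculation of this kind arises.

```python
# Constructed model of the accounting described above (not the Cover contract code).
SCALE = 10**12  # fixed-point scale for the accumulator (assumed value)

class Pool:
    def __init__(self, rate):
        self.rate = rate      # rewards emitted per time unit (constructed)
        self.acc = 0          # accRewardsPerToken, scaled by SCALE
        self.total = 0        # total staked in the pool
        self.last = 0         # time of the last update
        self.emitted = 0      # rewards the schedule has released so far
        self.minted = 0       # rewards actually paid out to miners
        self.miners = {}      # address -> (amount, reward_writeoff)

    def update_pool(self, now):
        # Step 1: fold the rewards of the elapsed period into the accumulator.
        if self.total > 0:
            reward = (now - self.last) * self.rate
            self.acc += reward * SCALE // self.total
            self.emitted += reward
        self.last = now

    def _settle(self, addr, value, acc_for_writeoff):
        # Step 2: pay amount * acc minus what was already written off.
        amount, writeoff = self.miners.get(addr, (0, 0))
        due = amount * self.acc // SCALE - writeoff
        self.minted += due
        # Step 3: record the new stake and its writeoff.
        amount += value
        self.miners[addr] = (amount, amount * acc_for_writeoff // SCALE)
        self.total += value
        return due

    def deposit(self, addr, value, now, stale=False):
        snapshot = self.acc               # accumulator as read before step 1
        self.update_pool(now)
        # stale=True models a writeoff computed from the pre-update snapshot.
        return self._settle(addr, value, snapshot if stale else self.acc)

    def claim(self, addr, now):
        self.update_pool(now)
        return self._settle(addr, 0, self.acc)

def scenario(stale):
    # Returns (minted, emitted); a sound pool always keeps minted <= emitted.
    pool = Pool(rate=100)
    pool.deposit("alice", 10, now=0)
    pool.deposit("bob", 1000, now=10, stale=stale)
    pool.claim("bob", now=10)
    pool.claim("alice", now=10)
    return pool.minted, pool.emitted
```

With `stale=False` the run returns `(1000, 1000)`; with `stale=True` it returns `(101000, 1000)`, so comparing minted against emitted after every state change flags the fault on the first claim.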

The Funds

Though this incident leads to unlimited minting of COVER tokens, the minted tokens were dumped at various DEX platforms, dramatically lowering the token price. The white-hat behind the attack has already returned the gains of 4,350 ETH to the team in the following transaction: c2fd…982e.

About Us

PeckShield Inc. is an industry-leading blockchain security company with the goal of elevating the security, privacy, and usability of the current blockchain ecosystem. For any business or media inquiries (including the need for smart contract auditing), please contact us at telegram, twitter, or email.
