Back to all stories
Reports
Incident Analysis
Cauldron Flashloan Attack
9/7/2022
Cauldron Flashloan Attack

TL;DR

On Sep-06-2022 07:26:41 PM +UTC, a contract named CauldronV2 (address: 0xe767c...) suffered a loss of about ~$370K due to a vulnerability in the contract. The attacker was able to manipulate the exchange rate in the contract and withdrew 998K NXUSD with ~500K USD worth of LP tokens. The attacker received a profit of ~370k USDC. Funds are currently still sitting in the attacker’s wallet as of time of writing. This attack was detected by our CertiK Skynet monitoring system.

Previous Avalanche Incidents

Prior to this Flashloan attack on Avalanche network, Vee Finance was an Avalanche protocol that was exploited for a loss around $35 million. This incident happened shortly after Vee Finance was launched on the Avalanche network. The attacker was suspected to have stolen assets on one of Vee’s Finances trade contract address.

Zabu Finance, an Avalanche-based decentralized finance (DeFi) protocol, was exploited for $3.2 million. The attacker used Zabu’s “Transfer Tax” mechanism to mint tokens, causing their value to slide to zero from about $0.0047. The attacker later removed 4.5B ZABU tokens which he later exchanged on Trader Joe’s and Avalanche Pangolin exchanges on the Avalanche network.

Summary

Avalanche is a layer-1 smart contract platform built by Ava Labs and has been increasingly popular over the last few years and regarded as being in the top 20 crypto in market cap terms. The Avalanche network consists of an ecosystem of decentralized apps as well as staking initiatives via its “proof-of-stake” consensus mechanism. The flash loan attack took place at around 3:26 pm EST on Tuesday 6 September on the Avalanche blockchain. The attacker took ~$370,000 USDC from a smart contract after interacting with several asset and liquidity providers. The identity of the attacker still remains unknown however the funds still remain in wallet 0x8ec7… at this time of writing. Avalanche has seen a few exploits in the past but this is the first major flashloan attack of this kind in 2022 that has been recorded on that network.

Exploit Transactions

[https://snowtrace.io/tx/0x0ab12913f9232b27b0664cd2d50e482ad6aa896aeb811b53081712f42d54c026 ]

Addresses

Attacker:

0x6999...

Attacker contract (unverified):

0x16b9...

Profit recipient:

0x8ec7...

CauldronV2/Vulnerable contract:

0xe767...

DegenBox:

0x0b1f...

Attack Flow

(parts of this flow have been simplified for ease of reading)

Attacker contract flashloaned 51M USDC from AAVE. 

Attacker contract swapped 280K USDC to WAVAX with JoeSwap, then added liquidity with the WAVAX and 260k USDC. It received about 0.04533 LP token as a result.

Attacker contract swapped the remaining 50.46M USDC for WAVAX from the previous pool. This changed the reserve of the pool. 

Attacker contract called function updateExchangeRate in CauldronV2. The contract updates one of its state variable ExchangeRate according to the rigged reserve amount of the previous JoeSwap pool. 

Attacker contract called function cook in CauldronV2 to deposit 0.04533 LP tokens and withdraw 998k NXUSD. Because of the manipulated exchangeRate variable, the solvency check passed, and CauldronV2 initiated a transfer of 998k NXUSD from DegenBox to the attacker contract. 

The attacker contract swapped the WAVAX back to USDC, made normal interactions with Curve.fi without gaining profit, and eventually paid back the flashloan. The final profit was about 370K USDC, and it is transferred to address 0x8ec7...

Vulnerability

Vulnerable contract CauldronV2 is basing its exchangeRate calculation on the reserves of an external pool, which can be largely affected by injecting floanloan’d amounts. Meanwhile, the exchange rate can be updated by external call. This makes it possible for the attacker to manipulate the exchangeRate in contract CauldronV2. 

Function updateExchangeRate is a public function:

Pic 1

The variable rate is calculated by oracle.get(oracleData), where as the oracle calculates the rate basing on the reserves of JoeSwap pool:

Pic 2

Function cook allows the attacker to withdraw and deposit asset as long as the provided collateral is solvent. The _isSolvent check take exchangeRate as input, which was manipulated in this incident.

Pic 3 Pic 4

As a result, the attacker was able to receive ~1M NXUSD in exchange of 500K USD  worth of LP token. 

Profit and Assets Tracing 

Address 0x8ec7... received the profit: ~370K USDC by the end of the exploit.

50,000 of the profit was swapped to ~2713 WAVAX and stays in the contract as of 9/6 21:32 UTC. (tx: 0xe100...)

The rest of the USDC token was transferred to

Stargate Finance: S*USDC Token 

(tx: 0xe2d1... and 0x36bf...)

Conclusion:

With ~$339 million stolen by flashloan attacks this year, this incident is just another example of how these attacks have been increasingly been favored by fraudsters. Nereus posted a post-mortem where they stated that they: “quickly consulted security experts, developed a mitigation plan, and notified law enforcement to support efforts”. This attack could’ve been prevented through third party audits and penetration tests as the exchange rate is dependent on an external contract. CertiK’s highly skilled and motivated team is always here to help conduct these audits and pen-tests and trace stolen assets and report to our law enforcement network. Lacking that, we can assist through detection with our 24/7 CertiK Skynet monitoring service.

;