TL;DR
On Nov 10, 2022, DFX Finance's swapping contracts were attacked, leading to a loss of ~$5M.
Introduction
At 8 PM UTC on Nov 10, 2022, DFX Finance's swapping contracts were attacked, leading to a loss of approximately $5M. The attacker took advantage of the vulnerable flashloan mechanism in the swapping contracts: the flashloan only checked that the pool's token balances had been restored after the callback, so the attacker satisfied that check by depositing the borrowed tokens back into the same contract via deposit() (receiving LP tokens in return) instead of repaying them, and then withdrew the tokens from the pool once the flashloan had completed.
Attack Flow
- The attacker flashloaned 223K CAD Coin (CADC) and 90K USD Coin (USDC) from the pool.
- In the flashloan callback, the attacker called deposit() with the flashloaned tokens plus some additional tokens of its own.
- Because deposit() increased the pool's balance of both tokens, the post-callback balance check passed.
- In effect, the flashloan was "repaid" by the deposit, and the attacker was credited with ~1.58M LP tokens for it.
- After the flashloan completed, the attacker called withdraw() to burn the LP tokens and received CADC and USDC as profit.

Profit: (35 × 100 + 2) = 3,502 ETH sent to Tornado Cash, plus ~550K still remaining in the exploiter's wallet, roughly $5M in total (per DeBank).
Addresses
Exploiter: DeBank wallet (link)
Attacker contract: https://etherscan.io/address/0x6cfa86a352339e766ff1ca119c8c40824f41f22d#code (decompiled code: https://library.dedaub.com/contracts/Ethereum/6cFa86a352339E766FF1cA119c8C40824f41F22D/decompiled?line=1)
Exploit transaction (one of several): https://etherscan.io/tx/0x9ef031cfedd1bd8ad91d84418ee6110e5558276a338fc11892f0013d269f27f8
Profit and Assets Tracing


Vulnerability
The vulnerability is a design flaw: the flashloan's repayment check only compares the pool's token balances after the callback with the balances before it, and nothing stops the callback from calling deposit(), which raises those balances with the very tokens that were borrowed. The borrowed funds are therefore counted as "repayment" while the attacker is simultaneously credited with LP tokens for them. To close this, the contract must prevent balance-changing functions such as deposit() and withdraw() from being called while a flashloan is in progress; the recommended fix is a shared reentrancy guard on flash() and all related functions.
At the time of writing, DFX had paused the affected pools, but the vulnerability itself had not yet been patched.
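As an added illustration of both the attack flow and the fix described above (this is example code written for this page, not DFX Finance's contract), the following Python model simulates a two-token pool with balance-based flashloan accounting. The pool reserves, the attacker's own funds, the 0.05% flash fee and the pro-rata LP formula are constructed for the example; only the borrowed amounts follow the write-up. With `guarded=False` the deposit() made inside the callback satisfies the repayment check and the later withdraw() returns far more than the attacker started with; with `guarded=True` a single lock shared by flash(), deposit() and withdraw() (standing in for a nonReentrant modifier) makes the deposit fail and the flashloan revert.

```python
# Model of a pool whose flashloan repayment check is balance based and whose
# deposit()/withdraw() can be called from inside the flash callback.
# Illustrative simulation only; reserves, fee and LP maths are constructed.

FEE_BPS = 5  # hypothetical flash fee of 0.05%


class PoolLocked(Exception):
    """Raised by the guarded pool when deposit()/withdraw() run inside flash()."""


class FlashNotRepaid(Exception):
    """Raised when a balance is below pre-flash balance plus fee after the callback."""


class Pool:
    def __init__(self, ledger, lp_supply, guarded):
        self.ledger = ledger        # {holder: {token: amount}}, mimics ERC20 balanceOf
        self.lp_supply = lp_supply  # total LP tokens outstanding
        self.lp = {}                # LP balances per holder
        self.guarded = guarded      # True = reentrancy guard on deposit/withdraw
        self.locked = False

    def _transfer(self, frm, to, token, amount):
        if self.ledger[frm][token] < amount:
            raise ValueError("insufficient balance")
        self.ledger[frm][token] -= amount
        self.ledger[to][token] += amount

    def reserves(self):
        # Balance-based accounting: the pool trusts balanceOf(pool).
        return dict(self.ledger["pool"])

    def _check_not_locked(self):
        if self.guarded and self.locked:
            raise PoolLocked("deposit/withdraw not allowed during flash")

    def deposit(self, who, amounts):
        self._check_not_locked()
        pool_value = sum(self.reserves().values())
        value_in = sum(amounts.values())
        # LP minted pro rata to the *current* reserves, which are depleted
        # while a flashloan is outstanding (Solidity-style integer maths).
        minted = self.lp_supply * value_in // pool_value
        for token, amount in amounts.items():
            self._transfer(who, "pool", token, amount)
        self.lp_supply += minted
        self.lp[who] = self.lp.get(who, 0) + minted
        return minted

    def withdraw(self, who, lp_amount):
        self._check_not_locked()
        out = {}
        for token, reserve in self.reserves().items():
            out[token] = reserve * lp_amount // self.lp_supply
            self._transfer("pool", who, token, out[token])
        self.lp_supply -= lp_amount
        self.lp[who] -= lp_amount
        return out

    def flash(self, borrower, amounts, callback):
        before = self.reserves()
        self.locked = True
        try:
            for token, amount in amounts.items():
                self._transfer("pool", borrower, token, amount)
            callback(amounts)
        finally:
            self.locked = False
        # Repayment check: balance must be back to before + fee. Any inflow
        # counts, including a deposit() that minted LP tokens to the borrower.
        after = self.reserves()
        for token, amount in amounts.items():
            if after[token] < before[token] + amount * FEE_BPS // 10_000:
                raise FlashNotRepaid(token)


def run_attack(guarded):
    """Replays the attack pattern against the model; returns attacker balances."""
    ledger = {
        "pool": {"CADC": 500_000, "USDC": 400_000},    # constructed reserves
        "attacker": {"CADC": 20_000, "USDC": 20_000},  # attacker's own funds
    }
    pool = Pool(ledger, lp_supply=900_000, guarded=guarded)
    borrowed = {"CADC": 223_000, "USDC": 90_000}       # amounts from the write-up

    def callback(amounts):
        # "Repay" by depositing everything (borrowed + own) instead of returning it.
        pool.deposit("attacker", dict(ledger["attacker"]))

    pool.flash("attacker", borrowed, callback)
    pool.withdraw("attacker", pool.lp["attacker"])
    return dict(ledger["attacker"])


if __name__ == "__main__":
    print("unguarded pool, attacker ends with:", run_attack(guarded=False))
    try:
        run_attack(guarded=True)
    except PoolLocked as err:
        print("guarded pool:", err)
```

In the unguarded run the attacker turns 40,000 tokens of its own into roughly 353,000 because the LP share is computed against reserves that are still missing the borrowed amount, while the repayment check is satisfied by those same borrowed tokens. The model does not roll back ledger state on an exception the way the EVM does, so only the raised PoolLocked (not the partial balances) is meaningful in the guarded run.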



