
YOLO Games (Bazaar) Incident Analysis


Incident summary

On 10 June 2024, YOLO Games announced via their X account that a security vulnerability had been reported in the Bazaar LBP contract. As a consequence, the YOLO LBP sale was ended early and users holding rYOLO would be refunded.


The security vulnerability was due to unchecked arguments in the Bazaar LBP smart contract. Anyone was able to withdraw assets from the Bazaar pool by supplying the BazaarLBPFactoryBlast address as the sender address. A whitehat was the first to notice the vulnerability, which they exploited to rescue 392 ETH (~$1,387,475) and 880,539,680 rYOLO. The amount rescued consisted of 354 ETH added to the pool by the project and approximately 39 ETH of users' funds.

Exploit Transactions

Attack Flow

  1. On 9 June at 07:27:23 PM, 0xaEc7, the creator of Bazaar Receipt YOLO (rYOLO), added 354 ETH and 888,888,888 YOLO (swapped for rYOLO) to the BazaarVaultBlast pool (0xefb4): https://blastscan.io/tx/0xa99a60a7cfc316c80b3b6450bd2c10ba87a51bde7262fed4cd27c723b4d70e45

  2. On 10 June, a little over 24 hours later, the whitehat called BazaarVaultBlast.exitPool(), withdrawing 392.3689 ETH and 880,539,680 rYOLO.


  3. Within 3 minutes of the exploit transaction, the whitehat reached out to the project to initiate dialogue.


Vulnerability

Exploiter address: 0x3cf5B87726Af770c94494E886d2A69c42A203884

Vulnerable contract address: 0xdC4A9779D6084C1ab3e815B67eD5e6780cCF4d90

The root cause of the incident was unchecked arguments. The exitPool() function takes four arguments:

  • poolID
  • sender
  • recipient
  • request

The whitehat passed in 0xb66585C4E460D49154D50325CE60aDC44bc900E9 (BazaarLBPFactoryBlast) as the sender. As there were no checks to make sure the caller actually controlled that address, the whitehat was allowed to withdraw the tokens in the pool.
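The following is an added illustration of the unchecked-`sender` pattern next to a hardened version; it is not Bazaar's code, and the contract, struct and function names are assumed. The pool is simplified to hold only ETH with one share per wei deposited.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal pool-share accounting shared by both variants below (illustrative only).
abstract contract PoolBase {
    struct ExitRequest { uint256 shares; uint256 minAmountOut; }

    mapping(bytes32 => mapping(address => uint256)) public shares; // LP shares per pool per account
    mapping(bytes32 => uint256) public totalShares;
    mapping(bytes32 => uint256) public poolAssets;                  // ETH held per pool

    function joinPool(bytes32 poolId) external payable {
        shares[poolId][msg.sender] += msg.value;   // 1 wei deposited : 1 share
        totalShares[poolId] += msg.value;
        poolAssets[poolId] += msg.value;
    }

    // Burns `sender`'s shares and pays the backing ETH to `recipient`.
    // Effects happen before the external call (checks-effects-interactions).
    function _exit(bytes32 poolId, address sender, address payable recipient, ExitRequest calldata req) internal {
        require(shares[poolId][sender] >= req.shares, "insufficient shares");
        uint256 amountOut = poolAssets[poolId] * req.shares / totalShares[poolId];
        require(amountOut >= req.minAmountOut, "slippage");
        shares[poolId][sender] -= req.shares;
        totalShares[poolId] -= req.shares;
        poolAssets[poolId] -= amountOut;
        (bool ok, ) = recipient.call{value: amountOut}("");
        require(ok, "transfer failed");
    }
}

// Vulnerable pattern: `sender` is taken straight from calldata and never
// compared with msg.sender, so any caller can name an account that holds
// shares (e.g. the factory) and have its assets paid out to `recipient`.
contract VulnerableVault is PoolBase {
    function exitPool(bytes32 poolId, address sender, address payable recipient, ExitRequest calldata req) external {
        _exit(poolId, sender, recipient, req);
    }
}

// Hardened pattern: the account whose shares are burned must be the caller.
// A relayer or delegation design would replace this with an explicit,
// revocable approval check rather than trusting a caller-supplied address.
contract HardenedVault is PoolBase {
    function exitPool(bytes32 poolId, address sender, address payable recipient, ExitRequest calldata req) external {
        require(sender == msg.sender, "exitPool: sender must be msg.sender");
        _exit(poolId, sender, recipient, req);
    }
}
```

When auditing, flag any state-changing function whose "owner" or "sender" parameter is user-supplied and is not tied to msg.sender or to a signed/approved delegation.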


Whitehat

Fortunately, this exploit was carried out by a whitehat who immediately reached out to the team. The team responded and immediately offered a bounty. Though negotiations were held in private, we can see on-chain that the whitehat returned 353 ETH (90%) ($1,274,040) of the stolen funds, keeping 10% as a reward.


After the return of funds YOLO confirmed that refunds had been sent to all users who had entered the YOLO LBP sale.


Conclusion

In this exploit, the whitehat returned a large part of the stolen funds. Since the beginning of 2024, we have observed that out of approximately $1B stolen, around $177,728,142 (about 17%) has been returned. For comparison, that percentage is higher than in 2023, when $1.8 billion of funds were stolen and approximately $219 million was returned, around 11.81%. To enhance your web3 security knowledge, join Skynet Quest and check out our dedicated article CertiK - Introducing Skynet Quest: The Web3 Security Journey of a Lifetime.
