Knownsec Blockchain Lab |The dike of a thousand miles was destroyed in the ant nest, and the Fortress Protocol was attacked.
Preface
On May 9, 2022, Beijing time, Knownsec Blockchain Lab detected that the lending protocol Fortress Protocol on the BSC chain was attacked due to an oracle problem, which was recently detected by the laboratory. In the third oracle attack event, the losses included 1,048 ETH and 400,000 DAI, totaling about $300W. Currently, AnySwap and Celer have been used to cross-chain to Ethereum using Tornado for currency mixing.
Knownsec Blockchain Lab tracked and analyzed this incident for the first time.
Basic information
Attacked Controller: 0x01bfa5c99326464b8a1e1d411bb4783bb91ea629
Attacked oracle address: 0xc11b687cd6061a6516e23769e4657b6efa25d78e
Attacker address: 0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad
Attack contract: 0xcD337b920678cF35143322Ab31ab8977C3463a45
tx: 0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf
Vulnerability Analysis
The project is still an imitation disk of Compound, but because the project party has annotated the original check in the implementation of the oracle machine, it does not require enough power to tamper with the price through `0xc11b687cd6061a6516e23769e4657b6efa25d78e#submit`
The attacker borrowed assets from other pools by changing the price of FTS in the protocol. The lending pools in the market are as follows:
Attack Process
1.The attacker purchased FTS tokens and voted to add FTS as collateral through a proposal, the proposal ID is 11 ;
2. Change the price of FTS by calling the oracle `submit` function
3.The attacker uses 100 FTS as collateral to call enterMarket to enter the market;
4. Because the market price has a problem with the value calculation of FTS, the attacker uses the collateral to directly call `borrow` to borrow;
Assets borrowed:
5. Since the 100 FTS has little value and does not need to be retrieved, the attacker still uses the other FTS used in the first step to fully cash out the Pancake exchange.
Summarize
The reason for this attack is that there is a problem with the compound imitation disk when the oracle is used. Recently, a large number of Compound imitation disk projects have been attacked. We urge all project parties who forked Compound to take the initiative to check themselves. The known attacks are mainly due to the following problems:
The embankment of a thousand miles was destroyed in the ant’s nest. It can be seen from the internal call that the attacker used getAllMarkets to traverse the underlying assets of all markets in turn and cash out FTS completely. It is recommended that the project party must build on a full understanding and sufficient third-party security audits for their own different implementations.
