USN v2.0’s Security Incident on July 6th, 2022 — Resolved

Issue fixed. No funds lost or stolen.

Decentral Bank
Jul 7, 2022

Executive Summary

On July 6th, 2022, the user pavladiv.near triggered a bug on the $USN v2.0 smart contract (not present in $USN v1.0) when they tried to redeem $USN for $USDT, and an incorrect amount of $USN was minted. All incorrectly minted $USN have been burnt and the smart contract has been fixed. No funds were lost or stolen.

The initial issue occurred when the contract was not able to redeem $USN for $USDT to a user who had not held $USDT in their account ever before. As the transaction failed, the smart contract proceeded to refund the user their $USN. This triggered an invalid conversion of decimal points, generating a total of $9,999,000,000,000.0 USN to the user account across two transactions.

The event was quickly noticed by the Decentral Bank team. Immediately, the $USN smart contract was paused to stop all $USN transactions and a fix was deployed for the incorrect decimal conversion.

  • The bug within the $USN v2.0 smart contract that incorrectly generated $USN following a failed redemption attempt has been fixed.
  • The fix for the minor usability issue, where users who have not held $USDT ever before cannot redeem $USN, is currently being tested and will be deployed shortly.

Who was affected?

No one. As the bug was caught immediately and none of the funds had been traded at that point, user funds have not been affected. The incorrectly minted $USN has been burnt with the fix. Therefore, the actual circulating supply of $USN and the Reserve Fund are not affected.

At the time of publishing, the total $USN minted is $114.16M, which can be verified by calling ft_total_supply on the $USN contract.

Image 1. Total USN minted supply. It can be observed how the total USN minted supply suddenly increased and quickly returned to its correct value

Technical Details

  1. pavladiv.near interacted with the new on-chain $USN<>$USDT swap contract via the Decentral Bank website.
  2. User tried to redeem 5 $USN for $USDT.
  3. There was an error within the Decentral Bank swap tool that caused the transaction to fail as the user had never held any $USDT funds in their account before. The swap tool was not able to deposit $USDT to the user.
  4. The smart contract tried to transfer 4.9995 $USDT to the user. This transaction was conducted twice and both failed due to the aforementioned issue.
  5. The $USN contract detected the “failure” and tried to refund the user 4.9995 $USN.

EVENT_JSON:{"standard":"nep141","version":"1.0.0","event":"ft_mint","data":[{"owner_id":"pavladiv.near","amount":"4999500000000000000000000000000"}]}

Refund $5000000000000000000 of dac17f958d2ee523a2206206994597c13d831ec7.factory.bridge.near to pavladiv.near

  6. However, a bug caused a wrong conversion of decimal points and the user account was refunded with 4.9995 trillion $USN per transaction.
  7. The bug that caused the wrong conversion of decimal points has been fixed and the contract has been updated, making sure that no funds were lost or stolen.
  8. Transactions might still fail if the account has never held any $USDT funds when redeeming $USN for $USDT. This issue will be fixed ASAP and will be announced soon.
  9. In the meantime, please make sure you have a small amount of $USDT or you have held $USDT in your account before if you still want to redeem $USN using the on-chain smart contract. Alternatively, you can use the Ref Finance stableswap pool to trade between $USN and $USDT.
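
The contract source is not shown on this page, so the Rust below is an added example and not Decentral Bank's code. It assumes 18 decimals for $USN, 6 for $USDT, and that the refund path re-scaled an amount already expressed in $USN units, which reproduces the 4.9995 trillion figure; all type and function names are hypothetical.

```rust
// Added illustration; not Decentral Bank's contract code.
// Assumed: USN uses 18 decimals, bridged USDT uses 6, and the refund path
// re-applied the 6 -> 18 scale factor to a value already in USN units.
const USN_DECIMALS: u32 = 18;
const USDT_DECIMALS: u32 = 6;
const SCALE: u128 = 10u128.pow(USN_DECIMALS - USDT_DECIMALS);

/// Newtypes make the unit part of the type, so a USN amount cannot be
/// passed where a USDT amount is expected.
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Usn(pub u128);
#[derive(Debug, Clone, Copy, PartialEq)]
pub struct Usdt(pub u128);

impl Usdt {
    /// The only place the scale factor is applied; overflow is an error.
    pub fn to_usn(self) -> Option<Usn> {
        self.0.checked_mul(SCALE).map(Usn)
    }
}

/// Buggy shape (hypothetical): the caller already converted to USN units,
/// but a bare u128 carries no unit, so the handler scales it again.
pub fn refund_untyped(amount: u128) -> u128 {
    amount * SCALE
}

/// Hardened shape (hypothetical): the handler accepts only the USDT amount
/// whose transfer failed and converts it exactly once.
pub fn refund_typed(failed: Usdt) -> Option<Usn> {
    failed.to_usn()
}

fn main() {
    let owed = Usn(4_999_500_000_000_000_000); // 4.9995 USN at 18 decimals
    // Passing `owed` to refund_typed would not compile; the untyped path accepts it.
    let wrong = refund_untyped(owed.0);
    println!("untyped refund, whole USN: {}", wrong / 10u128.pow(USN_DECIMALS));
    println!("typed refund: {:?}", refund_typed(Usdt(4_999_500)));
}
```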

Mitigation

  1. The handle_withdraw_refund function has been patched.
  2. All handle_withdraw_refund transactions have been checked on the blockchain history. These are the only 2 transactions that have been compromised.
  3. All pavladiv.near account transactions have been verified: there are no fund leaks.
  4. The migrate function was used to revert the state of the $USN contract: the pavladiv.near account and the total supply have been reduced by 9,999,000,000,000.

Timeline (UTC)

Date: 06-JUL-2022

UTC Time | Event
07:35 | Bug triggered by user pavladiv.near
08:10 | It was detected that 9,999,000,000,000.0 $USN were deposited to user account
08:26 | Once it was noticed, the contract was paused to stop any $USN transactions. https://explorer.mainnet.near.org/transactions/ALbGo7mDPms4gnMQejuPT9MmYsbY2kASocHcxapBMkNd
14:12 | The contract was upgraded with revert via migrate function. DAO proposal #27
14:27 | The contract was unpaused. DAO proposal #28. https://explorer.mainnet.near.org/transactions/GTHKYvxQcDmg3qbQYdJuPHAKMVxv7kXuc4tfJuRsgftx

Future Measures to be Taken

As a DAO issuing stablecoins, Decentral Bank takes security and trustworthiness very seriously. Moving forward, we are committed to taking the following measures to secure the protocol to the best of our abilities and to instill trust in our users:

  1. Fix usability corner case bug on Decentral Bank swap tool that causes transactions to fail when users have never held $USDT in their accounts prior to redeeming $USN. This will be done ASAP.
  2. Additional smart contract code audits will be regularly conducted.
  3. Additional alert systems will be deployed to notify the team about drastic changes in $USN emissions and in the state of the Reserve Fund.
  4. Automatic contract pausing will be implemented for such situations.
  5. A bug bounty program will be launched to help prevent future incidents.
  6. User pavladiv.near will be provided with a bounty for helping to find the issue.
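
One way the emission alert and automatic pausing in items 3 and 4 could be enforced at mint time, as an added Rust example that is not Decentral Bank's code. The `Ledger` type, the 1% per-mint limit and the 18-decimal assumption are hypothetical; the supply figure is the one quoted on this page.

```rust
// Added illustration; not Decentral Bank's code. Names and the 1% limit
// are assumptions chosen for the example.
const ONE_USN: u128 = 10u128.pow(18); // assumes 18 decimals

#[derive(Debug, PartialEq)]
pub enum MintError {
    Paused,
    Overflow,
    LimitExceeded,
}

pub struct Ledger {
    pub total_supply: u128,
    pub paused: bool,
    /// Largest single mint allowed, in basis points of current supply.
    pub max_mint_bps: u128,
}

impl Ledger {
    /// Mints `amount`, or pauses the ledger when one mint would grow supply
    /// by more than `max_mint_bps`. The check runs before supply changes.
    pub fn mint(&mut self, amount: u128) -> Result<u128, MintError> {
        if self.paused {
            return Err(MintError::Paused);
        }
        let limit = self.total_supply / 10_000 * self.max_mint_bps;
        if amount > limit {
            self.paused = true; // fail closed until operators review
            return Err(MintError::LimitExceeded);
        }
        self.total_supply = self
            .total_supply
            .checked_add(amount)
            .ok_or(MintError::Overflow)?;
        Ok(self.total_supply)
    }
}

fn main() {
    // Constructed state: 114.16M USN supply (figure from the page), 1% limit.
    let mut l = Ledger { total_supply: 114_160_000 * ONE_USN, paused: false, max_mint_bps: 100 };
    println!("{:?}", l.mint(5 * ONE_USN)); // ordinary refund
    println!("{:?}", l.mint(4_999_500_000_000 * ONE_USN)); // incident-sized mint
    println!("{:?}", l.mint(ONE_USN)); // rejected while paused
}
```

In a NEAR contract a panic rolls back the state changes made in that call, so a handler that sets a pause flag has to return normally for the flag to persist.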

For any further questions or concerns, please join the Decentral Bank Discord.
