V2 Vulnerability Post Mortem

DFX Finance
6 min readNov 22, 2022

--

Website | Twitter | Telegram | Discord | Github | Medium

On November 10th 2022, DFX experienced an attack on the protocol’s smart contracts. The affected smart contracts were part of DFX v2 which were launched mid-October as part of DIP-014.

Vulnerability Explanation

DFX’s Curve.sol is responsible for many core functions of the AMM (Automated market maker) including minting and burning of LP tokens as well as facilitating stablecoin trades.

One of the new features introduced to the smart contract as part of the upgrade from V1 to V2 was the ability for users to create ‘Flashloans’.

Flashloans allow anyone to borrow assets within the curve.sol contract without putting up any form of collateral as long as the assets, plus a small fee, are returned within a one block transaction. Modelled after Uniswap’s flashloans, anyone would be able to construct a contract conforming to the ‘IFlashCallback’ interface to kick off the loan.

The attacker found a very important ‘nonReentrant’ modifier missing from the flash function and was able to use the loaned funds and deposit them back into the Curve. This gave the attacker newly minted LP tokens that they would be able to withdraw from.

What are Flashloans: https://blog.chain.link/flash-loans/

Exploiter Contract

The following example contract demonstrates how the exploiter was able to abuse the ‘flashloan’ function and escape with more USDC and foreign stablecoins than what he started with. The attacker’s contract has two main functionalities. The first is to execute on the flash loan and the second is to handle a callback made by the curve which will be talked about in the next step.

The attack can be broken down into 4 steps.

Overall breakdown
  1. The attacker triggers the curve’s flash function.

To execute a flash loan let’s take a look at this reentrancy test here. The parameters are packed with data about what tokens are being borrowed and the amount of each in order to kick off a flashloan.

2. The curve sends the loaned tokens to the attacker’s contract and calls it’s callback function.

Upon receiving a flash call, the curve contract will record the balance of each of the tokens being loaned out as well as the associated fee before sending them out to the attacker. The curve expects all flash callers to conform to the ‘IFlashCallback’ interface so it can call on its ‘flashCallback’ function. The reason why a callback exists is so that the person making the flashloan can put in their logic to utilize the funds before returning them to the contract.

3. The attacker’s contract calls the deposit function and the curve sends it the proportional amount of LP tokens (Reentrancy).

In the callback function, the attacker can call the deposit function instead of returning the funds since there was no ‘nonReentrant’ modifier in place. Just after the attacker’s callback has been completed, the curve contract will check the balances of each token in its reserve to be equal to or greater than the previously recorded balances in step 2. Since the flash function acknowledges the funds have been returned it will not revert the entire transaction. As a result of this interaction the attacker’s contract now has freshly minted LPT tokens out of thin air.

4. The attacker’s contract calls the withdrawal function and the curve sends it the proportional amount of USDC and its respective foreign stablecoin.

The attacker ends the attack by executing curve’s withdrawal functions on the LPT they have just minted. The LPT is then burnt and the proportional amount of USDC and foreign stablecoins are sent to the attacking contract.

Had the right ‘nonReentrant’ modifier been in place, the attacker would have been able to only execute the flash loan function, and the entrancy state would have been set to true. This would have denied the attacker access to the deposit function within the same block transaction.

Core contributors have since added the ‘nonReentrant’ protection here:
https://github.com/dfx-finance/protocol-v2/pull/74

Credit and massive thank you to Matias from Kudelski Security for the Miro board. ❤

Miro Board:
https://miro.com/app/board/uXjVPEsGW18=/?share_link_id=473258429790

Security Audit

The DFX protocol had commissioned Sebone (previously PickAx) to provide a detailed and full smart contract audit of the protocol.

Sebone had provided 2 auditors, Alexander Blair and Eli Leers for 6 person weeks to produce a “Full Manual Security Audit” outlined here:

https://github.com/dfx-finance/protocol-v2/blob/main/audits/2022-09-DFXv2-Sebone-Audit.pdf

The flash loan function was in full scope of the audit and specifically mentioned in the Twitter Spaces AMA between DFX Finance and Sebone on October 13, 2022 here: https://twitter.com/i/spaces/1lPKqBQloBZGb

At the 10:00 — 11:05 mark, Eli has provided context and background on their expertise in identifying attacks based on 4 years of experience in Solidity and smart contract audits.

At the 11:30 mark, Eli mentions ‘reentrency’ issues being the most common attack vectors.

At the 12:00 mark, Alex mentions there were no ‘reentrency’ bugs in the DFX contracts.

As a result of this disappointing oversight by the Sebone team, it is not recommended that DFX Finance use their services again for any future security audits.

Next Steps

A proposal will be submitted to restart the DFX v2 pools with the updated smart contracts. The proposal will consist of an initial ‘guarded’ launch, 2 independent security audits, and an Immunefi bug bounty program.

Join us!

If you are new to DFX Finance, the best way to stay on top of all the latest developments is to follow us on Twitter and join our Discord or Telegram!

We are very excited about this next step for DFX Finance, and we look forward to sharing more with you all very soon.

Thank you for the support and stay safe!

About DFX Finance

DFX is a decentralized foreign exchange (FX) protocol that facilitates the seamless exchange of fiat-backed stablecoins denominated in a growing number of currencies. The current reliance on USD-pegged stablecoins creates undue economic friction for those in other parts of the world,
and DFX is here to change that.✨

Using a hyper-efficient AMM, optimized for low volatility trading, DFX provides FX swaps with rates that will beat any bank, money changer, or FX platform.💱

We’re super excited to build the FX infrastructure for DeFi and would love to hear more of your ideas and comments on how we can make DFX better together! ❤

DFX Finance. Stablecoins for the world. 🌐

Website | Twitter | Telegram | Discord | Github | Medium

--

--

DFX Finance

The most hyper-efficient decentralized FX protocol optimized for stablecoins. Check it out — https://exchange.dfx.finance/