Analysis and Response to the July 4th baoETH Exploit

chickn bao, published in Baommunity, Jul 11, 2023

Summary

On July 4, 2023 at 13:30 UTC, Bao’s baoETH vault fell victim to an exploit involving non-seeded collateral. At block 17620871, the attacker used flash loans and token swaps to take approximately 40 ETH of treasury funds (a profit of 23.5 ETH after costs). You can view the transaction here. Deposits and further borrowing in the baoETH vault were paused immediately. No other collateral was affected, and the baoUSD and baoETH ballasts remain safe to use. The baoETH vault will be brought back online once the issue is resolved and thoroughly tested.

Attack Details

The attacker deposited the smallest possible amount of bSTBL into the baoETH vault and received bdbSTBL (the vault’s equivalent of Compound’s cTokens), which set the market’s exchange rate, since the first depositor into an empty market determines it. Next, the attacker transferred a large amount of bSTBL (~34.8m bSTBL) directly to the bdbSTBL contract. Because the exchange rate is derived from the underlying balance held by the contract divided by the bdbSTBL supply, this transfer made the smallest possible number of bdbSTBL tokens worth the entire 34.8m bSTBL.

The attacker then borrowed enough baoETH against this inflated collateral (41.3 baoETH) to drain the baoETH liquidity pool on Balancer, and sold it for wETH.

Lastly, the attacker was able to withdraw their collateral without repaying the loan, due to a rounding bug in the Compound v2 contracts that Bao Vaults are based on. Because the smallest possible number of bdbSTBL tokens was worth the full value of the collateral, no fractional amount could be withdrawn; on redemption the contract rounded to the smallest possible number of tokens rather than zero, and all of the collateral was returned while the borrow remained open.

The steps involved when replicating the attack

Ultimately, the attacker stole 41.3 baoETH, which they swapped for WETH. Gas for the transaction, the contract deployments and the flash loan cost ~20 ETH in total, so they netted ~21 ETH, which they bridged out shortly afterwards.

A similar attack, against Hundred Finance, occurred in April of this year. However, the Bao Finance team was unaware of this issue before baoETH was exploited.

Why it happened

After carefully reviewing how the attack was performed, and how the similar exploit at Hundred Finance had worked, we determined that one important deployment step had been skipped: making an initial (seed) deposit for each collateral permitted in a vault, so that the exchange rate and the initial bdbSTBL supply are set by the protocol rather than by whoever deposits first. In this case, the bSTBL market was not seeded.

If a regular user had made the first deposit, the exchange rate between bSTBL and bdbSTBL would have been set normally. The exploit was possible because the first deposit was made by a malicious actor, who then profited from a rounding issue in the redemption function.

Next Steps

While this is a flat loss for the protocol’s treasury as a whole, the Bao Finance team has taken it as an opportunity to reassess and improve our security measures to prevent similar exploits. From reviewing our deployment procedures to implementing more rigorous testing and auditing, we are taking extra steps to ensure the safety of our users’ funds. Our team is committed to providing a secure and reliable platform for our users, and we will continue to work towards that goal.

Future deployments will have a collateral factor of 0 until a minimum deposit has been made, which prevents this kind of attack: a dust deposit can no longer both set the exchange rate and serve as borrowable collateral. In addition, this attack vector will be added to our test suite going forward, and we will communicate further when we are ready to resume the baoETH vault.
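The arithmetic behind the three attack steps above (dust deposit, donation, borrow, then a redeem that rounds in the attacker’s favour) and the effect of seeding the market are easier to see in numbers. The following model is an added example written for this post, not Bao Finance’s or Compound’s code. It reproduces the general Compound v2 cToken formulas (exchange rate = cash / total supply; mint and redeem amounts computed by truncating division; the comptroller’s liquidity check valuing the position by the truncated token count), using the classic two-wei form of the redeem rounding as seen at Hundred Finance rather than Bao’s exact redeem path. The 18-decimal tokens, the prices (1 USD per bSTBL, 1900 USD per baoETH), the 0.75 collateral factor, the deployer’s 1000 bSTBL seed and the `min_seed` implementation of the collateral-factor-0-until-seeded policy are all assumptions; the 34.8m bSTBL donation and 41.3 baoETH borrow follow the post.

```python
"""Constructed model of the Compound v2 cToken arithmetic behind the baoETH
exploit. Added illustration, not Bao Finance's or Compound's code: decimals,
prices, the collateral factor and the seeding policy are assumed values."""

MANTISSA = 10**18  # Compound's fixed-point scale for exchange rates and factors


class CollateralMarket:
    """One cToken market (bdbSTBL over bSTBL in the post). Borrows are taken from
    a separate market, so the exchange rate here is just cash / totalSupply, and
    a plain ERC-20 transfer into the contract (a "donation") raises it without
    minting a single cToken."""

    def __init__(self, initial_exchange_rate=MANTISSA, min_seed=0):
        self.initial_exchange_rate = initial_exchange_rate
        self.min_seed = min_seed  # assumed policy: collateral factor 0 below this supply
        self.cash = 0
        self.total_supply = 0
        self.balances = {}

    def exchange_rate(self):
        if self.total_supply == 0:
            return self.initial_exchange_rate  # first depositor sets the rate
        return self.cash * MANTISSA // self.total_supply

    def mint(self, user, amount):
        tokens = amount * MANTISSA // self.exchange_rate()  # truncating division
        self.cash += amount
        self.total_supply += tokens
        self.balances[user] = self.balances.get(user, 0) + tokens
        return tokens

    def donate(self, amount):
        self.cash += amount

    def value_usd(self, tokens, rate, price, collateral_factor):
        cf = 0 if self.total_supply < self.min_seed else collateral_factor
        underlying = tokens * rate // MANTISSA
        return underlying * price * cf // MANTISSA  # USD scaled by 1e18

    def redeem_underlying(self, user, amount, borrow_usd, price, collateral_factor):
        rate = self.exchange_rate()
        tokens = amount * MANTISSA // rate  # redeemTokens = amount / exchangeRate, truncated
        remaining = self.balances.get(user, 0) - tokens
        if remaining < 0 or amount > self.cash:
            raise ValueError("insufficient balance or cash")
        # The liquidity check prices what is LEFT by the truncated token count,
        # not by the underlying that actually leaves the contract.
        if self.value_usd(remaining, rate, price, collateral_factor) < borrow_usd:
            raise ValueError("insufficient liquidity")
        self.balances[user] = remaining
        self.total_supply -= tokens
        self.cash -= amount
        return tokens


def run_scenario(seed_supply=0, min_seed=0, collateral_factor=75 * 10**16,
                 price_bstbl=1, price_baoeth=1900,
                 donation=34_800_000 * 10**18, borrow_baoeth=41_300 * 10**15):
    """Replay the post's sequence against a market configured by the caller.
    Prices (1 USD per bSTBL, 1900 USD per baoETH) and the 0.75 collateral
    factor are assumed; donation and borrow sizes follow the post."""
    m = CollateralMarket(min_seed=min_seed)
    if seed_supply:
        m.mint("deployer", seed_supply)  # protocol seeds the market before listing it
    deposit = 2  # smallest deposit that still leaves something to burn on redeem
    m.mint("attacker", deposit)
    m.donate(donation)  # inflate the exchange rate: 2 wei of bdbSTBL now back ~34.8m bSTBL
    rate = m.exchange_rate()
    borrow_usd = borrow_baoeth * price_baoeth  # liability in the separate baoETH market
    limit = m.value_usd(m.balances["attacker"], rate, price_bstbl, collateral_factor)
    result = {"borrow_allowed": limit >= borrow_usd, "tokens_burned": 0,
              "collateral_returned": 0, "cash_left": m.cash}
    if result["borrow_allowed"]:
        # Borrow, then redeem one wei short of the whole collateral: the token
        # count truncates to 1 while all but one wei of bSTBL leaves the contract.
        held = m.balances["attacker"] * rate // MANTISSA
        result["tokens_burned"] = m.redeem_underlying(
            "attacker", held - 1, borrow_usd, price_bstbl, collateral_factor)
        result["collateral_returned"] = held - 1
        result["cash_left"] = m.cash
    recoverable = (result["collateral_returned"]
                   + m.balances["attacker"] * m.exchange_rate() // MANTISSA)
    result["attacker_net_usd"] = ((recoverable - deposit - donation) * price_bstbl
                                  + (borrow_usd if result["borrow_allowed"] else 0))
    return result


if __name__ == "__main__":
    print("unseeded market:", run_scenario())
    print("seeded by deployer:", run_scenario(seed_supply=1000 * 10**18))
    print("collateral factor 0 until seeded:", run_scenario(min_seed=1000 * 10**18))
```

In the unseeded run the attacker burns one of their two wei of bdbSTBL, gets back all but one wei of the donation, and keeps the 41.3 baoETH, so their net is exactly the borrowed value. With the deployer holding a seed position, the same donation is shared with the seed holder, the attacker’s two wei are worth almost nothing and the borrow is refused, so the attacker simply loses the donation. With the collateral factor held at 0 until the market is seeded, the attacker can still donate but cannot borrow, and recovers only what they put in.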

Lastly, the Bao Finance guardians take full responsibility for what was essentially a preventable exploit. While the security of the Compound v2 contracts was thoroughly reviewed before baoUSD was deployed in 2022, new attack vectors were discovered between the baoUSD and baoETH deployments that the team was unaware of. This is a stark reminder that even widely used, battle-tested contracts with multiple audits can have undiscovered vulnerabilities, and every new deployment should take this into consideration.

Final Thoughts

Bao Finance is listed on Immunefi, and critical vulnerabilities disclosed through the program are eligible for awards of up to $100k. In this case, the attacker would have made more by disclosing the vulnerability, which qualifies as critical severity, than by exploiting it. Bao Finance highly regards the whitehat community and encourages all protocols to do the same.

Special thanks to Peckshield for promptly flagging the suspicious transaction, and to the entire Bao Finance team for resolving the issue effectively. By collaborating, we can make the DeFi space safer.
