Decoding AllBridge’s $570K Flash Loan Exploit | QuillAudits

QuillAudits - Web3 Security 🛡️
Coinmonks
4 min read · Apr 7, 2023


Oh, just another day in the world of DeFi, where millions of dollars can be lost in a flash loan exploit and then returned as a white hat bounty. No big deal.

Summary:

On April 2, 2023, AllBridge experienced a flash loan exploit on the BNB chain. The stablecoin pools for USDT and BUSD were attacked, resulting in hackers stealing approximately $570K.

Introduction to AllBridge Protocol:

Allbridge enables users to transfer assets between different networks. It serves as a bridge between EVM-compatible blockchains (such as Ethereum, Polygon, and BSC) and non-EVM-compatible blockchains (such as Solana and Terra).

To learn more about Allbridge, check out the official documentation.

Vulnerability Analysis and Impact:

Root Cause:

The root cause of the issue was a logic flaw in the withdraw function. This flaw allowed for manipulation of the swap price of the pool. The exploiter acted as a liquidity provider and swapper, enabling them to manipulate the price and drain the funds from the pool.

On-Chain Details:

BUSD & vUSD Pool: 0x179aad597399b9ae078acfe2b746c09117799ca0
USDT & vUSD Pool: 0xb19cd6ab3890f18b662904fd7a40c003703d2554
Bridge Contract: 0x7E6c2522fEE4E74A0182B9C6159048361BC3260A

Attacker EOA 1: 0xC578d755Cd56255d3fF6E92E1B6371bA945e3984
Attacker EOA 2: 0x2b3cff12c02625518deb0af14684999fb6e3e360

Attack Txn: 0x7ff1364c3b3b296b411965339ed956da5d17058f3164425ce800d64f1aef8210

The Attack:

  • The attacker swaps $500K BSC-USD for $BUSD in Allbridge’s Bridge contract. At this point, tokenBalance(BUSD) in the 0x179a pool increases while its vUSD balance decreases.
  • The attacker then removes liquidity from the 0x179a pool, which exacerbates the imbalance between the vUSD balance and the token balance. As a result, the vUSD/BUSD ratio increases significantly.
  • Because of this change in ratio, the attacker managed to swap out $790,000 worth of BSC-USD from Allbridge using only $40,000 worth of BUSD, and withdrew 1.9M $USDT from the 0xb19c pool. The attacker then swapped out 2.7 million $USDT for 2.7 million $BUSD. Finally, they repaid the flash loan and kept the remaining balance as profit.
  • The exploiter sent 1,700 BNB (which included profits from the previous attack) to Tornado Cash.

After the Exploit:

Apr-02–2023: The team announced the incident on Twitter, shared further details about the exploit, and temporarily suspended the bridge.

Apr-03–2023: They sent the message on-chain to the attacker, offering a 10% bounty in exchange for the return of the funds.

Apr-03–2023: The attacker returned around 1500 BNB ($466,144) to the project, as seen in this transaction, and kept the remaining funds as a white hat bounty. The team shared additional updates about this on Twitter.

Apr-05–2023: About $159k worth of BNB (approximately 507.3 BNB) was transferred from an address labeled as Allbridge Exploiter to Tornado Cash.

How could the attack have been prevented?

Flash loan attacks in the DeFi space have significantly increased. In the case of AllBridge, the attack was caused by a logic vulnerability in the withdraw function. To prevent such errors, projects can implement code review and pair programming, test-driven development, automated testing tools, multiple smart contract audits, and use formal verification techniques to prove the code’s correctness.
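To make the mechanism in the attack walk-through and the invariant-testing advice above concrete, here is an added example (a constructed toy model, not Allbridge’s pool contract or any QuillAudits material): a two-asset pool whose swap price is read from its vUSD/token ratio, one withdraw that removes both sides pro rata and a hypothetical single-sided withdraw that skews the ratio, plus the property a reviewer or property test would assert on any withdraw. All class, function and parameter names are assumptions.

```python
from dataclasses import dataclass


@dataclass
class ToyPool:
    """Constructed two-asset stable pool: a token (e.g. BUSD) and its virtual
    counterpart vUSD. A simplified model, not Allbridge's pool contract."""
    token: float
    vusd: float

    def price(self) -> float:
        # Swap price of the token in vUSD, read directly from the pool ratio.
        return self.vusd / self.token

    def swap_token_for_vusd(self, amount_in: float) -> float:
        # Constant-product swap: token balance rises, vUSD balance falls.
        k = self.token * self.vusd
        new_token = self.token + amount_in
        amount_out = self.vusd - k / new_token
        self.token, self.vusd = new_token, self.vusd - amount_out
        return amount_out

    def withdraw_proportional(self, share: float) -> tuple[float, float]:
        # Sound LP withdraw: both sides leave pro rata, so the ratio is unchanged.
        token_out, vusd_out = self.token * share, self.vusd * share
        self.token, self.vusd = self.token - token_out, self.vusd - vusd_out
        return token_out, vusd_out

    def withdraw_single_sided(self, token_amount: float) -> float:
        # Hypothetical flawed withdraw: pays the LP in token only and leaves vUSD
        # untouched, so the vUSD/token ratio (and hence the swap price) jumps.
        self.token -= token_amount
        return token_amount


def price_move_bps(before: float, after: float) -> float:
    # Relative price move in basis points.
    return abs(after - before) / before * 10_000


def withdraw_keeps_price(pool: ToyPool, single_sided: bool, amount: float,
                         tolerance_bps: float = 1.0) -> bool:
    # Invariant an audit or property test would assert: an LP withdraw must not
    # move the swap price. Returns False when the withdraw violates it.
    before = pool.price()
    if single_sided:
        pool.withdraw_single_sided(amount)
    else:
        pool.withdraw_proportional(amount)
    return price_move_bps(before, pool.price()) <= tolerance_bps
```

Running the same swap-then-withdraw sequence through both withdraw paths shows the proportional one passing the invariant and the single-sided one failing it, which is the kind of property a fuzzer or formal specification can check before deployment.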

Why QuillAudits for Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions, saving the loss of millions in funds.

