Unraveling the $90K Mystery: Inside Ramses Exchange’s Reward Exploit
Overview:
On October 24th, 2024, Ramses Exchange on Arbitrum faced a sophisticated heist, losing over $90,000 due to a critical flaw in its reward distribution logic. An attacker uncovered a vulnerability that allowed them to claim rewards repeatedly across multiple tokenIds without ever decreasing the total rewards supply. By strategically depositing tokens and invoking getPeriodReward()
with various NFTs, the attacker exploited the contract’s vulnerability to track reward limits per period, effectively draining the reward pools and executing a masterful raid on the exchange's assets.
About Project:
Ramses is a next-generation AMM designed to serve as Arbitrum’s central liquidity hub, combining the secure and battle-tested superiority of Uniswap v3 with a custom incentive engine, vote-lock governance model, and streamlined user experience.
Exploit Details:
Ramses Token Contract Address: 0xaaa6c1e32c55a7bfa8066a6fae9b42650f262418 Attack Transaction Hash: 0xb91c4e0debaf0feb1f20c979eebc1282c8024ae299ef5903591badcf1f4938bb Attacker’s Address: 0x1d8b0Ee375750839567f266FA75f6FBc9D6B977c
Attack Process:
- The attacker discovered a vulnerability in Ramses Exchange’s reward distribution logic, which allowed rewards to be claimed multiple times without reducing the total rewards supply.
- The attacker called the
getPeriodReward()
function with different NFT tokenIds, enabling them to claim rewards. - The contract failed to decrease
tokenTotalSupplyByPeriod
after each reward claim, leading to an inflated total reward supply.
- The attacker reset or split the original NFT into new tokenIds (e.g., from 18785 to 18787) to bypass the claim-tracking variable
veWithdrawnTokenAmountByPeriod
. - The new tokenIds allowed the attacker to repeatedly claim rewards as if they were different NFTs.
- The attacker specified arbitrary period values in the
getPeriodReward()
function, allowing them to access previously unclaimed rewards from earlier periods due to the contract’s lack of period validation against the current time.
- By repeatedly invoking
getPeriodReward()
and exploiting the inflatedtokenTotalSupplyByPeriod
, the attacker drained significant rewards from the exchange. - The attacker successfully transferred the stolen funds, resulting in a total loss of over $90,000 for Ramses Exchange.
The Root Cause
The root cause of the Ramses Exchange hack was a flaw in the reward distribution logic within the FeeDistributor contract. Specifically, the contract failed to decrease the tokenTotalSupplyByPeriod
after each reward claim, resulting in an inflated reward supply. This oversight allowed the attacker to repeatedly claim rewards without a corresponding reduction in available rewards. Additionally, the getPeriodReward()
function did not validate if the specified period matched the current time, enabling the attacker to exploit past periods for unclaimed rewards.
Flow of Funds
The attacker deposited tokens, repeatedly invoked the getPeriodReward()
function with different NFT tokenIds to claim excess rewards, and then transferred the stolen funds out of Ramses Exchange, resulting in a loss of over $90,000. Here’s the fund flow:
Post Exploit Scenes
Here is what Ramses responded to the exploit in their discord: ”funds are safe. Liquidity provider funds are safe. User veNFT positions are safe.”
How could they have prevented the Exploit?
- Properly Decrementing
tokenTotalSupplyByPeriod
: Ensure that thetokenTotalSupplyByPeriod
is decreased appropriately after each reward claim to prevent inflated reward calculations. - Tracking Claims Per TokenId: Implement a robust mechanism to track rewards claimed per tokenId accurately, preventing the same tokenId from being used to claim rewards multiple times.
- Enforce strict validation of the period values in the
getPeriodReward()
function to ensure they align with the current time and prevent retroactive claims. - Conducting Thorough Audits: Engage reputable audit firms like QuiilAudits to conduct comprehensive security audits and fix potential vulnerabilities before they can be exploited.
Why QuillAudits?
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.