Smart Contract Security Newsletter #47

Shayan Eskandari
ConsenSys Diligence
Nov 26, 2020
Credit for the image goes to Casey Coauette

A new blog post, Token Interaction Checklist, is out: a checklist to help developers and security engineers navigate the issues that can arise from interacting with many different tokens, especially when they want to support user-inputted tokens.

A pretty useful update to our VSCode tool, Solidity Metrics, has been released. In this update we introduced Solidity doppelganger, a tool to check whether a contract is similar to a set of known contracts stored in a database. The best use case is for smart contract auditors to check whether a library (e.g. SafeMath) is a copy of a reputable source (e.g. OpenZeppelin) or has been modified.

Legions, the EVM Node Security Toolkit, has also been updated, and you can now use Teatime modules within the same interactive shell environment. Teatime is a plugin-based RPC attack framework to spot misconfigured blockchain nodes.

ConsenSys Diligence is hiring DeFi security auditors.

Distilled News

Ethereum Accidental Fork

In mid-November, engineers at Optimism found an issue in older versions of Go-Ethereum: a consensus bug affecting Geth versions (v1.9.9) and (v1.9.13). Assuming that most Geth nodes had been updated, they sent a transaction that triggered a fork on the Ethereum network, which seems to have affected Infura mainnet as well.

Flashloans are here to stay

During the last 2 weeks, many DeFi projects were affected by attacks using flashloans, many of them facilitating market (oracle) manipulation. Here are detailed descriptions of these attacks:

  • Akropolis (2m DAI)

Akropolis was exploited through a combination of flash loans from dYdX, reentrancy, and unchecked token whitelists. The exploiter called `deposit()` in SavingsModule.sol and, when `transferFrom()` was called, used reentrancy to re-enter the `deposit()` function. This exploit was used 17 times to drain the total 2M Dai.

Value DeFi used Curve for their price oracle, which was exploited through a flashloan to skew the price of DAI/USDC and USDT/USDC by purchasing a large amount of DAI and USDT. The manipulated USDC price allowed the exploiter to mint more $3Crv than they should have received, so once they paid back the DAI and USDT, they burned their $3Crv tokens to remove liquidity and redeem extra DAI.
For the icing on the cake, the exploiter sent 2m DAI back to the exploited contract with the message, “do you really know flashloan?”

  • Cheese Bank ($3.3m USDC/USDT/DAI)

Where Value DeFi’s failure depended on a Curve oracle, Cheese Bank’s depended on a Uniswap oracle. The weighting of CHEESE/ETH was manipulated by selling ETH loaned from dYdX into $CHEESE, artificially raising $CHEESE price. Cheese Bank used the amount of WETH in a pool to calculate the price of corresponding LP tokens, allowing the bad actor to drain all the USDC, USDT, and DAI held by Cheese Bank.

Origin’s flash loan hack is eerily similar to others hacked this week. An ETH flashloan from dYdX was traded for USDT and DAI on Uniswap. The USDT was transferred to OUSD’s vault and minted OUSD. Then, DAI was transferred to `mintMultiple()`, where reentrancy from a `safeTransferFrom()` triggered a rebase of the OUSD supply and increased everyone’s OUSD balance by 2.41x. The additional OUSD balance of the exploiter was then swapped back to DAI. Origin is offering a $1M bounty for anyone that supplies substantial information or evidence leading to the return of customer funds.

Note: You can find a straightforward example of reentrancy, as well as how to prevent reentrancy, in Consensys’ Smart Contract Best Practices. For flash loan information and prevention, check out Prevent Flash Loan Attacks.
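For the Cheese Bank case above, the following added example (not code from the newsletter or from Cheese Bank) models why valuing LP tokens from a pool's instantaneous WETH reserve is unsafe, and compares it with the widely used invariant-based valuation. The pool sizes are constructed, and `ref_token_price_weth` is assumed to come from a source a single-block trade cannot move, such as a TWAP.

```python
from dataclasses import dataclass
from math import sqrt

FEE = 0.003  # Uniswap v2 style 0.3% swap fee


@dataclass
class Pool:
    weth: float       # WETH reserve
    token: float      # paired token reserve
    lp_supply: float  # LP tokens outstanding

    def swap_weth_in(self, amount_in: float) -> float:
        """Constant-product swap: sell WETH for the token, return tokens out."""
        effective = amount_in * (1 - FEE)
        out = self.token * effective / (self.weth + effective)
        self.weth += amount_in
        self.token -= out
        return out


def naive_lp_price(pool: Pool) -> float:
    """LP value in WETH read from the current WETH reserve (moves with any swap)."""
    return 2 * pool.weth / pool.lp_supply


def fair_lp_price(pool: Pool, ref_token_price_weth: float) -> float:
    """LP value in WETH from the invariant k = x*y and a reference price.

    A swap only grows k by the fee, so this value barely moves even when
    the reserves themselves are heavily skewed.
    """
    k = pool.weth * pool.token
    return 2 * sqrt(k * ref_token_price_weth) / pool.lp_supply


def compare(swap_weth: float) -> dict:
    """Ratio of LP valuation after/before one large same-block swap."""
    pool = Pool(weth=1_000.0, token=100_000.0, lp_supply=10_000.0)  # constructed
    ref_price = pool.weth / pool.token  # assumed pre-trade reference (e.g. TWAP)
    naive_before = naive_lp_price(pool)
    fair_before = fair_lp_price(pool, ref_price)
    pool.swap_weth_in(swap_weth)
    return {
        "naive_ratio": naive_lp_price(pool) / naive_before,
        "fair_ratio": fair_lp_price(pool, ref_price) / fair_before,
    }


if __name__ == "__main__":
    print(compare(9_000.0))
```

With these constructed reserves, the reserve-based valuation scales with the size of the swap while the invariant-based one changes only by the fee accrued to the pool.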

Pickle Jar went bad

An attacker drained 19 million DAI from pickle.finance’s pDAI Jar (which is a forked version of Yearn Vaults v1) by exploiting several flaws in a public function, `earn()`:

  • No whitelist of official jars
  • Allowing `_target` and `_data` without checks
  • Using `delegatecall` in an unchecked function

Altogether, the attacker created “evil” jars where they could withdraw cDAI to their evil jar, inject their `data` into parameters to call their malicious contract and send the cDAI to the evil jar’s Controller, which was then used to transfer funds to the attacking smart contract. Once complete, the attacker redeemed their cDAI for DAI. COVER Protocol had their first claim from the Pickle hack and 282,035 DAI is redeemable for payout.

If you enjoy this newsletter, please share it with your friends, or ask them to sign up here: Smart Contract Security Newsletter.

This issue of the newsletter is brought to you by Shayan Eskandari and Carl Farterson.
