Smart Contract Security Newsletter #47

Credit for the image goes to Casey Coauette

A new blog post, Token Interaction Checklist is out. A checklist to help developers and security engineers to navigate the possible issues that could arise from interacting with many different tokens, especially if they want to support user-inputted tokens.

Token Interaction Checklist | ConsenSys Diligence

A pretty useful update to our VSCode tool, Solidity Metrics, has been released. In this update we introduced Solidity dopperlganger, a tool to check if a contract is similar to a set of known contracts stored in a Database. The best use case is for smart contract auditors to check if a library (e.g. SafeMath) is a copy of a reputable source (e.g. OpenZepplin) or if it has been modified.

Legions, EVM Node Security Toolkit has also been updated and now you can use Teatime modules within the same interactive shell environment. Teatime is a plugin-based RPC attack framework to spot misconfigured blockchain nodes.

ConsenSys Diligence is hiring DeFi security auditors.

Distilled News

Ethereum Accidental Fork

Mid-November, engineers at Optimism found an issue regarding older versions of Go-Ethereum, a consensus bug affecting the versions of Geth (v1.9.9) and (v1.9.13). With an assumption that most Geth nodes are updated, they send a transaction triggering a fork on Ethereum network, which seems to affect Infura mainnet as well.

Flashloans are here to stay

During the last 2 weeks, there have been many DeFi projects that were affected by attacks using flashloans, many of them facilitating market (oracle) manipulation. Here are detailed description of these attacks:

• Akropolis (2m DAI)

Akropolis was exploited through a combination of flash loans from dYdX, reentrancy, and unchecked token whitelists. The exploiter called `deposit()` in SavingsModule.sol and used the reentrancy code when `transferFrom()` was called, re-entering the `deposit()` function. This exploit was used 17 times to drain the total 2M Dai.

• Value Defi (5.4m DAI)

Value DeFi used Curve for their price oracle, which was exploited through a flashloan to skew the price of DAI/USDC and USDT/USDC by purchasing a large amount of DAI and USDT. The manipulated USDC price allowed the exploiter to mint more $3Crv than they should have received, so once they paid back the DAI and USDT, they burned their $3Crv tokens to remove liquidity and redeem extra DAI.
For the icing on the cake, the exploiter sent a 2m DAI back to the exploited contract with the message, “do you really know flashloan?”

• Cheese Bank ($3.3m USDC/USDT/DAI)

Where Value DeFi’s failure depended on a Curve oracle, Cheese Bank’s depended on a Uniswap oracle. The weighting of CHEESE/ETH was manipulated by selling ETH loaned from dYdX into $CHEESE, artificially raising $CHEESE price. Cheese Bank used the amount of WETH in a pool to calculate the price of corresponding LP tokens, allowing the bad actor to drain all the USDC, USDT, and DAI held by Cheese Bank.

• Origin Dollar ($7m DAI/ETH)

Origin’s flash loan hack is eerily similar to others hacked this week. An ETH flashloan from dYdX traded for USDT and DAI on Uniswap. The USDT was transferred to OUSD’s vault and minted OUSD. Then, DAI was transferred to `mintMultiple()`, where reentrancy from a `safeTransferFrom()` triggered a rebase of the OUSD supply and increased everyone’s OUSD balance by 2.41x. The additional OUSD balance of the exploiter was then swapped back to DAI. Origin is offering a $1M bounty for anyone that supplies substantial information or evidence leading to the return of customer funds.

Note: You can find a straightforward example of reentrancy, as well as how to prevent reentrancy, in Consensys’ Smart Contract Best Practices. For flash loan information and prevention, checkout Prevent Flash Loan Attacks.

Pickle Jar went bad

An attacker drained 19 million DAI from pickle.finance’s pDAI Jar (which is a forked version of Yearn Vaults v1) by utilizing several flaws with a public function earn():

• No whitelist of official jars
• Allow `_target` and `_data` without checks
• Using `delegatecall` in an unchecked function

Altogether, the attacker created “evil” jars where they could withdraw cDAI to their evil jar, inject their `data` into parameters to call their malicious contract and send the cDAI to the evil jar’s Controller, which was then used to transfer funds to the attacking smart contract. Once complete, the attacker redeemed their cDAI for DAI. COVER Protocol had their first claim from the Pickle hack and 282,035 DAI is redeemable for payout.

The Week’s Links

• Geth security release — UPDATE NOW
• Go Ethereum Security Advisories — GitHub
• So you want to use a price oracle — Samczsun
• Why Proof of Stake — Vitalik
• ETH2 Fork Monitor
• Vyp4r — ANTLR4 Parser for Vyper Language
• Bug Disclosure: Non-deterministic Solidity Transactions — Certora
• Keeping DeFi SAFU: Binance Recovers Over $344,000 from Wine Swap Exit Scam
• Rescuing Schrodinger’s Cat in DeFi Dark Forest — AnChain.AI
• 2 critical consensus-related vulnerabilities by Beacon Fuzz — Update #09
• Solidity 0.7.5 Release Announcement
• Damn Vulnerable DeFi — Setup and Challenge #1 Walkthrough — Peter Kacherginsky
• Popular BSV multisig provides no security at all and eventually the coins all go poof — Reddit
• Inside the FBI’s search for Ross Ulbricht, dark web kingpin of Silk Road — CBSNews
• Ethereum Classic: Bits of the Epoch. Potential Network Instability — 2miners
• 0xPOLAND — Smart Contract Puzzle
• Flashbots: Frontrunning the MEV crisis — Economics — ethresearch
• Percent finance permanent locking of user funds — Percent Finance
• An Update on TREE — WhalerDAO
• From the person who audited WhalerDAO — Carl Farterson
• 88mph MPHMinter contract issue. Funds safe — by 88mphapp

Research Papers

• Taming Callbacks for Smart Contract Modularity
• Modelling Attacks in Blockchain Systems using Petri Nets
• Evil Under the Sun: Understanding and Discovering Attacks on Ethereum Decentralized Applications
• ModCon: a model-based testing platform for smart contracts
• Tracking Counterfeit Cryptocurrency End-to-end
• A Survey of ECDSA Threshold Signing
• An Improvement of ECDSA Weak Randomness in Blockchain
• Fraudulent Behaviour Identification in Ethereum Blockchain
• A Survey on Vulnerability Detection Tools of Smart Contract Bytecode
• Static Analysis of eWASM Contracts
• More Efficient Amortization of Exact Zero-Knowledge Proofs for LWE
• Shorter Lattice-Based Zero-Knowledge Proofs via One-Time Commitments
• SoK: Cyber-Attack Taxonomy of Distributed Ledger- and Legacy Systems-based Financial Infrastructures

If you enjoy this newsletter please share it with your friends, or ask them to sign up here Smart Contract Security Newsletter

This issue of the newsletter is brought to you by Shayan Eskandari and Carl Farterson.