Hyacinth Friday Periodical #7: UwU Lend and Kraken Exploits

vers La Lune
Hyacinth Friday Periodical
4 min read · Jun 21, 2024

Happy Friday readers! We wanted to spend this periodical taking a deeper dive into a couple of security breaches from the last couple of weeks. These are major exploits, and the ripples from them are still reverberating now. We bring them to your attention to emphasize the importance of a quality audit prior to any update or release.

UWU Lend Hack

Starting off, UwU Lend suffered a major exploit. The root cause was the price oracle. As noted by Peckshield, the sUSDe asset is priced from multiple sources, and the attacker manipulated several of the pools in the basket of stablecoin pairs that feed that oracle, specifically FRAXUSDe, USDeUSDC, USDeDAI, USDecrvUSD, and GHOUSDe, to distort the reported price. The loss was as much as 19.4 million USD; the attacker transaction can be found here.

To elaborate, the sUSDe price was pushed down by about 4%, which allowed the attacker to borrow against it at roughly $0.99. When the price overcorrected to $1.03, a string of liquidations followed, from which the attacker profited. UwU, like many protocols and banks, practices rehypothecation: collateral posted by borrowers is itself lent out or otherwise put to work, so the same assets back more than one position. This leverages the protocol's balance sheet and magnifies the fallout if a liquidation cascade occurs.

This exploit was possible because the sUSDe price is the median of 11 feeds. In theory that sounds robust, but roughly half of those feeds had low liquidity. With five weak feeds that were cheap to move, the attacker only had to push one strong feed in the same direction to control six of the eleven values, and with them the median. Had the oracle relied solely on strong feeds, the cost of manipulation would have been dramatically higher. Stronger feeds in combination with price smoothing and weighted mechanisms would have kept the oracle accurate while preventing the attack.
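To make the "six of eleven" argument concrete, here is an added example (not UwU Lend's or any real oracle's code) that brute-forces the cheapest set of feeds an attacker has to move for three oracle designs: the plain median the post describes, a median restricted to deep pools, and the liquidity-weighted median the post suggests. The feed names, pool depths ($50k for the thin pools, $5M for the deep ones) and the linear cost model (moving a pool price by a fraction f costs about f times its depth) are constructed assumptions; real AMM slippage is convex, but the ordering of costs is what the comparison needs.

```python
"""Cost of moving a median-of-N oracle as a function of feed quality.

Constructed model, not UwU Lend's oracle: each feed is an AMM pool whose
price can be pushed by trading against it, and pushing it by a fraction f
costs roughly f * pool depth (assumption; real slippage is convex).
"""
from dataclasses import dataclass, replace
from itertools import combinations
from statistics import median


@dataclass(frozen=True)
class Feed:
    name: str
    price: float          # price the feed currently reports, in USD
    liquidity_usd: float  # depth of the pool behind the feed (constructed)


def cost_to_move(feed: Feed, target: float) -> float:
    """Approximate cost of pushing one feed from its price to `target`."""
    fraction = abs(feed.price - target) / feed.price
    return round(fraction * feed.liquidity_usd, 2)


def plain_median(feeds):
    """Unweighted median of all feeds (the design the post describes)."""
    return median(f.price for f in feeds)


def filtered_median(feeds, min_liquidity_usd):
    """Median over feeds whose pool depth meets a minimum (strong feeds only)."""
    return median(f.price for f in feeds if f.liquidity_usd >= min_liquidity_usd)


def weighted_median(feeds):
    """Liquidity-weighted median: the price at which the cumulative depth of
    the cheaper feeds first reaches half of the total depth."""
    ordered = sorted(feeds, key=lambda f: f.price)
    half = sum(f.liquidity_usd for f in ordered) / 2
    acc = 0.0
    for f in ordered:
        acc += f.liquidity_usd
        if acc >= half:
            return f.price
    return ordered[-1].price


def cheapest_attack(feeds, oracle, target):
    """Brute-force the cheapest subset of feeds an attacker must push down to
    `target` so that `oracle` reports at most `target`. Returns (cost, names).
    2^N subsets is cheap for the ten-or-so feeds an oracle aggregates."""
    best_cost, best_set = float("inf"), ()
    for k in range(len(feeds) + 1):
        for subset in combinations(feeds, k):
            moved = {f.name for f in subset}
            view = [replace(f, price=target) if f.name in moved else f for f in feeds]
            if oracle(view) <= target:
                cost = sum(cost_to_move(f, target) for f in subset)
                if cost < best_cost:
                    best_cost, best_set = cost, tuple(f.name for f in subset)
    return best_cost, best_set


# Constructed basket: five thin pools and six deep ones, all quoting $1.00.
FEEDS = tuple(
    [Feed(f"weak-{i}", 1.00, 50_000) for i in range(5)]
    + [Feed(f"strong-{i}", 1.00, 5_000_000) for i in range(6)]
)
TARGET = 0.96  # a 4% move, the size the post reports


def attack_costs(feeds=FEEDS, target=TARGET):
    """Cost to move each oracle design to `target`, keyed by design name."""
    return {
        "plain_median": cheapest_attack(feeds, plain_median, target),
        "strong_only": cheapest_attack(
            feeds, lambda fs: filtered_median(fs, 1_000_000), target),
        "weighted_median": cheapest_attack(feeds, weighted_median, target),
    }


if __name__ == "__main__":
    for design, (cost, moved) in attack_costs().items():
        print(f"{design:16s} ${cost:>10,.0f}  feeds moved: {', '.join(moved)}")
```

Under these assumptions the plain median falls for $210k (all five thin pools plus one deep one), while the strong-only median costs $800k and the weighted median $606k to move the same 4%. Smoothing (a time-weighted price over several blocks) raises the bar further, because a flash-loan-funded move only lasts for one transaction and has to be sustained across the whole window to shift the average.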

A visualization of the flow of funds from the audit can be found here: https://metasleuth.io/result/eth/0xF19D66E82Ffe8E203B30dF9E81359F8a201517ad

Kraken Exploit

As of Wednesday, there was a major exploit at Kraken in which roughly 3 million USD of crypto was credited to accounts over several transactions and subsequently withdrawn.

At the time, Kraken declined to name the security firm behind the exploit, but Certik came forward publicly with its side of the story. Kraken, Certik, and many of us on the sidelines have our own opinions about how the exploit was carried out; fortunately, no user funds were affected.

The security researchers at Certik stated that they set out to answer the following three questions:

1/ Can a malicious actor fabricate a deposit transaction to a Kraken account?

2/ Can a malicious actor withdraw fabricated funds?

3/ What risk controls and asset protection might be triggered by a large withdrawal request?

After conducting their testing, they concluded that Kraken’s deposit system failed on all three counts. They demonstrated that “millions of dollars can be deposited into any Kraken account,” “A huge amount of fabricated crypto (worth more than 1M+ USD) can be withdrawn from the account and converted into valid cryptos,” and “no alerts were triggered during the multi-day testing period.” (source)
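The third question is the one an exchange's own engineers can answer with a control rather than a test. The following is an added example of what such a control looks like; it is a constructed ledger, not Kraken's system, and the confirmation count, the review threshold and the account and transaction names are assumptions. It credits a deposit only once the exchange's own node has seen it confirmed, and it refuses or holds, with an alert, any withdrawal that is either not backed by confirmed deposits or large enough to merit review.

```python
"""Deposit-crediting and withdrawal risk controls for an exchange ledger.

Constructed example, not Kraken's code. Policy values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

CONFIRMATIONS_REQUIRED = 6      # assumed: confirmations before a deposit is credited
LARGE_WITHDRAWAL_USD = 100_000  # assumed: manual-review threshold


@dataclass
class Deposit:
    account: str
    txid: str
    amount_usd: float
    confirmations: int  # as observed by the exchange's own chain node


@dataclass
class Ledger:
    deposits: list = field(default_factory=list)
    withdrawn: dict = field(default_factory=lambda: defaultdict(float))
    alerts: list = field(default_factory=list)

    def record_deposit(self, dep: Deposit) -> None:
        """A deposit is recorded immediately but credited only once confirmed."""
        self.deposits.append(dep)

    def confirm(self, txid: str, confirmations: int) -> None:
        """Update the confirmation count from chain observation."""
        for d in self.deposits:
            if d.txid == txid:
                d.confirmations = confirmations

    def confirmed_balance(self, account: str) -> float:
        """Withdrawable balance: confirmed deposits minus prior withdrawals."""
        credited = sum(d.amount_usd for d in self.deposits
                       if d.account == account
                       and d.confirmations >= CONFIRMATIONS_REQUIRED)
        return credited - self.withdrawn[account]

    def request_withdrawal(self, account: str, amount_usd: float) -> str:
        """Return 'approved', 'rejected' or 'held'; only 'approved' moves funds."""
        available = self.confirmed_balance(account)
        if amount_usd > available:
            # An unbacked withdrawal is the reconciliation failure to alert on.
            self.alerts.append(f"{account}: withdrawal {amount_usd:,.0f} "
                               f"exceeds confirmed balance {available:,.0f}")
            return "rejected"
        if amount_usd >= LARGE_WITHDRAWAL_USD:
            self.alerts.append(f"{account}: large withdrawal {amount_usd:,.0f} "
                               f"held for review")
            return "held"
        self.withdrawn[account] += amount_usd
        return "approved"


def scenario():
    """Constructed walk-through: a pending deposit is not withdrawable, a
    small confirmed one is, and a large one is held even once backed."""
    ledger = Ledger()
    ledger.record_deposit(Deposit("acct-A", "tx-pending", 1_000_000, confirmations=0))
    ledger.record_deposit(Deposit("acct-A", "tx-small", 500, confirmations=6))
    results = [
        ledger.request_withdrawal("acct-A", 250_000),  # backed only by the unconfirmed deposit
        ledger.request_withdrawal("acct-A", 100),      # backed by the confirmed one
    ]
    ledger.confirm("tx-pending", 6)
    results.append(ledger.request_withdrawal("acct-A", 250_000))  # now backed, but large
    return results, ledger.alerts, ledger.confirmed_balance("acct-A")


if __name__ == "__main__":
    outcomes, alerts, balance = scenario()
    print("outcomes:", outcomes)
    print("alerts:", *alerts, sep="\n  ")
    print(f"confirmed balance: {balance:,.0f}")
```

The point of the two separate checks is that they fail independently: even if the crediting logic is wrong, the reconciliation against confirmed deposits still refuses the withdrawal, and even if both are wrong, the size threshold still produces an alert during a multi-day test instead of silence.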

The team at Kraken has responded by stating that “[they] are treating this as a criminal case and are coordinating with law enforcement agencies accordingly” (source), and that the lack of transparency and responsiveness from the researchers was unacceptable. Kraken states that its bug bounty program has three simple rules:

1. Do not exploit more than you need to in order to prove the vulnerability.

2. Show your work (i.e., provide a proof of concept).

3. What you extract, you return immediately.

The team at Kraken has noted that the initial $4 of fabricated crypto was all that was necessary to demonstrate a proof of concept for the exploit and to receive a sizable bounty as a reward. The details are still unfolding, but the case has many people in the crypto industry and in web3 security buzzing online, and for good reason: this goes far beyond what is necessary to operate as a whitehat. If it is true that the researcher who deposited $4 then passed the bug to two other parties who carried out the $3M, then there is really no grey area here. The subsequent exploitation was completely unnecessary.

Audit Updates

This periodical isn’t all doom and gloom; we have also had a couple of updates on our end since the last article.

First, one of our most prolific auditors, OxWeiss, completed a full codebase audit of Yeet, a memecoin on Berachain. The audit found 15 vulnerabilities, three of them critical, and all were resolved. This is the power of a quality audit; I’m sure they feel confident about their move to mainnet. You can read the audit report below.

We also completed an audit with Magic Beans!

Magic Beans is an innovative on-chain escrow system that facilitates over-the-counter trading of assets on Solana. With OTC trading, it’s crucial that the technology is well audited so that assets can move trustlessly. Thanks to the audit by Jakub Heba, Magic Beans was able to find and resolve 14 vulnerabilities. If you’re interested in the full scope of the audit, the report can be found below.

Conclusion

Thanks for reading; we hope you found our deep dive informative and interesting. If you are building something and would like to prevent similar hacks, or any exploit, from harming your project, please reach out to Hyacinth Audits at tthomas@hyacinthaudits.xyz or post your own bounty so we can match you with the best auditor for your project!
