Potential Vulnerability — Disclosure (2021-11-18)
- A vulnerability potentially affecting Idle’s integrators was discovered and mitigated within 1 hour.
- This vulnerability could have put funds of Idle Protocol’s integrators at risk. It was not exploited. Deposits in Idle protocol have always been safe.
- A mitigation plan is already in place and the issue removal procedure will be effective next week with IIP-17.
- All funds are safe. No action is required by partners or users.
The Enzyme Finance team notified us regarding a potential vulnerability that was affecting their integration with Idle Protocol.
William, from Dev League, promptly checked the feasibility of the attack, and with the rest of the team immediately initiated the Pause Guardian procedure to dampen any possible malicious outcome on the partners’ side. This procedure mitigated the issue (ETH tx, Polygon tx1, Polygon tx2) on the affected pools. The `deposit` and `rebalance` functions have been temporarily paused on Ethereum, while `redeem` is still available. More details about the Pause Guardian procedure can be found here.
On Polygon, Leagues updated the contracts via multisig, permanently removing the Flash Loan functionality. Polygon strategies are already fully operational and there are no potential drawbacks on the integrations' side.
Within the subsequent hours, the Treasury League initiated the vulnerability management policy and informed all Idle integration partners. Subsequently, it disclosed the findings via Idle communication channels.
Details of vulnerability
The vulnerability could have been exploited with the following:
- Target an Idle integrator that uses Idle’s `tokenPrice` as a price feed for determining its vault token value
- Call `flashLoan()` on the IdleTokenGovernance contract to temporarily pull out the underlying token supply of the IdleToken. `tokenPrice()` now returns a significantly lower value because it depends on the contract's balance, which has just been flash-loaned out
- Mint vault shares from Idle integrator, now at a cheap value due to the reliance on `tokenPrice`
- Return the flash loan amount minus the fee (`tokenPrice` is now back to the normal value)
- Redeem vault tokens from integrator for profit
Details of fix
The related fix turns the `flashLoan` method into a no-op, effectively disabling this functionality.
A more in-depth analysis will be made in the future on a possible fix that would allow flash loans to be offered in the Idle protocol without creating similar issues.
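As an added illustration of the two sections above (not Idle's Solidity code, and not code from the Enzyme or Harvest teams), the following Python model shows why a `tokenPrice` derived from the contract's live balance moves while a flash loan is outstanding, and why turning `flashLoan` into a no-op removes that movement. The class and function names (`PoolModel`, `token_price`, `flash_loan`, `price_trace`) are constructed stand-ins for `tokenPrice()` and `flashLoan()` on IdleTokenGovernance, and the pool sizes are made-up sample values.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed toy model of an IdleToken-style pool. Not Idle's code; names are
# illustrative stand-ins for tokenPrice() / flashLoan() on IdleTokenGovernance.
ONE = 10**18  # prices are 18-decimal fixed point, as on-chain


@dataclass
class PoolModel:
    balance: int                      # underlying tokens the contract holds
    total_supply: int                 # IdleToken shares outstanding
    flash_loans_enabled: bool = True  # False models the page's no-op fix

    def token_price(self) -> int:
        # The vulnerable pattern: the price is derived from the live balance,
        # so anything that moves balance out mid-transaction moves the price.
        if self.total_supply == 0:
            return ONE
        return self.balance * ONE // self.total_supply

    def flash_loan(self, amount: int, fee: int,
                   borrower: Callable[["PoolModel"], int]) -> None:
        # Lend `amount`, hand control to the borrower, then require repayment.
        if not self.flash_loans_enabled:
            return                    # the fix: the method does nothing at all
        if amount > self.balance:
            raise ValueError("insufficient liquidity")
        self.balance -= amount
        repaid = borrower(self)       # borrower runs while the balance is drained
        if repaid < amount + fee:
            raise ValueError("flash loan not repaid")
        self.balance += repaid


def price_trace(pool: PoolModel, amount: int, fee: int = 0) -> tuple[int, int, int]:
    """Return token_price before, during and after a flash loan of `amount`.

    "During" is the value an integrator reading token_price as a feed would
    observe if its code ran inside the borrower callback.
    """
    seen = {}

    def borrower(p: PoolModel) -> int:
        seen["during"] = p.token_price()
        return amount + fee           # well-behaved borrower: repays in full

    before = pool.token_price()
    pool.flash_loan(amount, fee, borrower)
    after = pool.token_price()
    # With the no-op fix the callback never runs, so the price is never disturbed.
    return before, seen.get("during", before), after


def price_is_manipulable(pool: PoolModel, amount: int) -> bool:
    """True if a flash loan of `amount` changes the observed price mid-call."""
    before, during, _ = price_trace(pool, amount)
    return during != before


if __name__ == "__main__":
    vulnerable = PoolModel(balance=1_000 * ONE, total_supply=1_000 * ONE)
    fixed = PoolModel(balance=1_000 * ONE, total_supply=1_000 * ONE,
                      flash_loans_enabled=False)
    print("vulnerable:", [p / ONE for p in price_trace(vulnerable, 900 * ONE)])
    print("fixed:     ", [p / ONE for p in price_trace(fixed, 900 * ONE)])
```

The model only traces the flash-loan path described on this page: it shows the price dipping to a tenth of its value while nine tenths of the pool is lent out, and staying flat once `flash_loan` is a no-op. It deliberately does not model an integrator's mint or redeem logic. An integrator that reads `tokenPrice` in the same transaction as any other call capable of moving the pool's balance would need to reason about that path separately, which is the broader analysis the page defers to a later date.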
Idle Leagues would like to thank the Enzyme Finance team for promptly informing us about the issue and collaborating with Idle Leagues for its mitigation and disclosure. Idle Leagues will propose to partake in Enzyme’s bug bounty.
We would also like to give credit to the Harvest team for their responsiveness in sharing ideas and analysis regarding the vulnerability and possible outcomes.