Armor Bugfix Review

Immunefi
Feb 10, 2021

Summary

Many bugfix reviews in DeFi are sad because they’re written up in reaction to users losing millions from an exploited project. This, however, is a happy one. On January 30, Alexander Schlindwein, CTO of Ideamarkets, submitted a critical bug to Immunefi for Armor’s smart contract code. Armor, which had joined the Immunefi platform about a week prior, had just upgraded the size of its bug bounty to 1,000,000 mostly vested $ARMOR tokens, and the upgrade was too tempting to ignore. At the time of the report, this was worth $1,500,000.

Starting at around 5 a.m. PST, our CTO began assessing the severity of the vulnerability: it was real, and if exploited, would have been a total wipeout for Armor. The Immunefi team worked with Armor (“you up?”) to communicate the details of the bug and work out a fix. Fortunately, in this case, the contract in question had yet to be deployed.

Vulnerability Analysis

The way this vulnerability works is relatively simple: some user with coverage makes a claim against a coverage pool in Armor, presumably after suffering some sort of event covered by the policy.

However, rather than withdrawing the amount of the policy, the exploit allows them to get 10^18 times as much as they purchased. A single dollar's worth of coverage could have enabled a malicious attacker to withdraw far more assets than were available.

In ClaimManager.sol, line 62 should not have been present in the contract: uint256 payment = _amount * 10 ** 18;

The call on line 64, msg.sender.transfer(payment), sends funds to the target contract, and the amount it sends is specified in WEI. The variable “_amount” is already in WEI, but it was mistakenly treated as a value in ETH. This redundant conversion made the withdrawal figure far too large, specifically 10^18 times too large, because one ETH is 10^18 WEI.

Vulnerability Fix

With this information in hand, line 62 was deleted from the codebase and the problem solved.
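
The unit mix-up described above, as an added example that is not Armor's code and not part of the original post: a minimal hypothetical contract showing the redundant scaling beside a corrected payout that bounds the exact value it transfers. All names other than _amount and payment are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Armor's ClaimManager.sol. Every name here is
// hypothetical except `_amount` and `payment`, taken from the quoted lines.
contract ClaimPayoutExample {
    // Coverage purchased per user, tracked in wei.
    mapping(address => uint256) public coverageWei;

    // Lets the example pool receive funds.
    receive() external payable {}

    function buyCoverage() external payable {
        coverageWei[msg.sender] += msg.value; // msg.value is always wei
    }

    // Pattern from the write-up: `_amount` is already wei but is scaled as
    // if it were whole ETH. The coverage check passes on `_amount`, yet the
    // value transferred is 10**18 times larger.
    function redeemClaimBuggy(uint256 _amount) external {
        require(_amount <= coverageWei[msg.sender], "exceeds coverage");
        coverageWei[msg.sender] -= _amount;
        uint256 payment = _amount * 10 ** 18; // redundant ETH-to-wei conversion
        payable(msg.sender).transfer(payment);
    }

    // Corrected form: the unit is in the parameter name, nothing is scaled,
    // and the bound is checked on the exact value handed to transfer().
    function redeemClaimFixed(uint256 amountWei) external {
        uint256 paymentWei = amountWei;
        require(paymentWei <= coverageWei[msg.sender], "exceeds coverage");
        coverageWei[msg.sender] -= paymentWei;
        payable(msg.sender).transfer(paymentWei);
    }
}
```

In the buggy function the coverage check and the transfer operate on different values, which is why the check offers no protection; validating the final transferred value closes that gap.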

Acknowledgements

This successful disclosure is an excellent proof of concept of how bug bounties can function in the smart contract space. Moreover, it achieved three important objectives. First, it solved a critical vulnerability that stood a good chance of being exploited on some timeline. Second, Armor has the opportunity to review its code and security processes more closely. And third, the community reacted overwhelmingly positively to Armor taking security seriously with its bug bounty program and successful payout. As of publication, the current value of the bounty is $876,000 USD.

If you’d like to start bug hunting, we got you. Check out the Web3 Security Library, and start earning rewards on Immunefi — the leading bug bounty platform for web3 with the world’s biggest payouts.

If you’re interested in joining the Immunefi platform with a bug bounty, fill out the form on our services page, and we’ll bring you on board.


Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.