ArmorFi Bug Bounty Postmortem

Many post-mortems in DeFi are sad because they’re written up in reaction to users losing millions from an exploited project. This, however, is a happy one. On January 30, Alexander Schlindwein, CTO of Ideamarkets, submitted a critical bug to Immunefi for ArmorFi’s smart contract code. Armor, which had joined the Immunefi platform about a week prior, had just upgraded the size of its bug bounty to 1,000,000 mostly vested $ARMOR tokens, and the upgrade was too tempting to ignore.

In other words, the bounty went from about $23,000 USD to $700,000 USD, and within about a day, a critical vuln landed in our inbox.

Starting at around 5 a.m. PST, our CTO began assessing the severity of the vulnerability: it was real, and if exploited, would have been a total wipeout for Armor. The Immunefi team worked with Armor (“you up?”) to communicate the details of the bug and work out a fix. With criticals and with smart contracts in particular, the danger is normally heightened because the code is public. Fortunately, in this case, the contract in question had yet to be deployed.

The way this vulnerability works is relatively simple: some user with coverage makes a claim against a coverage pool in Armor, presumably after suffering some sort of event covered by the policy.

However, rather than withdrawing the amount of the policy, the exploit allows them to get 10^18 as much as they purchased. A single dollar worth of coverage could have enabled a malicious attacker to withdraw far more assets than available.

In ClaimManager.sol, line 62 uint256 payment = _amount * 10 ** 18; should not have been present in the contract.

The call on line 64, msg.send.transfer(payment), sends an amount of WEI to the target contract. The amount it sends is specified in WEI. The variable “_amount” is already in WEI. This value was mistakenly treated as a value in ETH instead, even though it was already in WEI. This redundant conversion made the withdrawal figure far too large — specifically 10^18 too large because one ETH is 10^18 WEI. With this information in hand, line 62 was deleted from the codebase and the problem solved.

This successful disclosure is an excellent proof of concept of how bug bounties can function in the smart contract space. Moreover, it achieved three important objectives. First, it solved a critical vulnerability that stood a good chance of being exploited on some timeline. Second, Armor has the opportunity to review its code and security processes more closely. And third, the community reacted overwhelmingly positive to Armor taking security seriously with its bug bounty program and successful payout. As of publication, the current value of the bounty is $876,000 USD.

The system is working as intended and will continue to do so.

If you’re interested in joining the Immunefi platform with a bug bounty, fill out the form on our services page, and we’ll bring you on board.

If you’re interested in having your story written up like this, now is the time to get started hunting for bugs.

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.