Published in Immunefi

ArmorFi Bug Bounty Postmortem

Many post-mortems in DeFi are sad because they’re written up in reaction to users losing millions from an exploited project. This, however, is a happy one. On January 30, Alexander Schlindwein, CTO of Ideamarkets, submitted a critical bug to Immunefi for ArmorFi’s smart contract code. Armor, which had joined the Immunefi platform about a week prior, had just upgraded the size of its bug bounty to 1,000,000 mostly vested $ARMOR tokens, and the upgrade was too tempting to ignore.

In other words, the bounty went from about $23,000 USD to $700,000 USD, and within about a day, a critical vuln landed in our inbox.

Starting at around 5 a.m. PST, our CTO began assessing the severity of the vulnerability: it was real, and if exploited, would have been a total wipeout for Armor. The Immunefi team worked with Armor (“you up?”) to communicate the details of the bug and work out a fix. With criticals and with smart contracts in particular, the danger is normally heightened because the code is public. Fortunately, in this case, the contract in question had yet to be deployed.

The way this vulnerability works is relatively simple: some user with coverage makes a claim against a coverage pool in Armor, presumably after suffering some sort of event covered by the policy.

However, rather than withdrawing the amount of the policy, the exploit allows them to get 10^18 times as much as they purchased. A single dollar's worth of coverage could have enabled a malicious attacker to withdraw far more assets than available.

In ClaimManager.sol, line 62 should not have been present in the contract: uint256 payment = _amount * 10 ** 18;

The call on line 64, msg.sender.transfer(payment), sends WEI to the target contract, and the amount it sends is specified in WEI. The variable “_amount” is already in WEI, but it was mistakenly treated as a value in ETH. This redundant conversion made the withdrawal figure far too large, specifically 10^18 times too large, because one ETH is 10^18 WEI. With this information in hand, line 62 was deleted from the codebase and the problem was solved.
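The unit mix-up described above, shown as the scaled payout beside the corrected one. This is an added example, not ArmorFi's ClaimManager code: only the names _amount and payment come from the article, and the contract, the owner-approval flow and every other function name are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not ArmorFi's ClaimManager. Only `_amount` and `payment`
// come from the article; every other name here is hypothetical.
contract ClaimPayoutExample {
    address public immutable owner;
    // Approved claim per holder, denominated in wei.
    mapping(address => uint256) public approvedWei;

    constructor() payable {
        owner = msg.sender;
    }

    // Lets the pool receive funds.
    receive() external payable {}

    function approveClaim(address holder, uint256 amountWei) external {
        require(msg.sender == owner, "not owner");
        approvedWei[holder] = amountWei;
    }

    // Before the fix: `_amount` is already wei, so scaling by 10 ** 18 treats
    // it as whole ETH and inflates the payout by a factor of 10^18.
    function paymentBeforeFix(uint256 _amount) public pure returns (uint256) {
        uint256 payment = _amount * 10 ** 18;
        return payment;
    }

    // After the fix: the wei amount is paid out unchanged.
    function paymentAfterFix(uint256 _amount) public pure returns (uint256) {
        return _amount;
    }

    function redeemClaim(uint256 _amount) external {
        require(_amount <= approvedWei[msg.sender], "exceeds approved claim");
        // Debit the claim before sending funds (checks-effects-interactions).
        approvedWei[msg.sender] -= _amount;

        uint256 payment = paymentAfterFix(_amount);
        // Invariant: wei leaving the pool equals wei debited from the claim.
        assert(payment == _amount);

        payable(msg.sender).transfer(payment);
    }
}
```

A regression test for this class of bug approves a claim of 1 ether, calls redeemClaim, and checks that the pool balance dropped by exactly 1 ether.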

This successful disclosure is an excellent proof of concept of how bug bounties can function in the smart contract space. Moreover, it achieved three important objectives. First, it solved a critical vulnerability that stood a good chance of being exploited on some timeline. Second, Armor has the opportunity to review its code and security processes more closely. And third, the community reacted overwhelmingly positively to Armor taking security seriously with its bug bounty program and successful payout. As of publication, the current value of the bounty is $876,000 USD.

The system is working as intended and will continue to do so.

If you’re interested in joining the Immunefi platform with a bug bounty, fill out the form on our services page, and we’ll bring you on board.

If you’re interested in having your story written up like this, now is the time to get started hunting for bugs.

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.


Immunefi is the premier bug bounty platform for smart contracts and DeFi projects, where security researchers review code, disclose vulnerabilities, get paid, and make crypto safer. Immunefi removes security risk through bug bounties and comprehensive security services.
