DFX Finance Rounding Error Bugfix Review

Immunefi
4 min read · Jun 5, 2023

Summary

On April 28, 2023, a whitehat with the pseudonym perseverance submitted a critical vulnerability to DFX Finance via Immunefi, which consisted of a rounding error with the EURS token due to the non-standard decimal value of two. At the time of the submission, $237,143 was in the vulnerable pool and at risk of being stolen by a malicious hacker.

However, DFX Finance quickly took measures to remediate the bug after receiving perseverance’s report. No user funds were lost. This bug was isolated to the EURS token and did not affect any other tokens that DFX currently supports.

DFX Finance paid out a bounty of 100,000 USDT to the whitehat.

Immunefi is pleased to have facilitated this responsible disclosure with our platform. Our goal is to make web3 safer by incentivizing hackers to responsibly disclose bugs and receive clean money and reputation in exchange.

This bugfix review was written by Immunefi triager, Alejandro Muñoz-McDonald.

DFX Finance Introduction

DFX Finance is a decentralized foreign exchange (FX) protocol. DFX Finance creates a decentralized marketplace where users can swap non-USD stablecoins pegged to various foreign currencies, such as CADC, EUROC, XSGD, and more. These types of exchanges also typically incentivize liquidity providers to supply capital by offering yield on funds deposited.

The design uses an automated market making (AMM) mechanism to allow the exchange to operate in a decentralized way. The AMM exchanges tokens according to a bonding curve, which is dynamically adjusted according to real-world price feeds from Chainlink. Each currency is paired with USDC, which is treated as a bridge currency in the DFX AMM between all other stablecoins.

AMMs allow these stablecoins to be traded directly in a permissionless way, in contrast to a peer-to-peer model where buyers and sellers are matched from an order book. There are two major parts to the DFX protocol: Assimilators and Curve. Assimilators allow the AMM to handle pairs of different values, while also integrating reported oracle prices for respective currencies. Curve allows the custom parametrization of the bonding curve with dynamic fee, price scaling, and more.

Decentralized Exchange

Assimilators are necessary when dealing with pairs of different values, which is core to the DFX protocol as all assets are paired with USDC. The AssimilatorV2 contract is responsible for converting all amounts to a numeraire, or a base value used for computations across the protocol. DFX Finance maintains the assimilators, which integrate with Curve to provide proportional liquidity to pools. When users would like to provide liquidity to a pool to receive yield on their stablecoins, they call the deposit function on the Curve pool and receive liquidity provider (LP) tokens in return, representing their proportion of the underlying asset they deposited.

When a user deposits EURS, the function checks if the deposit amount is greater than zero, and then delegates most of the logic to the library call ProportionalLiquidity.proportionalDeposit.

Within the proportionalDeposit function, the Curve pool calls intakeNumeraireLPRatio on the AssimilatorV2 contract to calculate the corresponding amount of euros to transfer from the user. That amount is calculated on line 145, based on the LP ratio passed to the function.

After the transfer of the deposit is handled in the intakeNumeraireLPRatio function and liquidity is transferred from the user to the contract, the proportionalDeposit function mints the number of LP tokens that represents the user’s share of the pool. Finally, the deposit function returns the value of deposits and shares minted.

Vulnerability Analysis

DFX Finance’s contracts contained a vulnerability that stemmed from the calculation of the transfer amount within the AssimilatorV2 contract on line 145. The issue arises when the _rate exceeds the numerator value, resulting in an integer division that leads to zero tokens being transferred from the user. Despite transferring zero tokens, the user still receives curve tokens which represent their portion of the curve pool. To exploit this, an attacker would deposit a minuscule amount of tokens, causing the transferred amount to be zero while still receiving minted curve tokens in exchange for the small proportion of tokens “deposited”.

Typically, tokens have at least six decimals, which limits the potential profit to an amount lower than would be spent on gas for the transaction. However, the EURS token on the Polygon network has only two decimals. By utilizing the EURS token and repeatedly depositing a small amount (around 10,000 times) within a single transaction, an attacker can generate a profit of approximately 172 EURO or 190 USDC per attack by withdrawing the minted curve tokens. At the time of submission, the vulnerable pool had a balance of $237,143 USD, which could have been stolen by an attacker progressively acquiring a larger portion of the pool through successive attacks.

Proof of Concept (PoC)

The Immunefi team prepared the following PoC to demonstrate the vulnerability.

Vulnerability Fix

DFX Finance fixed the issue by deploying a new version of the AssimilatorV2 contract with an added require statement, which checks that the amount to be transferred from the user is greater than zero. The existing Curve pool was migrated to use the new Assimilator.
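The truncation described under Vulnerability Analysis and the zero-amount check described here can be reproduced with a small integer model. This is an added illustration, not code from DFX Finance's contracts: the constants, function names, the 1.10 rate and the pool figures are assumptions, and only the EURS side of a deposit is modeled.

```python
# Added illustration: simplified integer model of the EURS leg of a deposit.
# Constants, names and sample values are assumptions, not DFX Finance code.

ONE = 10**18             # assumed fixed-point scale for numeraire values and LP shares
RATE_PRECISION = 10**6   # assumed scale of the oracle-derived rate (USDC per token)


class ZeroTransfer(Exception):
    """Stands in for a reverted transaction."""


def token_amount(numeraire: int, decimals: int, rate: int) -> int:
    """Raw token units pulled from the depositor; // mirrors Solidity integer division."""
    units = numeraire * 10**decimals // ONE      # numeraire expressed in raw token units
    return units * RATE_PRECISION // rate        # truncates to 0 when rate > numerator


def deposit(numeraire: int, decimals: int, rate: int,
            pool_value: int, total_shares: int, require_nonzero: bool):
    """Return (tokens_transferred, lp_shares_minted) for one deposit."""
    amount = token_amount(numeraire, decimals, rate)
    if require_nonzero and amount == 0:
        # Shape of the fix: refuse deposits whose transfer rounds down to nothing.
        raise ZeroTransfer("transfer amount must be greater than zero")
    shares = total_shares * numeraire // pool_value  # minted from the requested value
    return amount, shares


# Constructed sample state: 1 token = 1.10 USDC, pool worth 200,000 numeraire.
RATE = 1_100_000
POOL = 200_000 * ONE
SHARES = 200_000 * ONE
DUST = 15 * 10**15       # 0.015 numeraire

if __name__ == "__main__":
    print("2 decimals, no check:", deposit(DUST, 2, RATE, POOL, SHARES, False))
    print("6 decimals, no check:", deposit(DUST, 6, RATE, POOL, SHARES, False))
    try:
        deposit(DUST, 2, RATE, POOL, SHARES, True)
    except ZeroTransfer as exc:
        print("2 decimals, with check: rejected,", exc)
```

With two decimals the same deposit value transfers nothing yet still mints shares, while with six decimals the transfer is nonzero; the check turns the zero-transfer case into a revert.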

Acknowledgements

We would like to thank perseverance for doing an amazing job and responsibly disclosing such an important bug. Big props also to the DFX Finance team who responded quickly to the report and patched the bug.

If you’d like to start bug hunting, we got you. Check out the Web3 Security Library, and start earning rewards on Immunefi — the leading bug bounty platform for web3 with the world’s biggest payouts.

And if you’re feeling good about your skillset and want to see if you will find bugs in the code, check out the bug bounty program from DFX Finance.


Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.