Immunefi
Published in

Immunefi

Fei Protocol Vulnerability Bugfix Review

Summary

On April 6, 0xRevert submitted a critical vulnerability as part of Fei Protocol’s bug bounty on Immunefi, which if exploited by a malicious user could have repeatedly drained ~1410 ETH from the WETH/FEI pool on Uniswap. Following the bug submission, Fei introduced a temporary mitigation that pauses minting of rewards until a more permanent fix can be implemented.

For this find, Fei Protocol is awarding 0xRevert a $300,000 bug bounty at this time.

Vulnerability Analysis

Fei Protocol is a fully decentralized, algorithmic stablecoin designed to keep FEI pegged to USD at a 1:1 ratio. Fei Protocol uses a system of reward and penalty incentives through minting and burning according to the distance from the peg to maintain the peg price. Rewards only apply when buying FEI below the peg. Penalties apply when selling FEI below the peg.

In this case, assuming a situation where the FEI price is below the peg, a malicious user could purchase FEI, pushing the price not just back to the 1:1 peg, but above the peg, receiving some amount of FEI as a buy reward in the process. The user could then drip the FEI back into the Uniswap pool via a transfer (not a swap), which bypasses the burn penalty, and finally convert the FEI to WETH with a swap. The end result is that the attacker receives a WETH from the pool without having (net) sold any FEI.

The exploit can be illustrated in the following steps.

  1. User uses the UniswapV2Pair.swap method to trade WETH for FEI from the Uniswap liquidity pool. This swap pushes FEI up to the peg, and continues to push the price above the peg. On top of the “normal” amount of FEI purchased, the user also receives a reward pushing FEI up to the peg. There is no disincentive for driving the price above the peg.
  2. The Fei.transfer method, which is a normal ERC-20 transfer and not a swap, drips the FEI back from the attacker contract into the Uniswap pair. Under normal conditions, the first transfer would return the price to the peg, and the second one would return the price below the peg, thus incurring a burn penalty for bringing the price below the peg. However, the definition of ‘selling below the peg,’ which is the condition that would trigger a burn, is computed using the reserves of the Uniswap pair. But since the Uniswap pool doesn’t update its reserves until you attempt a swap, those transfers aren’t penalized for driving the price below the peg.
  3. The user then calls the UniswapV2Pair.swap method again to get back the WETH that was originally swapped for FEI. UniswapV2Pair.swapis a low-level method which interacts with the Uniswap pair directly instead of using the normal router interface. This accomplishes two things. First, it updates the reserve amounts in the Uniswap pool, restoring the price to its original value below the peg. Second, it cashes the attacker out in WETH. The amount of WETH returned is larger than the amount of WETH sold in step 1. The final result is that the attacker makes a riskless profit at the expense of the Uniswap liquidity providers by collecting buy rewards and bypassing sell penalties.

While you do incur swap fees using UniswapV2Pair.swap, the fees are small relative to how much more you make in WETH by avoiding burn penalties when selling FEI. A fairly large amount of WETH is needed for step 1. It is left as an exercise to the reader as to how a user could obtain a sufficient amount of WETH for the purposes of this exploit.

Vulnerability Fix

Fei Labs has temporarily shut down all buy rewards and sell penalties and working on a validation of a proposed permanent fix. When that fix is implemented, rewards for buying FEI to push it back up to the peg will come back online.

Acknowledgements

We’d like to take this opportunity to thank 0xRevert for keeping the DeFi ecosystem secure and saving both users and Fei Protocol from a potentially devastating hack. We’d also like to thank Fei Protocol for taking security and responsibility seriously by hosting a bug bounty program with Immunefi, which is an essential part of the DeFi security stack alongside their audits from OpenZeppelin and ConsenSys Diligence. This is exactly how bug bounties should work. Fei would also like to express its gratitude to Immunefi for hosting and facilitating the bug submission process and writing this postmortem. Immunefi is the immune system of crypto. If you’re interested in protecting your project with a bug bounty, visit the Immunefi services page and fill out the form.

What follows is a proof-of-concept exploit written by Michael McCanna and Duncan Townsend of Immunefi.

In the course of Fei and Immunefi’s examination of this vulnerability, we discovered a variant of this attack that uses EthUniswapPCVController.reweight to restore the FEI price to the peg instead of dripping the FEI back into the Uniswap pool to bypass the sell burn. This attack is made more complex by the requirement that it bypass the faulty nonContract modifier.

What follows is a proof-of-concept exploit written by Joey Santoro of Fei and Michael McCanna and Duncan Townsend of Immunefi.

P.S. Hackers subscribed to our newsletter are 35.8% more likely to earn a bug bounty. Click here to sign up.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Immunefi

Immunefi

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.