

Hack Analysis: Saddle Finance, April 2022



Root Cause

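// Output amount in normalized precision, less 1 to absorb rounding error
dy = xp[tokenIndexTo].sub(y).sub(1);
// Swap fee charged on the output amount
dyFee = dy.mul(self.swapFee).div(FEE_DENOMINATOR);
// Deduct the fee, then scale back to the output token's native precision
dy = dy.sub(dyFee).div(self.tokenPrecisionMultipliers[tokenIndexTo]);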
Snippet 1: Patched MetaSwapUtils Segment

Proof of Concept

Snippet 2. The start of our attack contract
Snippet 3. Contract Entry Point and Flash Loan
Snippet 4. Swapping USDC for sUSD
Snippet 5. Swapping sUSD for LP Tokens
Snippet 6. Swapping LP Tokens for sUSD
Snippet 7. Swapping sUSD for USDC


Snippet 8. Entire Saddle Attack




Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.