Immunefi
Published in

Immunefi

Hack Analysis: Saddle Finance, April 2022

Introduction

Background

Root Cause

dy = xp[tokenIndexTo].sub(y).sub(1);
dyFee = dy.mul(self.swapFee).div(FEE_DENOMINATOR);
dy = dy.sub(dyFee).div(self.tokenPrecisionMultipliers[tokenIndexTo]);
Snippet 1: Patched MetaSwapUtils Segment

Proof of Concept

Snippet 2. The start of our attack contract
Snippet 3. Contract Entry Point and Flash Loan
Snippet 4. Swapping USDC for sUSD
Snippet 5. Swapping sUSD for LP Tokens
Snippet 6. Swapping LP Tokens for sUSD
Snippet 7. Swapping sUSD for USDC

Conclusion

Snippet 8. Entire Saddle Attack

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Immunefi

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.