Analyzing the ARTH Leverage Bugfix — April 14, 2022
On April 13, 0xdieman submitted a critical vulnerability as part of MahaDAO Protocol’s bug bounty, which if exploited by a malicious user could have repeatedly drained ~500k USDT, potentially de-pegged ARTH and caused some negative sell pressure on MAHA. Following the bug submission, the core team paused the vulnerable collaterals, patched the bug and restarted the collaterals.
As part of the MahaDAO Bug Bounty program, the 0xdieman was rewarded a 20,000 MAHA (or ~$80,000 at current market price) bounty reward for the severity of the vulnerability.
We’d like to thank 0xdieman for his responsible disclosure and also would encourage more developers/white-hats to participate in the MahaDAO’s bug bounty program and to help secure the protocol.
There were no loss of funds and together we were able to make the protocol even more resilient. In the remainder of this post we go into detail about the actual bug.
The Problem
MahaDAO’s ARTH is a stablecoin that offers an inflation-proof currency. As a stablecoin, lending is one of the core use cases of ARTH. Along with that, the ARTH leverage feature offers a mechanism for users to take leverage to increase exposure to the underlying assets. These assets can be single token assets, such as BNB, ETH, or double token assets such as LP tokens on the various DEXes.
The vulnerability in question is linked to the oracles behind the LP tokens and the way the price was calculated. LP oracles are the most common targets for flash loan manipulation.
By manipulating the oracle price, it’d allow an attacker to mint/burn ARTH at heavily skewed rates which would then allow the attacker to make profitable arbitrages thereby draining all the liquidity in the ARTH pools.
The Solution
The MahaDAO core activated the emergency stop switch which is a 3/5 multi-sig and temporarily halted the leverage functionality for LP tokens.
New oracles with TWAP and right function calls will be deployed.
The fix has been created and will be implemented live in the coming hours. After a through re-test and audit, leverage will be live again.
Concluding Thoughts
MahaDAO thanks 0xdieman for ethically reaching out to us & reporting the bug in a responsible. We are happy to reward him with 20,000 MAHA tokens upfront.
We’d like to encourage other whitehat hackers to help make the MahaDAO protocol more secure.
This is a true sign of decentralization, a true sign of a project that wants to build better & build for the people. We look forward to making the protocol more secure & less vulnerable to attacks. This is yet another step in that direction.
About MahaDAO
MahaDAO is a community-powered, decentralized autonomous organization on a mission to empower billions to preserve their purchasing power through the world’s first valuecoin, ARTH.
