Midas Exploit Post-Mortem

At 5:35 pm UTC on June 17h, 2023, the isolated pool on Midas Capital aimed at supporting the partners from Ankr and Helio Finance on BNB chain was exploited by an attacker, who drained the platform of $340k worth of assets from the pool. While our efforts to set the necessary risk parameters to avoid worst-case scenarios in terms of loss-of-funds did work and avoided a more devastating exploit, the attacker was able to circumvent some of the limits and security measures we had taken. For now, we have taken the measures necessary to lock the protocol, contact the authorities, and send the hacker a message for a bounty in exchange for the returned funds.

It is worth mentioning that this was a public, permissionless pool.

Pool Set-up, Security Measures, and the Compound Bug

The pool that was exploited was a particularly complex one — while at its core it is a Compound-like pool, it supported a variety of features on top of it aimed at improving its security profile but also allowed it to support a variety of non-standard assets.

A set of assets are particularly important for the hack, namely Solidly-like LP tokens (in this case, these were Thena Exchange LP tokens). These tokens represent a user’s share of the liquidity deposited in a Thena Liquidity Pool. While collateralising LP tokens is becoming a common practice in DeFi, it is still a source of complexity and risk. To mitigate these, we set stringent limits in terms of how much a borrow can be collateralised by such tokens, ranging from $25k to $40k. We further set borrow and supply caps on such and other tokens in the pool (RDNT, ANKR), to avoid exposure to lower liquidity assets.

The very much referenced Hundred Finance Hack in our case was also discussed internally and a fix was implemented for it right away (here’s the commit, the day after the exploit was announced). Unfortunately, this fix was not enough to prevent the inflation attack mechanism. In some very specific cases in which LP tokens have very low denomination (e.g. $1 worth of Thena LP tokens can be as little as 1e-12 tokens), the fix prevented assets to be deposited and withdrawn from the pool. The solution we came up with, which left the pools open to the vulnerability came a few days later.

Apart from the vulnerability itself, the attacker was able to also circumvent the borrow limits by ingeniously exploiting the fact that another asset (ANKR) did not have a borrow limit in terms of ankrBNB. With a set of flash loans, the attacker was able to leverage their minted collateral to acquire ANKR, deposit it into the pool, and borrow the ankrBNB in the pool.

The Exploit, Detailed

The exploit consisted of two parts that were unique for Midas and dependent on the pool configuration of risk parameters. The first pillar of the exploiter's actions was the ability to supply collateral that they could redeem in the end, even if this collateral is used to collateralize borrows. For this purpose, they implemented a special smart contract that they had named borrower and was at the address 0xd2094b870D80Cfb7DaDa4893aD0030d642CA9f72.

In the first phase, this address held the 1001 wei total supply of the HAY/BUSD market cTokens. This was done by using the root attack contract to mint and supply 21,184 LP tokens and then redeeming from the market all but 1001 wei of cTokens. The hacker then donated to the market the redeemed 21,184 LP tokens, transferred the total supply of 1001 weiLP tokens to the borrower and then from the borrower contract used the flash loaned ANKR to borrow the $25k of HAY and 1,148 ankrBNB that he then swapped from the root attack contract for BUSD and with those assets then minted 259,826.61 HAY/BUSD LP tokens at a total value of approx $519k, which they also donated to the market. The assets behind these LP tokens come from the initial own funding of the hacker ($220k worth of HAY and $22.3k of BUSD) and the borrows from Ankr-Helio pool assets (ankrBNB that is swapped for $251k of BUSD and $25k worth of HAY). The reason why these 1001 wei were redeemable for such a large amount is the core of the hack.

The hacker was able to borrow these assets from the Ankr-Helio pool because they supplied $689k worth of ANKR collateral that they flash-loaned from Thena and PancakeSwap. They also borrowed 115 ankrBNB (worth approx $28.7k) from the pool and supplied it back from another contract (let’s call it the liquidator). This step effectively bypassed one of the key security features we had implemented, namely debt ceilings on the amount borrowable of ankrBNB collateralised by HAY/BUSD LP Tokens.

With this fresh collateral that is behind 1001 wei of cTokens (worth around $519k) they were able to borrow some smaller amount of ANKR from the pool (worth around $13.5k) to repay the flash loan fees, so they went ahead and redeemed the supplied $689k worth of ANKR, leaving their account in the pool with $519k worth it of collateral and $320k worth of debt. They repaid the flash loan and ended their first transaction of the exploit by withdrawing 519.13 LP tokens for just 1 wei of the market cToken. Why 519.13 of the currently held by the market 259,826.61 LP tokens? Because 519.13 is 0.1998% = 1.998 wei of the 1001 total supply - rounded down to just 1 wei, instead of up to 2 wei(this is where the bug lies).

Now after the flash loan transaction is over, in the second phase the transactions keep looping over to do a simple action — provide HAY/BUSD LP tokens of an amount that is equal to 1 wei for cTokens and withdraw LP tokens that are equal to 1.998 wei of cTokens — rounded down to just 1 wei.

The final part involves instead self-liquidations. When the value of the chipped LP tokens came to around $30k, they used 90.9 of their 115 supplied ankrBNB to liquidate their own bad debt, seizing the LP tokens and redeeming them for what’s left of them.

Remediation and Future Steps

A final fix for the bug is implemented (here is the commit), and in the meantime, we’ll keep the protocol paused. We’re currently re-evaluating the business proposition of Midas and its strategic direction. While the beauty of isolated pools enabled us to contain the hack to a single pool, this event forced us to re-evaluate the proposition of the permissionless pool design.

While we maintain our focus on supporting all the current partners and ensuring the safety of their funds and the operation of their pools, we will take a strategic decision to shift towards a more secure, permissioned design in which only whitelisted users are allowed to interact with the protocol. A tiered pool structure will further mitigate the risks.