Immunefi Bug Find, Post-Mortem, & Bounty Program

Teller Official
Teller Finance
Aug 4, 2021

Summary

On July 30, 2021, representatives of the Immunefi bug bounty platform reached out to Teller Finance on behalf of a whitehat hacker to disclose a critical bug in one of the Teller smart contracts for the TDAI token. The vulnerability was fixed within two hours of being reported and before any malicious actor could exploit it. All funds are, and continue to be, SAFU.

The uncovered vulnerability would have allowed any malicious actor to initialize the underlying beacon proxy of the TToken contract so that it pointed to a contract of their own, which in turn would let them call the selfdestruct() function from that contract. This would have rendered funds in the TDAI token inaccessible. Teller Finance fixed the vulnerability by initializing the beacon proxy itself, so that no potential malicious actor could do so.

Teller, DeFi’s Credit Protocol

Teller is an algorithmic credit risk protocol, built to enable the creation of decentralized lending markets that can offer unsecured loans. The protocol’s unique cloud-based infrastructure can connect to, and privately compute on, credit and banking data to generate individual loan terms based on a user’s creditworthiness. Teller Protocol was designed to develop decentralized loan products without collateralized debt, reducing consumer risk and costs. Teller can interoperate with centralized finance data, offering everyone the freedom to develop a new wealth of trustless financial instruments.

Vulnerability Analysis

As noted above, Immunefi reached out to Teller Finance on Jul 30, 2021 for help with disclosure assistance, a public service that Immunefi provides to whitehats and the DeFi community. When a vulnerability in a project is discovered but no bug bounty exists, Immunefi facilitates disclosure between the whitehat and the vulnerable project, supporting the process in whatever capacity is required.

What was the issue?

The vulnerability had to do with the TDAI beacon proxy implementation contract not being fully initialized during deployment.

The TToken contract deployment script takes the following steps:

  1. Deploy the InitializeableBeaconProxy and the Implementation Logic contracts (neither of these contracts should be interacted with directly).
  2. Deploy the UpgradeableBeaconFactory with constructor arguments using the contracts from Step 1.
  3. The UpgradeableBeaconFactory creates a Minimal Proxy that points to the InitializeableBeaconProxy deployed in Step 1.
  4. The UpgradeableBeaconFactory initializes the newly created Minimal Proxy / Initializeable Beacon Proxy (from Step 3) with its own address, which tells it which Implementation Logic contract to use.

The Vulnerability:

  1. The original InitializeableBeaconProxy for the TDAI contract was not initialized during the setup script steps.
  2. If left unchecked, any malicious actor could have initialized it with a contract exposing an external function implementation() -> address that returns the address of a contract containing ANY function that calls selfdestruct(), and then called that function.
  3. The original Initializeable Beacon Proxy contract would then be destroyed, rendering the Minimal Proxy (from Step 3 in the setup) useless, since its hardcoded implementation address is the Initializeable Beacon Proxy and cannot be changed.

Immediate Vulnerability Fix

The fix was to initialize the original InitializeableBeaconProxy with a placeholder 0x0…1 address, so that no one could initialize it with a malicious address.

```solidity
function initialize(address beacon, bytes memory data) external payable {
    assert(_BEACON_SLOT == bytes32(uint256(keccak256("eip1967.proxy.beacon")) - 1));
    require(_beacon() == address(0), "Beacon: already initialized");
    _setBeacon(beacon, data);
}
```
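As an added example that is not Teller's code, the following simplified Solidity sketch follows the four deployment steps and the vulnerability description above and applies the fix: the base InitializeableBeaconProxy is initialized with the 0x0…1 sentinel in the same transaction that deploys it, and a view function gives the deployment script an invariant to assert afterwards. The contract and function names LockedBeaconFactory, LOCK_BEACON, createProxy and isBaseLocked are assumptions; the EIP-1967 beacon slot constant and the EIP-1167 minimal proxy bytecode are the standard values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not Teller's code: a simplified InitializeableBeaconProxy
// and beacon factory following the deployment steps and the fix described in
// the post. LockedBeaconFactory, LOCK_BEACON and isBaseLocked are assumed names.

interface IBeacon {
    function implementation() external view returns (address);
}

contract InitializeableBeaconProxy {
    // EIP-1967 beacon slot: bytes32(uint256(keccak256("eip1967.proxy.beacon")) - 1)
    bytes32 internal constant _BEACON_SLOT =
        0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50;

    // One-shot initializer: whoever calls it first chooses the beacon for good.
    // The "already initialized" guard only protects a proxy that someone has
    // actually initialized, which is exactly the step the deployment had skipped.
    function initialize(address beacon_) external {
        assert(_BEACON_SLOT == bytes32(uint256(keccak256("eip1967.proxy.beacon")) - 1));
        require(_beacon() == address(0), "Beacon: already initialized");
        bytes32 slot = _BEACON_SLOT;
        assembly { sstore(slot, beacon_) }
    }

    function beacon() external view returns (address) { return _beacon(); }

    function _beacon() internal view returns (address b) {
        bytes32 slot = _BEACON_SLOT;
        assembly { b := sload(slot) }
    }

    // Forward every other call to whatever logic contract the beacon names.
    fallback() external payable {
        address impl = IBeacon(_beacon()).implementation();
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Beacon plus clone factory (steps 2-4 of the deployment), with the fix applied
// in the constructor so the base proxy is never left initializable.
contract LockedBeaconFactory is IBeacon {
    // Sentinel beacon for the base proxy (the 0x0...1 address from the post).
    address public constant LOCK_BEACON = address(1);

    address public immutable baseProxy;
    address public override implementation;
    address public owner;

    constructor(address logic) {
        require(logic.code.length > 0, "logic has no code");
        owner = msg.sender;
        implementation = logic;
        // Step 1 and the fix in one transaction: there is no window in which
        // anyone else can claim initialize() on the base proxy.
        InitializeableBeaconProxy base = new InitializeableBeaconProxy();
        base.initialize(LOCK_BEACON);
        baseProxy = address(base);
    }

    function upgradeTo(address logic) external {
        require(msg.sender == owner, "not owner");
        require(logic.code.length > 0, "logic has no code");
        implementation = logic;
    }

    // Steps 3-4: EIP-1167 minimal proxy to the base, initialized with this
    // factory as its beacon in the same transaction that creates it.
    function createProxy() external returns (address clone) {
        address base = baseProxy;
        assembly {
            let ptr := mload(0x40)
            mstore(ptr, 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000000000000000000000)
            mstore(add(ptr, 0x14), shl(0x60, base))
            mstore(add(ptr, 0x28), 0x5af43d82803e903d91602b57fd5bf30000000000000000000000000000000000)
            clone := create(0, ptr, 0x37)
        }
        require(clone != address(0), "clone failed");
        InitializeableBeaconProxy(payable(clone)).initialize(address(this));
    }

    // Post-deployment invariant for a deploy script or monitor: the base proxy
    // must report a non-zero beacon, i.e. it can no longer be claimed.
    function isBaseLocked() external view returns (bool) {
        return InitializeableBeaconProxy(payable(baseProxy)).beacon() != address(0);
    }
}
```

Locking the base proxy inside the factory constructor, rather than in a later script step, means there is no block in which the base proxy exists uninitialized. A deployment checklist should still assert isBaseLocked(), and check that every clone reports the factory as its beacon, before any funds are routed through the token.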

Teller Finance deployed the fix on Jul 30, 2021 at 10:59 pm UTC.

Long Term Solutions for Vulnerability Mitigation

Teller Finance will implement more stringent controls on deployment and upgrade procedures, together with in-depth defensive programming techniques and automated tooling that verify smart contract state during deployment and whenever a public method is called.

Teller Finance and Immunefi Bug Bounty Program

Teller Finance is partnering with Immunefi to offer standing bounties for white hat hackers and to provide clear channels for vulnerability disclosure.

Bug bounties can be submitted to the Immunefi platform here.

Acknowledgments

The team at Teller Finance would like to sincerely thank Immunefi for helping to swiftly facilitate the disclosure and coordinate an effective response. Bug bounties are essential to our efforts to continue delivering the most reliable platform to our users.