Hacker Profits over $7 Million: Analysis of the Exactly Protocol Hack on the Op Chain

On August 18, 2023, according to Beosin-Eagle Eye Situational Awareness Platform, Exactly Protocol, a DeFi lending protocol on the Optimism chain, was hacked, with the hacker profiting over 7 million USD.

After the attack, Exactly Protocol stated on social media that they are trying to communicate with the attacker to return the stolen assets and have reported the incident to the police.

Three days later, on August 21, Exactly Protocol announced that the issue had been resolved and that users could perform all operations without any liquidation. For clarity, the hack only affected users who had used the peripheral contract (DebtManager). Users who did not use this contract suffered no loss, and the protocol is still operating normally.

The Beosin security team analyzed the incident immediately, and the results are as follows.

Relevant Information about the Incident

● Attacking Transactions

0x3d6367de5c191204b44b8a5cf975f257472087a9aadc59b5d744ffdef33a520e

0x1526acfb7062090bd5fed1b3821d1691c87f6c4fb294f56b5b921f0edf0cfad6

0xe8999fb57684856d637504f1f0082b69a3f7b34dd4e7597bea376c9466813585

● Attacker’s Address

0x3747dbbcb5c07786a4c59883e473a2e38f571af9

● Attacking Contracts

0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d

0x995a24c99ea2fd6c87421d516216d9bdc7fa72b4

● Attacked Contract

0x16748cb753a68329ca2117a7647aa590317ebf41

Vulnerability Analysis

Multiple market address parameters in the vulnerable contract are caller-controlled and are never validated against the protocol's list of legitimate markets. The attacker passed in a malicious market contract address, which bypassed the permit check and caused the contract to execute the attacker's deposit function, stealing users' USDC collateral and then liquidating their positions, ultimately realizing the attacker's profit.

Attack Process

Using the transaction 0x3d6367… as an example

Attack Preparation Phase:

1. The attacker created multiple malicious market contracts.

Attack Phase:

1. The attacker called the leverage function of the vulnerable contract, passing in a forged market contract address. Because the market address is not validated, the permit check was bypassed and _msgSender was set to the victim's address, setting up step 3 to steal the victim's assets.

2. The leverage function then calls the deposit function of the malicious market contract, which executes the attacker's code.

3. Inside the malicious deposit function, the attacker first creates a pool for a malicious token/USDC pair and then re-enters the crossDeleverage function of the vulnerable contract. Since both marketIn and marketOut are attacker-controlled, the V3 pool that crossDeleverage computes is the one the attacker created.

4. At this point, because _msgSender has been changed to the victim, crossDeleverage calls the swap function of the attacker's V3 pool to take a flash loan, and in the callback function uniswapV3callback transfers the victim's funds to that V3 pool.

5. The attacker removes liquidity and steals the victim's funds from the V3 pool.

6. Because the victim's collateral has been transferred away, the position now meets the liquidation conditions, and the attacker further liquidates the victim's position for additional profit.

Funds Tracking

As of the time of writing, the stolen funds have been cross-chain transferred to Ethereum through the Optimism bridge and Across Protocol.

Summary

In response to this incident, the Beosin security team suggests:

Add a whitelist for the contract addresses accepted as token or market credentials, so that callers cannot substitute malicious contracts. Beosin has audited multiple projects on the Optimism chain, such as DIPX. Beosin therefore recommends that projects engage a professional security audit firm for a comprehensive security audit before going live, to mitigate security risks.
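The unvalidated-market pattern described in the Vulnerability Analysis and the whitelist fix recommended above, as an added Solidity example that is not Exactly Protocol's code: IMarket, IAuditor.isMarketListed, the Permit struct and the _msgSenderOverride field are hypothetical simplifications of the DebtManager flow the article describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Hypothetical minimal interfaces; not Exactly Protocol's real ABI.
interface IMarket {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function deposit(uint256 assets, address receiver) external returns (uint256);
}
interface IAuditor {
    function isMarketListed(address market) external view returns (bool); // assumed lookup
}
struct Permit { address account; uint256 deadline; uint8 v; bytes32 r; bytes32 s; }

// Periphery helper in the style of the hacked DebtManager. The caller chooses the
// market, so on a forged market `permit` is whatever that contract wants it to be
// and `deposit` runs caller-supplied code while the contract acts for `p.account`.
contract LeverageVulnerable {
    address internal _msgSenderOverride;
    function leverage(IMarket market, uint256 amount, Permit calldata p) external {
        market.permit(p.account, address(this), amount, p.deadline, p.v, p.r, p.s);
        _msgSenderOverride = p.account;       // now acting on behalf of p.account
        market.deposit(amount, p.account);    // external call: re-entry point if malicious
        _msgSenderOverride = address(0);
    }
}

// Hardened version: reject any market the protocol's auditor has not listed (the
// whitelist the article recommends) and block re-entry, so a forged market can
// neither satisfy the permit step nor call back into this contract.
contract LeverageHardened {
    IAuditor public immutable auditor;
    address internal _msgSenderOverride;
    uint256 private locked = 1;
    error MarketNotListed(address market);
    error Reentrancy();
    constructor(IAuditor auditor_) { auditor = auditor_; }
    modifier nonReentrant() {
        if (locked != 1) revert Reentrancy();
        locked = 2; _; locked = 1;
    }
    function leverage(IMarket market, uint256 amount, Permit calldata p) external nonReentrant {
        // Whitelist check before any call into the caller-supplied address.
        if (!auditor.isMarketListed(address(market))) revert MarketNotListed(address(market));
        market.permit(p.account, address(this), amount, p.deadline, p.v, p.r, p.s);
        _msgSenderOverride = p.account;
        market.deposit(amount, p.account);
        _msgSenderOverride = address(0);
    }
}
```

The same listed-market check belongs on every function that takes a market parameter (the article notes marketIn and marketOut in crossDeleverage were also attacker-controlled), since a single unguarded entry point is enough to reach the override.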
