Cointime


How Was Rubic Protocol Hacked?


TL;DR

On December 25, 2022, the Rubic protocol was compromised, resulting in a loss of over $1.4 million.

Introduction to Rubic

Rubic is a cross-chain technology aggregator for users and dApps: it aggregates multiple blockchains, DEXs and bridges, and allows a wide range of assets to be exchanged.

Vulnerability Assessment

The root cause of the vulnerability is that the Rubic protocol incorrectly added the USDC token contract to its Router whitelist, which made it possible to steal USDC from users who had granted token approvals to the RubicProxy contract.

Steps

Step 1:

Rubic is a DEX cross-chain aggregator, so users of the platform swap tokens by calling a function in the RubicProxy contract.

Step 2:

During this process, the contract first checks whether the target Router address supplied by the user for the required call is included in the protocol's whitelist.

Step 3:

Once the whitelist check passes, the contract calls the user-supplied target Router, and the calldata for that call is also supplied by the user.

Step 4:

Because the USDC token contract was incorrectly added to the protocol's whitelist, any user could make the RubicProxy contract call the USDC contract with arbitrary calldata.

Step 5:

The perpetrator used this opportunity to call the USDC contract through the proxy and transfer USDC to their own address from users who had granted approvals to the RubicProxy contract.

Step 6:

One of the attack transactions carried out by the exploiter shows USDC from multiple users being transferred to the attacker's address in a single call.

Step 7:

The attacker sent 1,100 ETH worth of the stolen funds to Tornado Cash.
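The pattern described in Steps 2 through 5 can be sketched in Solidity. The following is an added example and a hypothetical reconstruction, not Rubic's source code: `VulnerableProxy` shows a whitelist-gated forwarder that lets the caller choose both the target and the full calldata, and `HardenedProxy` shows one way to close the gap. The contract names, the `isToken` registry, the `RouterAdded` event and the `swap` signature are all assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical reconstruction for illustration; not Rubic's source code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Vulnerable pattern: the whitelist is the only gate, and both the target and
// the full calldata come from the caller. If a token contract is ever added to
// the whitelist, the proxy becomes a relay that can spend every allowance that
// users have granted to it (transferFrom with an arbitrary `from`).
contract VulnerableProxy {
    address public immutable owner;
    mapping(address => bool) public routerWhitelist;

    constructor() { owner = msg.sender; }

    function addRouter(address router) external {
        require(msg.sender == owner, "not owner");
        routerWhitelist[router] = true; // nothing stops `router` from being a token
    }

    function routerCall(address router, bytes calldata data) external payable {
        require(routerWhitelist[router], "router not whitelisted");
        (bool ok, ) = router.call{value: msg.value}(data); // caller chooses `data`
        require(ok, "router call failed");
    }
}

// Hardened pattern: tokens and routers live in disjoint registries, and the
// proxy itself performs the only transferFrom, always with msg.sender as the
// source. A third party's allowance is therefore never spendable through it.
contract HardenedProxy {
    address public immutable owner;
    mapping(address => bool) public routerWhitelist;
    mapping(address => bool) public isToken;

    event RouterAdded(address indexed router);

    constructor() { owner = msg.sender; }

    function registerToken(address token) external {
        require(msg.sender == owner, "not owner");
        require(!routerWhitelist[token], "address is already a router");
        isToken[token] = true;
    }

    function addRouter(address router) external {
        require(msg.sender == owner, "not owner");
        require(!isToken[router], "token contracts are not routers");
        routerWhitelist[router] = true;
        emit RouterAdded(router); // on-chain signal worth monitoring
    }

    function swap(
        address router,
        address tokenIn,
        uint256 amountIn,
        bytes calldata data
    ) external payable {
        require(routerWhitelist[router], "router not whitelisted");
        require(isToken[tokenIn], "unknown token");
        require(!isToken[router], "router must not be a token");

        // Pull only the caller's own funds into the proxy.
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");

        // Grant the router a bounded, single-use allowance, then reset it.
        require(IERC20(tokenIn).approve(router, amountIn), "approve failed");
        (bool ok, ) = router.call{value: msg.value}(data);
        require(ok, "router call failed");
        require(IERC20(tokenIn).approve(router, 0), "allowance reset failed");
    }
}
```

The hardened contract does not make whitelisted routers trustworthy; it removes the specific failure mode on this page, a token contract reachable through the forwarder with caller-chosen calldata, and bounds what a router can take to the amount the caller deposited for that swap. Standing approvals that users grant to the proxy remain a risk whenever the proxy can be steered into calling a token, which is why the aftermath section below asks users to revoke them. From a monitoring standpoint, whitelist changes such as `RouterAdded` are the events to alert on, and an addition whose address matches a known token contract should block deployment rather than merely warn.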

Aftermath

After the incident, Rubic issued a statement confirming the hack and asked users to revoke the approvals they had granted to the contract as soon as possible. The team will undertake audits with two independent agencies in the coming weeks, and approximately 49 affected users will be compensated for their losses.

The team further issued another statement to provide a brief summary of the incident.

Solution

Smart contract audits help identify and address potential vulnerabilities, but they are not sufficient on their own to prevent a contract from being hacked. Stringent tests should also be run in simulated scenarios to find programming errors or weaknesses, so that the security and reliability of a smart contract can be assured to a greater extent. These tests should replicate the range of circumstances the contract might encounter in the real world, both anticipated and unforeseen.
