Cointime

Cointime

Download App
iOS & Android

How Was Rubic Protocol Hacked?

Validated Project

TL;DR

On December 25, 2022, the Rubic protocol was compromised, resulting in a loss of over $1.4 million.

Introduction to Rubic

Rubic is a cross-chain technology aggregator for users and dApps that aggregates various blockchains, different DEXs and bridges, and allows for the exchanging of a wide range of assets.

Vulnerability Assessment

The root cause of the vulnerability is that the Rubic protocol incorrectly added USDC tokens to the Router whitelist, resulting in the theft of USDC tokens from the users authorized to the RubicProxy contract.

Steps

Step 1:

Rubic is a DEX cross-chain aggregator, so users on their platform can swap tokens via a function call in the RubicProxy contract.

Step 2:

During this process, it will first determine whether or not the target Router of the necessary call passed in by the user is included in the protocol’s whitelist.

Step 3:

The user-supplied target Router will be called only after the whitelist check, and the calling data will also be supplied by the user.

Step 4:

As USDC tokens were incorrectly added to the whitelist of the protocol, any user could arbitrarily call USDC tokens through the RubicProxy contract.

Step 5:

The perpetrator used this opportunity to call the USDC contract through a function call, in order to transfer the USDC tokens to their address from the users who had authorized to the RubicProxy contract.

Step 6:

In here, you can view one of the attack transactions carried out by the exploiter, in which USDC tokens from multiple users have been transferred to their addresses.

Step 7:

The attacker sent 1,100 ETH worth of the stolen funds to Tornado Cash.

Aftermath

After the incident, Rubic issued a statement confirming the occurrence of the hack and requested users to revoke their access as soon as possible. The team will undertake audits with two independent agencies in the weeks to come, and approximately 49 affected users will be compensated for their loss.

The team further issued another statement to provide a brief summary of the incident.

Solution

While performing smart contract audits can assist in identifying and addressing potential vulnerabilities, they are insufficient to fully prevent a contract from being hacked. Stringent tests should also be run in simulated scenarios to find any potential programming errors or weaknesses in order to guarantee the security and dependability of a smart contract to a greater extent. These tests ought to replicate a range of circumstances and situations that the contract might experience in the real world, including both anticipated and unforeseen circumstances.

Comments

All Comments

Recommended for you

  • TrumpAI tokens on Ethereum have been RUG

    PeckShield has monitored that the TrumpAI token on the Ethereum blockchain has fallen by 100%. An address starting with 0x935A sold 5,000,000,000,000,000,000,000 TrumpAI tokens, which is about 26.57 WETH (approximately $80,000). Note: rugpull tokens have the same name as legitimate tokens.

  • South Korea’s Monetary Authority: Confirmed to include token delisting standards in the Virtual Asset User Protection Act

    The Financial Supervisory Service (FSS) of South Korea has confirmed that token delisting standards will be included in the "Best Practice for Compliance with the Virtual Asset User Protection Act" released in early June. An official from the Financial Supervisory Service stated in a conversation with Bloomberg on Tuesday that the upcoming "Best Practices for Compliance with the Virtual Asset User Protection Act" will not only include listing standards for virtual assets, but also provide guidance on whether to maintain trading of listed virtual assets. The guidance will provide a basis for cryptocurrency issuers to delist in the event of problems. The guidance will be released from the end of May to early June. Currently, the Financial Supervisory Service is developing guidelines to support self-regulation by cryptocurrency exchanges under the Virtual Asset User Protection Act before it is implemented in July. The plan proposes standards for virtual asset issuance, circulation, and trading support, prohibits the listing of virtual assets with a history of hacking attacks, and requires the release of Korean white papers and technical manuals when listing overseas virtual assets.

  • HKEX CEO: Virtual asset exchanges have become HKEX’s competitors

    On May 10th, Hong Kong Exchanges and Clearing Limited's new CEO, Nicolas Aguzin, stated in an interview with the Shanghai Securities News that HKEX faces competition not only from other securities exchanges, but also from external competitors such as virtual asset exchanges. In order to meet the rapidly evolving demands of customers and technology, HKEX must balance innovation and stable business operations, continuously expand its resources for listed companies, and improve its market services.

  • WOOFi attacker address has transferred 100 ETH to Tornado cash

    PeckShield monitoring shows that the address marked by the WOOFi attacker has transferred 100 ETH to Tornado cash. The WOOFi attacker has already transferred 2200 ETH (worth about $6.5 million) to Tornado cash.

  • Trump will hold a private dinner on the day of the court recess, inviting NFT trading card buyers to attend

    On May 10th, according to sources, former US President Donald Trump will host a dinner at his Mar-a-Lago estate on a day off, inviting NFT trading card buyers to attend. This event is part of Trump's series of non-campaign activities, aimed at balancing his White House campaign and legal disputes. After Stormy Daniels testified in Trump's trial on Tuesday, Trump expressed his desire for campaigning rather than being tied up in court. Despite no public campaign activities on Wednesday, Trump's schedule includes private political meetings.

  • Tether: Deutsche Bank’s analysis lacks clarity and substantive evidence

    According to a report on stablecoins released on May 7, Deutsche Bank analyzed 334 currencies linked to stablecoins and found that 49% of stablecoins had failed during their median lifespan of about eight to ten years. The analysts concluded that most anchored assets in the cryptocurrency field will experience significant "turbulence" caused by speculative sentiment and ultimately suffer some form of decoupling event. Deutsche Bank analysts also pointed out that Tether's reserve transparency was lacking and described the company's solvency as "doubtful".

  • Yesterday, Solana’s on-chain DEX transaction volume surpassed Ethereum, reaching $1.314 billion

    On May 10th, according to DeFiLlama data, the trading volume of Solana's DEX reached 1.314 billion US dollars yesterday, surpassing the trading volume of 1.297 billion US dollars on Ethereum's DEX.

  • US court orders seizure of 279 virtual currency accounts containing criminal proceeds from North Korean hacking

    A US court has ordered the confiscation of 279 virtual currency accounts containing proceeds from North Korean hacker crimes. US District Court Judge Timothy Kelly in Washington, DC approved the federal prosecutor's request for a summary judgment on these accounts and ordered their confiscation on May 8. This ruling means that these accounts are now under the control of the US Department of Treasury.

  • South Korea’s National Tax Service announced that it would collect 40 billion won in taxes from Bithumb users

    Bithumb has issued a preliminary notice of comprehensive income tax to some users who participated in activities held between 2018 and 2021, and announced full support for the related tax amount. The position of the National Tax Service is that rewards paid to users through various activities (including virtual assets) constitute taxable income. Bithumb does not agree with the National Tax Service's opinion, but explains that taxation is mandatory.

  • The Base ecosystem Bloom project said it has recovered 90% of the funds stolen in the attack

    On May 10th, Bloom, a decentralized derivatives exchange on the X platform, announced that they have recovered $486,000 (minus 10% for bug bounties) out of the total funds utilized ($540,000). All of these funds will be redistributed to limited partners. 10% of the bug bounty has been agreed upon in exchange for not pressing charges against those who exploited the bug. A compensation plan for limited partners affected by the bug will be completed within the next 24-48 hours. Funds are safe and there is currently no need to revoke contract access.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company