Analysis of Flash Loan Price Manipulation Attacks on the Themis Protocol

On June 28th (Beijing time), the Themis protocol was hit by a flash loan attack in which the attacker made a profit of approximately $370,000.

SharkTeam promptly conducted a technical analysis of the incident and has summarized the security measures that should be taken. It is hoped that future projects can learn from this case and collectively strengthen the security defenses of the blockchain industry.

1. Incident Analysis

Attacker address: 0xdb73eb484e7dea3785520d750eabef50a9b9ab33

Attack contracts:

0x05a1b877330c168451f081bfaf32d690ea964fca

0x33f3fb58ea0f91f4bd8612d9f477420b01023f25

Attacked contract: 0x75f805e2fb248462e7817f0230b36e9fae0280fc

Attack transaction:

0xff368294ccb3cd6e7e263526b5c820b22dea2b2fd8617119ba5c3ab8417403d8

Attack process:

(1) The attacker (0xdb73eb48) borrowed 22,000 WETH through a flash loan.

(2) The attacker then borrowed an additional 10,000 and 8,000 WETH from the UniswapV3Pool.

(3) Next, the attacker (0xdb73eb48) deposited 220 WETH and borrowed DAI, USDT, USDC, ARB, and WBTC against it.

(4) The attacker (0xdb73eb48) deposited another 220 WETH and again borrowed DAI, USDT, USDC, ARB, and WBTC against it.

(5) The attacker (0xdb73eb48) added 55 WETH to the pool and obtained 54.6 wstETH.

(6) The attacker (0xdb73eb48) called the swap function and exchanged all 39,725 WETH for 2,423 wstETH.

(7) Taking advantage of the now inflated price of wstETH, the attacker borrowed 317 WETH using only 54.6 wstETH as collateral.

Finally, the attacker (0xdb73eb48) exchanged the wstETH back to WETH, repaid the flash loan, and left with the profit.

2. Vulnerability Analysis

The essence of this attack is the manipulation, with flash-loaned funds, of the relative price of the two tokens in the pool. Because the oracle derived its price from the ratio of the pool's reserves, that ratio could be manipulated, leading to asset losses. The attacker's initial three steps involved exchanging WETH for various tokens while depositing WETH into the pool, increasing the pool's WETH balance. The crucial step was the sixth, in which over 30,000 WETH was swapped in a single transaction, severely distorting the ratio between wstETH and WETH in the pool. The distorted ratio raised the exchange rate calculated by the oracle, allowing the attacker to borrow far more WETH against a small amount of wstETH than the collateral was worth.

The oracle's calculated price rose noticeably immediately after the WETH-for-wstETH swap.

3. Security Recommendations

In light of this incident, developers should observe the following during development:

1. Thoroughly validate oracle and liquidity pool designs for potential price manipulation, in particular any price that is read directly from a single pool's reserves within one transaction.

2. Consider implementing Time-Weighted Average Price (TWAP) algorithms within oracles to calculate token prices, so that a price cannot be moved by a single flash-loan transaction.

3. Prior to deployment, seek technical assistance from professional third-party auditing teams.
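To make the difference between a reserve-ratio spot oracle and a TWAP oracle concrete, the following Python simulation is added here as an illustration; it is not SharkTeam's analysis code nor any Themis or Uniswap contract. It models a toy constant-product WETH/wstETH pool, reads its price through both oracle styles during a block in which one very large swap precedes a borrow against wstETH, and applies the borrow-limit and price-deviation checks a lending market would run. All reserve sizes, swap amounts, the 80% LTV, the 30-block window and the 5% deviation limit are constructed assumptions, not figures from the incident.

```python
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Toy x*y=k AMM holding WETH and wstETH.

    Reserve figures used below are constructed for illustration; they are
    not the real state of the Themis or Uniswap pools in the incident.
    """
    weth: float
    wsteth: float
    fee: float = 0.003  # 0.3% swap fee, as in a Uniswap V2-style pool

    def spot_price(self) -> float:
        """WETH per wstETH implied by current reserves: what a naive
        reserve-ratio oracle reports."""
        return self.weth / self.wsteth

    def swap_weth_for_wsteth(self, weth_in: float) -> float:
        """Sell WETH into the pool; returns the wstETH paid out."""
        if weth_in <= 0:
            raise ValueError("swap amount must be positive")
        effective_in = weth_in * (1.0 - self.fee)
        wsteth_out = self.wsteth * effective_in / (self.weth + effective_in)
        self.weth += weth_in
        self.wsteth -= wsteth_out
        return wsteth_out


class TwapOracle:
    """Records the pool's spot price once per block, before that block's
    trades execute, and averages the most recent `window` records.

    This mirrors the key property of a cumulative-price (Uniswap V2-style)
    TWAP: a swap made in the current block cannot change the price the
    oracle returns in that same block, so one flash-loan transaction
    cannot move it.
    """

    def __init__(self, window: int):
        if window < 1:
            raise ValueError("window must be at least one block")
        self.window = window
        self.prices = []  # one spot-price record per block

    def begin_block(self, pool: ConstantProductPool) -> None:
        self.prices.append(pool.spot_price())

    def consult(self) -> float:
        if not self.prices:
            raise RuntimeError("no observations yet")
        recent = self.prices[-self.window:]
        return sum(recent) / len(recent)


def max_borrow_weth(collateral_wsteth: float, price_weth_per_wsteth: float,
                    ltv: float = 0.80) -> float:
    """Borrow limit a lending market grants for wstETH collateral at the
    given oracle price; the 80% loan-to-value ratio is an assumption."""
    return collateral_wsteth * price_weth_per_wsteth * ltv


def deviation_exceeds(spot: float, reference: float, limit: float) -> bool:
    """Circuit-breaker check: True when the spot price sits more than
    `limit` (a fraction, e.g. 0.05 for 5%) away from the reference price."""
    return abs(spot - reference) / reference > limit


def simulate(window: int = 30, quiet_blocks: int = 30,
             big_swap_weth: float = 30_000.0,
             collateral_wsteth: float = 54.6) -> dict:
    """Replay the shape of the incident: quiet blocks, then one block in
    which a very large WETH->wstETH swap precedes a borrow against wstETH."""
    pool = ConstantProductPool(weth=3_300.0, wsteth=3_000.0)  # ~1.10 WETH/wstETH
    twap = TwapOracle(window)
    for _ in range(quiet_blocks):
        twap.begin_block(pool)  # no trades: recorded price stays at 1.10

    twap.begin_block(pool)  # manipulation block starts; price recorded before the swap
    pool.swap_weth_for_wsteth(big_swap_weth)
    spot = pool.spot_price()
    twap_price = twap.consult()
    return {
        "spot_price": spot,
        "twap_price": twap_price,
        "borrow_with_spot": max_borrow_weth(collateral_wsteth, spot),
        "borrow_with_twap": max_borrow_weth(collateral_wsteth, twap_price),
        "spot_rejected": deviation_exceeds(spot, twap_price, limit=0.05),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>18}: {value}")
```

With the constructed reserves, the single swap pushes the spot price from about 1.1 to over 100 WETH per wstETH, so a spot-oracle market would lend thousands of WETH against 54.6 wstETH, while the TWAP still reports 1.1 and the deviation check rejects the spot reading outright. A TWAP only prevents single-block manipulation; holding a distorted price across many blocks is more expensive but still possible on thin pools, which is why the deviation check against a second reference (a TWAP or an independent price feed) is worth keeping as an additional guard.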
