Analysis of the Sonne Finance Attack

Intermediate6/13/2024, 12:35:30 AM
The essence of this attack lies in the creation of the market (soToken), where the attacker performed the first collateral minting operation with a small amount of the underlying token, resulting in a very small "totalSupply" value for the soToken.

On May 15, 2024, Sonne Finance suffered an attack on the Optimism chain, resulting in losses of up to $20 million. After the attack, Twitter user @tonyke_bot tweeted that they protected the remaining $6.5 million in Sonne Finance’s collateral pool (also known as the market, similar to cToken in Compound) with about $100.


https://twitter.com/tonyke_bot/status/1790547461611860182)

Upon discovering the attack, the Sonne Finance team quickly paused all markets on Optimism and stated that the markets on Base were secure.

https://twitter.com/SonneFinance/status/1790535383005966554)

Attack brief description

Sonne Finance is a decentralized lending protocol that forks Compound V2 on Optimism, providing individuals, institutions, and protocols with access to financial services. The Sonne Finance protocol aggregates users’ token assets to form a lending liquidity pool, providing users with a bank-like lending business. Like Compound, protocol participants can mortgage their tokens into Sonne Finance’s lending liquidity pool and obtain the certificate soToken (same as cToken). SoToken is an interest-bearing asset certificate, which will generate a certain amount of income as the block progresses, and will also receive SONE token incentives. Participants can also borrow other tokens from the Sonne lending asset pool with the soToken in their hands. For example, participants can mortgage a certain amount of USDC to obtain soUSDC certificates, and then lend out WETH for further circulation. Mortgage lending in the Sonne Finance protocol can be a many-to-many asset relationship. During the mortgage lending process, the protocol will automatically calculate the health factor (Health Factor) of the participant’s address. When the health factor is lower than 1, the mortgage of the address Products will support liquidation, and liquidators can also receive certain liquidation rewards.

The relationship between the number of underlying tokens deposited by users and the minted soTokens is mainly related to a variable called exchangeRate. This variable can be roughly used to indicate how much underlying token each soToken is worth. The calculation formula for exchangeRate is as follows:

In the above formula, totalCash refers to the number of underlying tokens held by soToken, totalBorrows refers to the number of underlying tokens lent out in a certain market, totalReserves refers to the total reserve amount (including the interest paid by the borrower), totalSupply Refers to the number of soToken minted.

When redeeming, users can specify the number of underlying tokens they want to redeem, redeemAmount, to calculate the number of soTokens that need to be destroyed, redeemTokens. The calculation method is roughly “redeemTokens = redeemAmount / exchangeRat”. Note that there is no accuracy loss here. deal with.

The essence of this attack is that when the market (soToken) was created, the attacker performed the first mortgage casting operation and minted very few soTokens with a small amount of underlying tokens, resulting in the “totalSupply” value of soToken being too small. The attacker then exploited the vulnerability of Solidity contract precision loss, and then sent the underlying token directly to the soToken contract (soToken will not be minted, which means “totalSupply” remains unchanged and “totalCash” becomes larger) instead of staking + casting method to deposit the underlying token. Such an operation makes the “totalCash” variable in the contract become larger, but “totalSupply” remains unchanged, causing exchangeRate to become larger. In the end, when the attacker redeems the underlying token, the soToken that needs to be destroyed is less than the soToken minted during the mortgage. The attacker uses the earned soToken to lend the underlying token WETH and USDC to other soTokens (such as soWETH, soUSDC), and finally obtains Profits were as high as US$20 million.

Key addresses involved in the attack

Attack Preparation Transactions:

https://optimistic.etherscan.io/tx/0x45c0ccfd3ca1b4a937feebcb0f5a166c409c9e403070808835d41da40732db96

Attack Profitable Transactions:

https://optimistic.etherscan.io/tx/0x9312ae377d7ebdf3c7c3a86f80514878deb5df51aad38b6191d55db53e42b7f0

Attack EOA related addresses:

0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb

0xae4a7cde7c99fb98b0d5fa414aa40f0300531f43

Attacker (contract) related address:

0xa78aefd483ce3919c0ad55c8a2e5c97cbac1caf8

0x02fa2625825917e9b1f8346a465de1bbc150c5b9

underlying token(VELO Token V2):

0x9560e827af36c94d2ac33a39bce1fe78631088db

Vulnerability contract (soVELO, similar to Compound’s cToken):

0xe3b81318b1b6776f0877c3770afddff97b9f5fe5

@tonyke_bot User Rescue Transaction on X:

https://optimistic.etherscan.io/tx/0x816f9e289d8b9dee9a94086c200c0470c6456603c967f82ab559a5931fd181c2

Attack process analysis

Recap

The Sonne Finance project team recently passed a proposal to add the VELO market to Sonne Finance (https://twitter.com/SonneFinance/status/1786871066075206044), and arranged five transactions through the multi-signature wallet to be executed two days later ( https://optimistic.etherscan.io/tx/0x18ebeb958b50579ce76528ed812025949dfcff8c2673eb0c8bc78b12ba6377b7), these five transactions are used to create the VELO market (soVELO contract) and set some key configurations of the market, such as setting the interest rate model, setting the price oracle, and setting the mortgage factors etc. After the VELO market is created, users can deposit VELO tokens to mint soVELO tokens, which can in turn be used to borrow other soTokens.

attack preparation

The attack preparation stage is mainly for the attacker to create a VELO market (soVELO contract) based on the information in the Sonne Finance project proposal after the two-day lock-in period of the proposal has expired, set up key configurations, and mint VELO tokens into the soVELO contract by mortgaging them. soVELO tokens, and also sends the VELO tokens it holds directly to the soVELO contract to increase the exchangeRate and prepare for profit from subsequent attacks.

Specific steps are as follows:

  1. After the two-day lock-in period ends, the attacker first packages the operations of the first four transactions arranged in the proposal into one transaction (transaction 0x45c0cc), which is used to create the VELO market (soVELO contract) and set the key configuration. When VELO market is initialized, exchangeRate is set to “200,000,000,000,000,000,000,000,000”.

  2. The attacker calls the “mint” function of the soVELO contract to deposit VELO tokens and mint soVELO tokens. The attacker specifies “mintAmount” as “400,000,001” (the number of VELO tokens). As can be seen from the function “exchangeRateStoredInternal”, since the “_totalSuppl” of soVELO token is 0 at this time, exchangeRate is the value set in step 1. According to the formula “ mintTokens = actualMintAmount / exchangeRate “, the calculated number of soVELO tokens that should be minted at this time is 2. In short, in this step, the attacker deposits VELO tokens with a value of “400,000,001” into the soVELO contract, and the attacker obtains soVELO tokens with a value of 2.

soVELO.mint:

  1. The attacker sent VELO tokens with a value of “2,552,964,259,704,265,837,526” to the soVELO contract by directly sending VELO tokens to the soVELO contract. At this time, the number of VELO tokens held by the soVELO contract increased, but since there were no new soVELO tokens The coin is minted, so totalSupply remains unchanged, which means that the exchangeRate calculated according to the exchangeRate calculation formula will become larger at this time.

  2. The attacker transferred the soVELO tokens held multiple times, and finally transferred them to another attack EOA 0xae4a.

Attack for profit

The attack profit phase mainly involves the attacker executing the fifth transaction of the proposal and lending VELO tokens directly to the soVELO contract through flash loans to further increase the exchangeRate. Then the attacker uses the soVELO token with a value of 2 in his hand to borrow underlying tokens such as WETH and USDC from other soToken (such as soWETH, soUSDC, etc.) contracts, and these parts become the attacker’s profit. Then the attacker went to redeem his underlying token in the soVELO contract. Due to the increase in exchangeRate and the loss of accuracy in calculating the soVELO tokens that need to be destroyed for redemption, the attacker ultimately only used the soVELO token with a value of 1. Almost all the previously deposited VELO tokens were redeemed, which can be understood as the attacker using the extra soVELO tokens with a value of 1 to earn underlying tokens such as WETH and USDC by borrowing from other soTokens. The attacker used the same technique to repeat the attack many times and ultimately made huge profits.

Specific steps are as follows:

  1. The attacker executes the fifth transaction in the proposal and sets the lending factor specified in the proposal.

  2. The attacker flash-loans VELO tokens with a value of “35,469,150,965,253,049,864,450,449” from the VolatileV2 AMM - USDC/VELO pool, which triggers the attacker’s hook function. In the hook function, the attacker continues to perform the attack operation.

  3. The attacker sends the VELO tokens he holds to the soVELO contract to further increase the exchangeRate. Currently, there are a total of VELO tokens with a value of “35,471,703,929,512,754,530,287,976” in the soVELO contract (the sum of VELO tokens transferred in three times by the attacker).

  4. The attacker creates a new contract 0xa16388a6210545b27f669d5189648c1722300b8b. In the constructor, he transfers the 2 soVELO tokens he holds to the newly created contract 0xa163 (hereinafter referred to as the attacker 0xa163).

  5. The attacker 0xa163 used the soVELO tokens he held to borrow WETH with a value of “265,842,857,910,985,546,929” from soWETH.

  6. Attacker 0xa163 calls soVELO’s “redeemUnderlying” function, specifying the value of redeemed VELO tokens as “35,471,603,929,512,754,530,287,976” (almost the number of VELO tokens that the attacker has previously transferred or mortgaged into the soVELO contract). At this time, it is necessary to The formula “redeemTokens = redeemAmountIn / exchangeRate” is used to calculate the number of soVELO tokens that need to be destroyed for redemption.

As can be seen from the “exchangeRateStoredInternal” function, since _totalSupply is 2 instead of 0, the value of exchangeRate needs to be calculated. According to the formula “exchangeRate = (totalCash + totalBorrows - totalReserves) / totalSupply”, the current exchangeRate is “17,735,851,964,756,377,265,143,988,000,0 00,000,000,000,000 “, this value is much larger than the initial exchangeRate set “200,000,000,000,000,000,000,000,00”.

The value of “ redeemTokens “ calculated based on the new exchangeRate is “ 1.99 “. Due to the downward rounding characteristics of Solidity, the value of “ redeemTokens “ ends up being 1. This means that the attacker 0xa163 used soVELO tokens with a value of 1 to redeem almost all the VELO tokens previously deposited. At the same time, the attacker 0xa163 also earned WETH with a value of “265,842,857,910,985,546,929” borrowed from soWETH.

soVELO.redeemUnderlying:

soVELO.exchangeRateStoredInternal:

  1. The attacker 0xa163 transferred all the borrowed WETH and redeemed VELO tokens to the upper-level attacker, and then self-destructed.

  2. The attacker calls the “liquidateBorrow” function of soWETH to liquidate some of the assets borrowed from the newly created contract 0xa163 in order to get back the locked soVELO token with a value of 1. Currently the attacker only holds soVELO tokens with a value of 1.

  3. The attacker calls the “mint” function of soVELO and once again mortgages and mints soVELO tokens with the purpose of gathering enough soVELO tokens with a value of 2, and then performs steps 3-8 above again to profit from other undeylying tokens.

  4. The attacker performs the operation in step 9 several times, repays the flash loan, and leaves the market with a profit.

How $100 leverages $6.5 million

After the attack, user @tonyke_bot on X minted 0.00000011 soVELO by staking 1144 VELO tokens into the soVELO contract in transaction 0x0a284cd. The reason why this operation can prevent the attacker from further attacks is because this transaction changes the size of totalSupply in soVELO and the number of VELO tokens totalCash held, and the impact of the growth of totalSupply on the calculation of exchangeRate is greater than the impact of the growth of totalCash. Therefore, the exchangeRate becomes smaller, causing the attacker to no longer be able to use the loss of accuracy to earn soVELO when conducting an attack, making the attack no longer possible.

Money tracking

The attacker transferred the funds shortly after grabbing the illegal proceeds. Most of the funds were transferred to the following four addresses. Some were to change addresses to continue the attack, and some were for money laundering:

1、0x4ab93fc50b82d4dc457db85888dfdae28d29b98d

The attacker transferred 198 WETH to this address, and then the address used the same attack method to obtain illegal gains in the following transactions:

After the attack, the address transferred the above-mentioned illegal gains to 0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb.

2、0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb

The attacker transferred 724277 USDC and 2353 VELO to this address, and exchanged USDC for Ether. Then some funds were immediately transferred to the Stargate cross-chain bridge.Most of the illicit funds remain at this address:

3、0xbd18100a168321701955e348f03d0df4f517c13b

The attacker transferred 33 WETH to this address and used peel chain to try to launder money. The money laundering link is as follows:

0xbd18100a168321701955e348f03d0df4f517c13b -> 0x7e97b74252b6df53caf386fb4c54d4fb59cb6928 -> 0xc521bde5e53f537ff208970152b75a003 093c2b4 -> 0x9f09ec563222fe52712dc413d0b7b66cb5c7c795。

4、0x4fac0651bcc837bf889f6a7d79c1908419fe1770

The attacker transferred 563 WETH to this address and subsequently to 0x1915F77A116dcE7E9b8F4C4E43CDF81e2aCf9C68, with no further action so far.

The attacker’s method of money laundering this time is relatively professional, and the methods show a trend of diversity. Therefore, for us Web3 participants, we must continue to improve our anti-money laundering capabilities in terms of security, and improve the security of Defi projects through KYT, AML and other related blockchain transaction security products.

Security advice

1、Keep up to date with contract auditing and testing.Conduct a comprehensive audit before smart contract deployment, paying special attention to all parts involving financial calculations. First, use automated testing and take advantage of real-time updates of vulnerability libraries to conduct efficient contract security scans (the industry has also gradually open sourced some mature security audit tools ,include ZAN AI SCAN), while combining manual auditing to troubleshoot issues that require in-depth industry know how.

2、The loss of accuracy needs to be taken seriously. Security issues caused by accuracy loss are endless, especially in Defi projects, where accuracy loss often leads to serious financial losses. It is recommended that project parties and security auditors carefully review the codes with accuracy loss in the project and conduct tests to avoid this vulnerability as much as possible.

  1. It is recommended that the creation of a market similar to cToken in Compound and the first mortgage casting operation be performed by privileged users to avoid being manipulated by attackers and thereby manipulate the exchange rate.

  2. When there are key variables in the contract that depend on the value of “ this.balance “ or “ token.balanceOf() “, you need to carefully consider the conditions for the change of the key variable, such as whether it is allowed to directly transfer native currency or tokens to the contract. method to change the value of the variable, or can the value of the variable only be changed by calling a specific function.

Disclaimer:

  1. This article is reprinted from [ZAN]. All copyrights belong to the original author [ZAN]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.

Analysis of the Sonne Finance Attack

Intermediate6/13/2024, 12:35:30 AM
The essence of this attack lies in the creation of the market (soToken), where the attacker performed the first collateral minting operation with a small amount of the underlying token, resulting in a very small "totalSupply" value for the soToken.

On May 15, 2024, Sonne Finance suffered an attack on the Optimism chain, resulting in losses of up to $20 million. After the attack, Twitter user @tonyke_bot tweeted that they protected the remaining $6.5 million in Sonne Finance’s collateral pool (also known as the market, similar to cToken in Compound) with about $100.


https://twitter.com/tonyke_bot/status/1790547461611860182)

Upon discovering the attack, the Sonne Finance team quickly paused all markets on Optimism and stated that the markets on Base were secure.

https://twitter.com/SonneFinance/status/1790535383005966554)

Attack brief description

Sonne Finance is a decentralized lending protocol that forks Compound V2 on Optimism, providing individuals, institutions, and protocols with access to financial services. The Sonne Finance protocol aggregates users’ token assets to form a lending liquidity pool, providing users with a bank-like lending business. Like Compound, protocol participants can mortgage their tokens into Sonne Finance’s lending liquidity pool and obtain the certificate soToken (same as cToken). SoToken is an interest-bearing asset certificate, which will generate a certain amount of income as the block progresses, and will also receive SONE token incentives. Participants can also borrow other tokens from the Sonne lending asset pool with the soToken in their hands. For example, participants can mortgage a certain amount of USDC to obtain soUSDC certificates, and then lend out WETH for further circulation. Mortgage lending in the Sonne Finance protocol can be a many-to-many asset relationship. During the mortgage lending process, the protocol will automatically calculate the health factor (Health Factor) of the participant’s address. When the health factor is lower than 1, the mortgage of the address Products will support liquidation, and liquidators can also receive certain liquidation rewards.

The relationship between the number of underlying tokens deposited by users and the minted soTokens is mainly related to a variable called exchangeRate. This variable can be roughly used to indicate how much underlying token each soToken is worth. The calculation formula for exchangeRate is as follows:

In the above formula, totalCash refers to the number of underlying tokens held by soToken, totalBorrows refers to the number of underlying tokens lent out in a certain market, totalReserves refers to the total reserve amount (including the interest paid by the borrower), totalSupply Refers to the number of soToken minted.

When redeeming, users can specify the number of underlying tokens they want to redeem, redeemAmount, to calculate the number of soTokens that need to be destroyed, redeemTokens. The calculation method is roughly “redeemTokens = redeemAmount / exchangeRat”. Note that there is no accuracy loss here. deal with.

The essence of this attack is that when the market (soToken) was created, the attacker performed the first mortgage casting operation and minted very few soTokens with a small amount of underlying tokens, resulting in the “totalSupply” value of soToken being too small. The attacker then exploited the vulnerability of Solidity contract precision loss, and then sent the underlying token directly to the soToken contract (soToken will not be minted, which means “totalSupply” remains unchanged and “totalCash” becomes larger) instead of staking + casting method to deposit the underlying token. Such an operation makes the “totalCash” variable in the contract become larger, but “totalSupply” remains unchanged, causing exchangeRate to become larger. In the end, when the attacker redeems the underlying token, the soToken that needs to be destroyed is less than the soToken minted during the mortgage. The attacker uses the earned soToken to lend the underlying token WETH and USDC to other soTokens (such as soWETH, soUSDC), and finally obtains Profits were as high as US$20 million.

Key addresses involved in the attack

Attack Preparation Transactions:

https://optimistic.etherscan.io/tx/0x45c0ccfd3ca1b4a937feebcb0f5a166c409c9e403070808835d41da40732db96

Attack Profitable Transactions:

https://optimistic.etherscan.io/tx/0x9312ae377d7ebdf3c7c3a86f80514878deb5df51aad38b6191d55db53e42b7f0

Attack EOA related addresses:

0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb

0xae4a7cde7c99fb98b0d5fa414aa40f0300531f43

Attacker (contract) related address:

0xa78aefd483ce3919c0ad55c8a2e5c97cbac1caf8

0x02fa2625825917e9b1f8346a465de1bbc150c5b9

underlying token(VELO Token V2):

0x9560e827af36c94d2ac33a39bce1fe78631088db

Vulnerability contract (soVELO, similar to Compound’s cToken):

0xe3b81318b1b6776f0877c3770afddff97b9f5fe5

@tonyke_bot User Rescue Transaction on X:

https://optimistic.etherscan.io/tx/0x816f9e289d8b9dee9a94086c200c0470c6456603c967f82ab559a5931fd181c2

Attack process analysis

Recap

The Sonne Finance project team recently passed a proposal to add the VELO market to Sonne Finance (https://twitter.com/SonneFinance/status/1786871066075206044), and arranged five transactions through the multi-signature wallet to be executed two days later ( https://optimistic.etherscan.io/tx/0x18ebeb958b50579ce76528ed812025949dfcff8c2673eb0c8bc78b12ba6377b7), these five transactions are used to create the VELO market (soVELO contract) and set some key configurations of the market, such as setting the interest rate model, setting the price oracle, and setting the mortgage factors etc. After the VELO market is created, users can deposit VELO tokens to mint soVELO tokens, which can in turn be used to borrow other soTokens.

attack preparation

The attack preparation stage is mainly for the attacker to create a VELO market (soVELO contract) based on the information in the Sonne Finance project proposal after the two-day lock-in period of the proposal has expired, set up key configurations, and mint VELO tokens into the soVELO contract by mortgaging them. soVELO tokens, and also sends the VELO tokens it holds directly to the soVELO contract to increase the exchangeRate and prepare for profit from subsequent attacks.

Specific steps are as follows:

  1. After the two-day lock-in period ends, the attacker first packages the operations of the first four transactions arranged in the proposal into one transaction (transaction 0x45c0cc), which is used to create the VELO market (soVELO contract) and set the key configuration. When VELO market is initialized, exchangeRate is set to “200,000,000,000,000,000,000,000,000”.

  2. The attacker calls the “mint” function of the soVELO contract to deposit VELO tokens and mint soVELO tokens. The attacker specifies “mintAmount” as “400,000,001” (the number of VELO tokens). As can be seen from the function “exchangeRateStoredInternal”, since the “_totalSuppl” of soVELO token is 0 at this time, exchangeRate is the value set in step 1. According to the formula “ mintTokens = actualMintAmount / exchangeRate “, the calculated number of soVELO tokens that should be minted at this time is 2. In short, in this step, the attacker deposits VELO tokens with a value of “400,000,001” into the soVELO contract, and the attacker obtains soVELO tokens with a value of 2.

soVELO.mint:

  1. The attacker sent VELO tokens with a value of “2,552,964,259,704,265,837,526” to the soVELO contract by directly sending VELO tokens to the soVELO contract. At this time, the number of VELO tokens held by the soVELO contract increased, but since there were no new soVELO tokens The coin is minted, so totalSupply remains unchanged, which means that the exchangeRate calculated according to the exchangeRate calculation formula will become larger at this time.

  2. The attacker transferred the soVELO tokens held multiple times, and finally transferred them to another attack EOA 0xae4a.

Attack for profit

The attack profit phase mainly involves the attacker executing the fifth transaction of the proposal and lending VELO tokens directly to the soVELO contract through flash loans to further increase the exchangeRate. Then the attacker uses the soVELO token with a value of 2 in his hand to borrow underlying tokens such as WETH and USDC from other soToken (such as soWETH, soUSDC, etc.) contracts, and these parts become the attacker’s profit. Then the attacker went to redeem his underlying token in the soVELO contract. Due to the increase in exchangeRate and the loss of accuracy in calculating the soVELO tokens that need to be destroyed for redemption, the attacker ultimately only used the soVELO token with a value of 1. Almost all the previously deposited VELO tokens were redeemed, which can be understood as the attacker using the extra soVELO tokens with a value of 1 to earn underlying tokens such as WETH and USDC by borrowing from other soTokens. The attacker used the same technique to repeat the attack many times and ultimately made huge profits.

Specific steps are as follows:

  1. The attacker executes the fifth transaction in the proposal and sets the lending factor specified in the proposal.

  2. The attacker flash-loans VELO tokens with a value of “35,469,150,965,253,049,864,450,449” from the VolatileV2 AMM - USDC/VELO pool, which triggers the attacker’s hook function. In the hook function, the attacker continues to perform the attack operation.

  3. The attacker sends the VELO tokens he holds to the soVELO contract to further increase the exchangeRate. Currently, there are a total of VELO tokens with a value of “35,471,703,929,512,754,530,287,976” in the soVELO contract (the sum of VELO tokens transferred in three times by the attacker).

  4. The attacker creates a new contract 0xa16388a6210545b27f669d5189648c1722300b8b. In the constructor, he transfers the 2 soVELO tokens he holds to the newly created contract 0xa163 (hereinafter referred to as the attacker 0xa163).

  5. The attacker 0xa163 used the soVELO tokens he held to borrow WETH with a value of “265,842,857,910,985,546,929” from soWETH.

  6. Attacker 0xa163 calls soVELO’s “redeemUnderlying” function, specifying the value of redeemed VELO tokens as “35,471,603,929,512,754,530,287,976” (almost the number of VELO tokens that the attacker has previously transferred or mortgaged into the soVELO contract). At this time, it is necessary to The formula “redeemTokens = redeemAmountIn / exchangeRate” is used to calculate the number of soVELO tokens that need to be destroyed for redemption.

As can be seen from the “exchangeRateStoredInternal” function, since _totalSupply is 2 instead of 0, the value of exchangeRate needs to be calculated. According to the formula “exchangeRate = (totalCash + totalBorrows - totalReserves) / totalSupply”, the current exchangeRate is “17,735,851,964,756,377,265,143,988,000,0 00,000,000,000,000 “, this value is much larger than the initial exchangeRate set “200,000,000,000,000,000,000,000,00”.

The value of “ redeemTokens “ calculated based on the new exchangeRate is “ 1.99 “. Due to the downward rounding characteristics of Solidity, the value of “ redeemTokens “ ends up being 1. This means that the attacker 0xa163 used soVELO tokens with a value of 1 to redeem almost all the VELO tokens previously deposited. At the same time, the attacker 0xa163 also earned WETH with a value of “265,842,857,910,985,546,929” borrowed from soWETH.

soVELO.redeemUnderlying:

soVELO.exchangeRateStoredInternal:

  1. The attacker 0xa163 transferred all the borrowed WETH and redeemed VELO tokens to the upper-level attacker, and then self-destructed.

  2. The attacker calls the “liquidateBorrow” function of soWETH to liquidate some of the assets borrowed from the newly created contract 0xa163 in order to get back the locked soVELO token with a value of 1. Currently the attacker only holds soVELO tokens with a value of 1.

  3. The attacker calls the “mint” function of soVELO and once again mortgages and mints soVELO tokens with the purpose of gathering enough soVELO tokens with a value of 2, and then performs steps 3-8 above again to profit from other undeylying tokens.

  4. The attacker performs the operation in step 9 several times, repays the flash loan, and leaves the market with a profit.

How $100 leverages $6.5 million

After the attack, user @tonyke_bot on X minted 0.00000011 soVELO by staking 1144 VELO tokens into the soVELO contract in transaction 0x0a284cd. The reason why this operation can prevent the attacker from further attacks is because this transaction changes the size of totalSupply in soVELO and the number of VELO tokens totalCash held, and the impact of the growth of totalSupply on the calculation of exchangeRate is greater than the impact of the growth of totalCash. Therefore, the exchangeRate becomes smaller, causing the attacker to no longer be able to use the loss of accuracy to earn soVELO when conducting an attack, making the attack no longer possible.

Money tracking

The attacker transferred the funds shortly after grabbing the illegal proceeds. Most of the funds were transferred to the following four addresses. Some were to change addresses to continue the attack, and some were for money laundering:

1、0x4ab93fc50b82d4dc457db85888dfdae28d29b98d

The attacker transferred 198 WETH to this address, and then the address used the same attack method to obtain illegal gains in the following transactions:

After the attack, the address transferred the above-mentioned illegal gains to 0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb.

2、0x5d0d99e9886581ff8fcb01f35804317f5ed80bbb

The attacker transferred 724277 USDC and 2353 VELO to this address, and exchanged USDC for Ether. Then some funds were immediately transferred to the Stargate cross-chain bridge.Most of the illicit funds remain at this address:

3、0xbd18100a168321701955e348f03d0df4f517c13b

The attacker transferred 33 WETH to this address and used peel chain to try to launder money. The money laundering link is as follows:

0xbd18100a168321701955e348f03d0df4f517c13b -> 0x7e97b74252b6df53caf386fb4c54d4fb59cb6928 -> 0xc521bde5e53f537ff208970152b75a003 093c2b4 -> 0x9f09ec563222fe52712dc413d0b7b66cb5c7c795。

4、0x4fac0651bcc837bf889f6a7d79c1908419fe1770

The attacker transferred 563 WETH to this address and subsequently to 0x1915F77A116dcE7E9b8F4C4E43CDF81e2aCf9C68, with no further action so far.

The attacker’s method of money laundering this time is relatively professional, and the methods show a trend of diversity. Therefore, for us Web3 participants, we must continue to improve our anti-money laundering capabilities in terms of security, and improve the security of Defi projects through KYT, AML and other related blockchain transaction security products.

Security advice

1、Keep up to date with contract auditing and testing.Conduct a comprehensive audit before smart contract deployment, paying special attention to all parts involving financial calculations. First, use automated testing and take advantage of real-time updates of vulnerability libraries to conduct efficient contract security scans (the industry has also gradually open sourced some mature security audit tools ,include ZAN AI SCAN), while combining manual auditing to troubleshoot issues that require in-depth industry know how.

2、The loss of accuracy needs to be taken seriously. Security issues caused by accuracy loss are endless, especially in Defi projects, where accuracy loss often leads to serious financial losses. It is recommended that project parties and security auditors carefully review the codes with accuracy loss in the project and conduct tests to avoid this vulnerability as much as possible.

  1. It is recommended that the creation of a market similar to cToken in Compound and the first mortgage casting operation be performed by privileged users to avoid being manipulated by attackers and thereby manipulate the exchange rate.

  2. When there are key variables in the contract that depend on the value of “ this.balance “ or “ token.balanceOf() “, you need to carefully consider the conditions for the change of the key variable, such as whether it is allowed to directly transfer native currency or tokens to the contract. method to change the value of the variable, or can the value of the variable only be changed by calling a specific function.

Disclaimer:

  1. This article is reprinted from [ZAN]. All copyrights belong to the original author [ZAN]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
Start Now
Sign up and get a
$100
Voucher!