We found that the hacker targeted a code section that was out-of-scope for the audit contest.
Here’s a comparison:
This is the Dispatcher.sol from the April audit
And this is the Dispatcher.sol where the hack has happened. Notice the difference?
As you can see, the Commands.KYBER_SWAP is not there in the scope of the audit contest codebase and it became an entry point for the attack🚫
Vyper just leveled up by joining the Ethereum Foundation’s bounty program! This is a great opportunity for developers to sharpen their security, something we always value in smart contract audits.
Scams in crypto are real. Don't fall for unverified projects or too-good-to-be-true offers. Secure your wallet, enable multi-factor authentication, and stay informed to protect yourself. https://t.co/nPkjRqFO0f
@DavidPereDotBtc well, the runtime frameworks of Bitcoin and Solana prevent reentrancy, not languages themselves. they are just tools
and YES, reentrancy is the root of all evil
@KupiaSecurity security is achieved through iterations
audit original, then forks
audit base code, then updated parts
every update - not only code updates, but also configuration changes by governance actions - should go through security check
🔍 Inside Our Audit Process: Uncovering a Hidden Vulnerability in Curve
Learn how our lead security researcher @malicator discovered a flaw in Curve Finance during an audit back in November 2023.
This vulnerability could have unbalanced the pools by moving funds to the fee collector, potentially harming the protocol's reputation and affecting the price of CRV tokens. Let's dive into what happened and how it was fixed! 🚨👇
📚 Behind the Scene
Curve is a leading DeFi protocol with numerous Solidity-based forks such as Geode Finance, Ellipsis, and LeetSwap. These forks often inherit the strengths and weaknesses of the original protocol.
During a routine assessment, @malicator discovered that Geode Finance, which uses the ERC1155 token gAVAX, had a weak spot in its withdrawAdminFees function
🐛The Exploit
The core of this bug was a reentrancy flaw. The withdrawAdminFees function did not have proper reentrancy locks, making it vulnerable to manipulation during token transfers. This could allow attackers to disrupt token balances and potentially drain the pool.
🧩 Step-by-Step Exploitation
The attack relies on carefully crafted steps involving liquidity manipulation:
1. Prepare Tokens: Deposit one-sided liquidity using the add_liquidity function.
2. Remove Liquidity: Use remove_liquidity_imbalance, specifying a minimum ETH withdrawal amount (e.g., 1 wei) to trigger the fallback function.
3. Trigger Reentrancy: Within the fallback function (receive), call withdrawAdminFees.
This exploit takes advantage of missing re-entrancy locks in the withdrawAdminFees function, temporarily disrupting the pool balance. It reduces the pool's token balance while causing little loss to the attacker (swap fee + add/remove liquidity rounding).
You can see that the balance has become lower than the balance state variable.
💥 Potential Impact
This vulnerability could cause temporary but severe disruptions in token accounting within the pool. If used in conjunction with flash loans, the exploit could magnify the impact, allowing attackers to funnel significant amounts of tokens to the fee collector, putting user funds at risk.
🛠️ How To Fixed It
Immediate steps were taken to secure the vulnerable pools:
- Enhanced Security: Reentrancy checks were added to key functions handling ETH and token transfers.
- Permanent Fixes: Governance votes approved additional protections, to ensure functions such as withdrawAdminFees are no longer exploitable.
These fixes restore the security of user funds and strengthen Curve's defenses against similar attacks.
Our lead audit researcher also shared insights on this issue in his thread, providing additional context on the vulnerability. Kudos to our security researchers who work tirelessly to uncover these hidden threats! 🛡️
Check out @malicator insight here:
https://t.co/PxvSeW707u
@KupiaSecurity@HackenProof nice joke, haha
we first identify valuable parts of the target
where money is stored, tokens minted is important cos our goal is to protect value
Can we do a bit of bragging here?
We have nailed several public contests held by platforms like @sherlockdefi & @code4rena.
Resting is not in our vocabulary. We keep grinding and grinding in every single contest we have participated in.
Dear founders, teams & project leads:
Here’s 3 reasons why you should choose @KupiaSecurity for your audit services: ↓
1) 𝗣𝘂𝗯𝗹𝗶𝗰 𝗣𝗿𝗼𝘃𝗲𝗻 𝗘𝘅𝗽𝗲𝗿𝘁𝗶𝘀𝗲:
Our team isn’t just talking the talk - we’re walking the walk.
A standout example is the $250k reward @malicator - our lead security researcher secured by identifying a critical vulnerability in @CurveFinance - one of DeFi’s heavyweight protocols.
This isn’t just a win, but rather - a testament to our deep understanding and expertise in the field.
Think about the hype your project could get from auditing with a team with such solid public proof of work -
I mean, @CurveFinance isn’t a small name in DeFi.
Don’t you want to brag about auditing with a team that responsibly disclosed a vulnerability in @CurveFinance? 👀
Moving on: ↓
2) 𝗖𝗼𝗻𝘀𝗶𝘀𝘁𝗲𝗻𝘁 𝗦𝘂𝗰𝗰𝗲𝘀𝘀 𝗶𝗻 𝗕𝘂𝗴 𝗕𝗼𝘂𝗻𝘁𝗶𝗲𝘀:
@KupiaSecurity isn’t new to the spotlight.
Our track record in bug bounty competitions speaks volumes - with multiple top placements that showcase our ability to pinpoint & mitigate vulnerabilities that others might miss.
Some recent notable ones are:
-> We secured 1st place at the @telcoin audit contest on @sherlockdefi
-> We secured 5th place in the @Curvance contest at @cantinaXyz
And many more 🫡
𝟯) 𝗖𝗼𝘀𝘁-𝗘𝗳𝗳𝗲𝗰𝘁𝗶𝘃𝗲 𝗔𝘂𝗱𝗶𝘁𝘀:
We believe that securing your project shouldn't break the bank.
Compared to other top tier audit firms -
Kupia offers the same high-level security audits at more affordable rates.
We’re here to protect your project and your budget 😉
As you know, in Decentralized finance (DeFi), securing protocols against vulnerabilities is an absolute necessity.
At @KupiaSecurity we understand this better than anyone.
Our team's unique blend of experience, demonstrated expertise, & dedication to quality makes us the go-to partner for your auditing needs.
To crown it all - our top-tier quality services are relatively affordable:
Especially when compared to other top-tier quality audit firms.
To get in-depth technical details of how we operate:
Visit our website linked in bio or PM directly via @KupiaSecurity 🫡
Because other avenues of handling this exploit closed, our team halted the sequencer to prevent additional funds bridging out. This was the last resort action to protect users on Linea.
https://t.co/xfXec1O0ef
🔍 We're on the hunt for a Head of Marketing to join KupiaSec!
🚀 If you're passionate about blockchain, web3, and crafting innovative marketing strategies, we want to hear from you. Join us in securing the future of web3.
#Web3#MarketingJobs#BlockchainSecurity#JoinOurTeam
I'm done with this crap. It's 2024, and L2s are still spewing the same bullshit about their core values being "permissionless" and "censorship-resistant" after being live for over a year but are still running centralised sequencers. Give me a break. They act all high and mighty, claiming to uphold these principles, but the moment it suits them, they flip the switch and keep the blockchain running their way. It's a joke. L2 folks, your claims of permissionless and censorship-resistance are nothing but a meme at this point.
Gala Games has not publicly confirmed the identity or method of the exploit, but some community members claim Gala had said the attack was from a security contractor who slipped up after connecting to the wallet without a VPN. https://t.co/ZwhBJWuLWj