Cointime

Cointime

Download App
iOS & Android

How Was Rubic Protocol Hacked?

Validated Project

TL;DR

On December 25, 2022, the Rubic protocol was compromised, resulting in a loss of over $1.4 million.

Introduction to Rubic

Rubic is a cross-chain technology aggregator for users and dApps that aggregates various blockchains, different DEXs and bridges, and allows for the exchanging of a wide range of assets.

Vulnerability Assessment

The root cause of the vulnerability is that the Rubic protocol incorrectly added USDC tokens to the Router whitelist, resulting in the theft of USDC tokens from the users authorized to the RubicProxy contract.

Steps

Step 1:

Rubic is a DEX cross-chain aggregator, so users on their platform can swap tokens via a function call in the RubicProxy contract.

Step 2:

During this process, it will first determine whether or not the target Router of the necessary call passed in by the user is included in the protocol’s whitelist.

Step 3:

The user-supplied target Router will be called only after the whitelist check, and the calling data will also be supplied by the user.

Step 4:

As USDC tokens were incorrectly added to the whitelist of the protocol, any user could arbitrarily call USDC tokens through the RubicProxy contract.

Step 5:

The perpetrator used this opportunity to call the USDC contract through a function call, in order to transfer the USDC tokens to their address from the users who had authorized to the RubicProxy contract.

Step 6:

In here, you can view one of the attack transactions carried out by the exploiter, in which USDC tokens from multiple users have been transferred to their addresses.

Step 7:

The attacker sent 1,100 ETH worth of the stolen funds to Tornado Cash.

Aftermath

After the incident, Rubic issued a statement confirming the occurrence of the hack and requested users to revoke their access as soon as possible. The team will undertake audits with two independent agencies in the weeks to come, and approximately 49 affected users will be compensated for their loss.

The team further issued another statement to provide a brief summary of the incident.

Solution

While performing smart contract audits can assist in identifying and addressing potential vulnerabilities, they are insufficient to fully prevent a contract from being hacked. Stringent tests should also be run in simulated scenarios to find any potential programming errors or weaknesses in order to guarantee the security and dependability of a smart contract to a greater extent. These tests ought to replicate a range of circumstances and situations that the contract might experience in the real world, including both anticipated and unforeseen circumstances.

Comments

All Comments

Recommended for you

  • Crypto Super PAC Raises Over $100 Million for 2024 US Election

    According to PUBLIC CITIZEN, a cryptocurrency industry-backed super PAC has raised over $102 million, ranking third among all super PACs participating in the 2024 election. More than half of the political funds for the cryptocurrency super PAC (about $54 million) come from direct corporate spending, mainly from Coinbase and Ripple Labs.It is reported that four of the eight corporate cryptocurrency super PAC donors have settled or face charges from the US Securities and Exchange Commission (SEC) for alleged violations of securities laws, with Ripple Labs alone facing a fine of nearly $2 billion.

  • The US government seized 3,940 BTC from drug dealers

    Blockchain data tracking company Arkham has stated that the US government has seized $250 million worth of BTC, currently being held by Arkham. The US government obtained 3,940 BTC from drug dealer Banmeet Singh and seized them during a trial in January 2024. According to court documents, Singh was responsible for selling controlled substances on the dark web market from 2012 to 2017 and distributing them throughout the United States. The statement from the Department of Justice (DOJ) and court documents match the on-chain flow of funds already added to our US government entity.

  • Jack Dorsey's Blockchain plans to raise $1.5 billion through senior notes issuance

    Jack Dorsey's financial technology company, Block (formerly known as Square), announced on May 6th that it plans to issue $1.5 billion in preferred notes to qualified institutional investors through private placement.

  • Yesterday, the US Bitcoin ETF had a net inflow of $218 million

    According to HODL15Capital data, yesterday (May 6th), the net inflow of US Bitcoin ETF was 218 million US dollars.

  • The US SEC has submitted sealed documents regarding the lawsuit against Ripple

    On May 7th, former US federal prosecutor James K. Filan disclosed the latest progress in the SEC's lawsuit against Ripple on X platform. The SEC has submitted sealed documents containing its response brief and supporting evidence for remedies. These documents have not been made public yet. The revised version that will be made public is expected to be submitted before Wednesday, May 8th. Other sealed documents will be submitted later.

  • Hong Kong Bitcoin Spot ETF has held 4,388 BTC since its listing

    According to HODL15Capital monitoring, the Hong Kong Bitcoin spot ETF has held 4,388 BTC since its listing.

  • 400 million DOGE transferred from unknown wallet to Robinhood

    Whale Alert monitoring shows that at 09:10:35 Beijing time, 400,000,000 DOGE coins (worth $62,825,933) were transferred from an unknown wallet to Robinhood.

  • Contango Blockchain x AI Fund Completes $5 Million Fundraising

    Contango Digital Assets, a portfolio under Orthogonal Global Group, announced that its blockchain and AI seed fund, Contango Blockchain x AI Fund, has completed a fundraising of $5 million. Investors include the CEO of Quantstamp, the CFO of SingularityNet, the CEO of WonderFi, a general partner of X Ventures, early limited partners of Digital Money Group and Polychain Capital, as well as investors of VANTA DAO. It is reported that the fundraising goal of the fund is $10 million, and it will focus on supporting projects in the decentralized artificial intelligence field in the future. Currently, it has purchased tokens of the telecommunications sharing economy project Minutes Network.

  • SEC v. Ripple case progress: SEC will submit a public redacted version of the remedy response brief and supporting evidence by Wednesday

    Former US federal prosecutor James K. Filan shared the latest developments in the SEC's lawsuit against Ripple on X platform. The SEC has submitted sealed documents, including its response brief and supporting evidence for its remedies. These documents have not been made public yet. The revised public version will be submitted before Wednesday, May 8th. Other sealed documents will be submitted later.

  • LayerZero: Working with Nansen and others to write a Sybil Detection Report

    LayerZero Labs announced that it has been working with Chaos Labs and Nansen to compile a witch detection report. They will consider the total weighted transactions of each user in all LayerZero applications to ensure consistency between TGE, developers, and long-term users. The report will be released after the deadline for self-reporting witches.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company