Cointime

Cointime

Download App
iOS & Android

How Was Rubic Protocol Hacked?

Validated Project

TL;DR

On December 25, 2022, the Rubic protocol was compromised, resulting in a loss of over $1.4 million.

Introduction to Rubic

Rubic is a cross-chain technology aggregator for users and dApps that aggregates various blockchains, different DEXs and bridges, and allows for the exchanging of a wide range of assets.

Vulnerability Assessment

The root cause of the vulnerability is that the Rubic protocol incorrectly added USDC tokens to the Router whitelist, resulting in the theft of USDC tokens from the users authorized to the RubicProxy contract.

Steps

Step 1:

Rubic is a DEX cross-chain aggregator, so users on their platform can swap tokens via a function call in the RubicProxy contract.

Step 2:

During this process, it will first determine whether or not the target Router of the necessary call passed in by the user is included in the protocol’s whitelist.

Step 3:

The user-supplied target Router will be called only after the whitelist check, and the calling data will also be supplied by the user.

Step 4:

As USDC tokens were incorrectly added to the whitelist of the protocol, any user could arbitrarily call USDC tokens through the RubicProxy contract.

Step 5:

The perpetrator used this opportunity to call the USDC contract through a function call, in order to transfer the USDC tokens to their address from the users who had authorized to the RubicProxy contract.

Step 6:

In here, you can view one of the attack transactions carried out by the exploiter, in which USDC tokens from multiple users have been transferred to their addresses.

Step 7:

The attacker sent 1,100 ETH worth of the stolen funds to Tornado Cash.

Aftermath

After the incident, Rubic issued a statement confirming the occurrence of the hack and requested users to revoke their access as soon as possible. The team will undertake audits with two independent agencies in the weeks to come, and approximately 49 affected users will be compensated for their loss.

The team further issued another statement to provide a brief summary of the incident.

Solution

While performing smart contract audits can assist in identifying and addressing potential vulnerabilities, they are insufficient to fully prevent a contract from being hacked. Stringent tests should also be run in simulated scenarios to find any potential programming errors or weaknesses in order to guarantee the security and dependability of a smart contract to a greater extent. These tests ought to replicate a range of circumstances and situations that the contract might experience in the real world, including both anticipated and unforeseen circumstances.

Comments

All Comments

Recommended for you

  • SlowMist: Beware of watering hole attacks launched by malicious attackers using WordPress plugin vulnerabilities

    SlowMist Security has issued a warning that attackers have recently been exploiting vulnerabilities in WordPress plugins to inject malicious JS code into normal websites and launch watering hole attacks. These attacks involve popping up malicious windows when users visit the site, deceiving them into executing malicious code or performing Web3 wallet signatures, thereby stealing their assets. It is recommended that sites using WordPress plugins check for vulnerabilities, update plugins in a timely manner, and avoid being attacked. When visiting any website, users should carefully identify the downloaded programs and Web3 signature content to avoid downloading malicious programs or having their assets stolen due to malicious signatures.

  • Unverified Ember Sword NFT auction contract vulnerability has caused nearly $200,000 in losses

    Certik has discovered a vulnerability in the unverified Ember Sword NFT auction contract, which has earned 60 WETH (approximately $195,000) from 159 victims who approved the contract. Certik reminds users to revoke their approval of the relevant contract on Polygon.

  • zkSync ecological lending platform xBank Finance suspected of RUG

    xBank Finance, a zkSync ecosystem lending platform, was suspected of being a RUG, and the protocol's TVL was close to zero. The project's official Twitter account has been frozen.

  • Scammers use fake USDT balances to defraud cryptocurrency users

    SlowMist has partnered with Imtoken to uncover a new cryptocurrency scam that uses offline transactions and USDT. Scammers manipulate the Ethereum RPC to falsify the USDT balance in the victim's wallet. The scammer lures the victim to change their Ethereum RPC URL to a URL controlled by them, making it appear that the victim has deposited USDT funds, but in reality, the victim is left empty-handed when attempting to trade. In addition, the scam also deceives users through small transfers to gain trust, then manipulates account balances and contract information, posing serious risks to unsuspecting users and is related to a wider range of pig slaughter scam activities.

  • Cointime April 27th News Express

    1. ETH falls below $3,100

  • HKEX: Accepts BOS HashKey, Huaxia, Harvest Bitcoin and Ethereum ETFs as eligible securities for multiple counters in the central clearing system

    On April 27th, the Hong Kong Stock Exchange issued three notices, announcing the inclusion of Bo Shi HashKey Bitcoin ETF shares and Bo Shi HashKey Ethereum ETF shares, Huaxia Bitcoin ETF shares and Huaxia Ethereum ETF shares, and Jia Shi Bitcoin Spot ETF shares and Jia Shi Ethereum Spot ETF shares as Central Clearing System multi-counterparty eligible securities. It is reported that:

  • Russia’s Central Bank and Rosfinmonitoring unveil pilot of fiat-to-crypto tracking system

    According to reports, since 2023, Russia has been trying to track cryptocurrency transactions and their sources. The Russian Central Bank and the Federal Financial Monitoring Service (Rosfinmonitoring) revealed that there is currently a system that allows private banks to track the connection between fiat-based transactions and cryptocurrency business.

  • PolkaWorld: Coretime trading on Kusama has started

    On April 27th, PolkaWorld announced that Coretime trading on Kusama has begun, marking the end of the era of parallel chains. With the approval and implementation of Kusama proposal 373, the proposal will upgrade the Kusama relay chain runtime to v1.2.0 and bring Coretime functionality. Shortly thereafter, the Kusama community approved Kusmaa proposal 375 last Friday, allowing Coretime chain to begin selling Coretime. Currently, Kusama is in the Renew Period and is selling batches of Coretime.

  • Over $155 million worth of MEME will be unlocked on May 3, accounting for 31.96% of the circulating supply

    According to Token Unlocks data, 5.31 billion MEME tokens, worth over $155 million, will be unlocked on May 3, 2024, accounting for 31.96% of the circulating supply. These tokens will be unlocked and distributed to airdrops, advisors, and investors.

  • The total open interest of BTC options is $17.83 billion, and the open interest of ETH options is $8.07 billion.

    Coinglass data shows that the nominal value of unclosed BTC option positions on the entire network is 17.83 billion US dollars, which is the lowest point since February 26; the nominal value of unclosed ETH option positions is 8.07 billion US dollars, which is the lowest point since February 25.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company