
Decoding Sentiment Protocol’s $1 Million Exploit | QuillAudits


Summary:

On April 4th, the Sentiment Protocol on the Arbitrum Chain was attacked through a read-only reentrancy vulnerability. The attacker exploited this vulnerability, stealing approximately $1 million. Fortunately, the attacker returned around 90% of the stolen funds.

About Sentiment:

Sentiment is a liquidity protocol on the Arbitrum Chain that allows for on-chain, permissionless, undercollateralized borrowing. Similar to existing DeFi lending markets, Sentiment lenders supply capital, which is then loaned to borrowers as debt.

Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Address: 0xdd0cdb4c3b887bc533957bc32463977e432e49c3

Attacker Contract: 0x9f626f5941fafe0a5b839907d77fbbd5d0dea9d0

Victim Contract: 0x62c5aa8277e49b3ead43dc67453ec91dc6826403

Attack Transaction: 0xa9ff2b587e2741575daf893864710a5cbb44bb64ccdc487a100fa20741e0f74d

The Root Cause:

The root cause is a view-only (read-only) reentrancy bug exposed in Balancer pools when removing liquidity with one of the returned tokens being ETH. Since the entry point is a non-mutating view call, it cannot be protected by a reentrancy guard, allowing the caller to take control of execution and run arbitrary code. The attacker was able to execute a malicious contract before the pool balances were updated. This allowed them to steal funds by using overpriced collateral.


Attack Steps:

Attack Process:

  • The attacker began by taking out a flash loan of 606 WBTC, 10,130 WETH, and 18 million USDC tokens from the Sentiment lending pool.
  • The attacker initiated the attack by calling the joinPool() function of the Balancer Vault to make a deposit. After this, they called exitPool() to withdraw their funds. During the withdrawal process, the Balancer Vault triggered the fallback function of the attack contract.
  • In the fallback function, the attacker called the borrow function of the 0x62c5 Proxy contract. This function calculates the price based on the return data from Balancer Vault.getPoolTokens(). At that point in the withdrawal, the total supply of LP tokens had already decreased, but the recorded balances of the tokens in the pool had not yet been updated. This left the token prices imbalanced, allowing the attacker to borrow multiple assets at a lower price.
  • Finally, the attacker returned the borrowed funds, along with premiums, and made a profit of approximately $1 million. The attacker bridged the funds from Arbitrum Chain to Ethereum.

The flow of Funds:

The hacker returned $900,000 (90%) to the protocol and kept the rest as a bounty. They transferred the bounty to Tornado Cash.

Incident Timelines

05-04-2023: The Sentiment team announced the hack through a tweet. The contract was paused to prevent further losses. They also announced that they were working with authorities and security firms to secure funds, recover stolen assets, and investigate the exploit.

05-04-2023: The team offered a $95K reward to the hacker if they returned the assets by 8 AM UTC on April 6. Otherwise, the reward would be given to anyone with relevant information about the hacker.

06-04-2023: The Sentiment team announced that they had successfully negotiated with the exploiter to return 90% of the hacked funds. A few hours later, they released a statement saying that they had recovered $900,000 from the exploit.

07-04-2023: Sherlock paid out $50K, which is 75% of the remaining losses after the hacker returned 90% of the funds. They further stated that they would claim the last 25% of the loss with their partner, NexusMutual.

08-04-2023: The Sentiment team announced that they had recovered 100% of the funds from the exploit.

11-04-2023: They released a brief summary of the exploit and how they overcame it, restoring the protocol to 100% solvency and full capacity.

How could they have prevented the exploit?

When developing smart contracts, it is crucial to consider integrations and security solutions that are relevant to the project. To mitigate this issue, it is recommended to use Balancer’s VaultReentrancyLib. Calling ensureNotInVaultContext(vault) performs a no-op call to the vault, which will fail if an attacker attempts a read-only reentrancy attack.
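The ordering described under "The Root Cause" and the effect of the vault-context check, as a simplified Python model added here; it is not Sentiment's or Balancer's code. ToyVault, lp_price, observe_during_exit and all token amounts and prices are constructed assumptions, and ensure_not_in_vault_context is a stand-in for the no-op vault call that VaultReentrancyLib makes.

```python
class ReentrancyError(Exception):
    pass

class ToyVault:
    """Constructed model of the exit ordering described above (not Balancer code)."""
    def __init__(self, balances, lp_supply):
        self.balances = dict(balances)  # recorded pool balances per token
        self.lp_supply = lp_supply      # total supply of LP tokens
        self.locked = False             # vault reentrancy lock

    def get_pool_tokens(self):
        # View call: performs no lock check, so it answers even mid-exit.
        return dict(self.balances)

    def ensure_not_in_vault_context(self):
        # Hypothetical stand-in for the no-op vault call: fails while locked.
        if self.locked:
            raise ReentrancyError("vault operation in progress")

    def exit_pool(self, lp_amount, on_receive_eth):
        self.locked = True
        old_supply = self.lp_supply
        self.lp_supply = old_supply - lp_amount      # 1. LP tokens burned
        on_receive_eth()                             # 2. ETH sent, recipient code runs
        for token in self.balances:                  # 3. balances updated last
            self.balances[token] = self.balances[token] * self.lp_supply // old_supply
        self.locked = False

def lp_price(vault, prices, guarded):
    """Price one LP token as pool value / LP supply, as a lending oracle would."""
    if guarded:
        vault.ensure_not_in_vault_context()
    balances = vault.get_pool_tokens()
    return sum(balances[t] * prices[t] for t in prices) // vault.lp_supply

def observe_during_exit(guarded):
    """Return LP price (before exit, inside the ETH callback, after exit)."""
    prices = {"WETH": 2000, "USDC": 1}  # constructed sample prices
    vault = ToyVault({"WETH": 500, "USDC": 1_000_000}, lp_supply=1000)
    seen = {}
    def callback():
        try:
            seen["mid"] = lp_price(vault, prices, guarded)
        except ReentrancyError:
            seen["mid"] = None          # guarded oracle refuses to price
    before = lp_price(vault, prices, guarded)
    vault.exit_pool(900, callback)
    return before, seen["mid"], lp_price(vault, prices, guarded)
```

In the unguarded run the price read inside the callback is ten times the true value because the LP supply has shrunk while the balances are stale; on-chain, the guarded read would revert the whole transaction rather than return nothing.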

Reproducing the hack:

We will be using the Foundry framework for the PoC. Add the Arbitrum Mainnet RPC URL to the foundry.toml file and run the test using the command forge test -vvv.

The exploit PoC link can be found here.

Read more: https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376
