Cointime

  • BTC $16830.35 -0.02 %
  • ETH $1232.74 -0.13 %
  • BCH $109.50 0.00 %
  • SOL $13.50 -0.07 %
  • XRP $0.39 -0.18 %
  • BNB $285.20 0.00 %

DFX Finance Smart Contract Vulnerability Explained

Cointime Staff· 4 min read

by Shashank

Overview:

On 11th November 2022, a Re-entrancy attack occurred, which resulted in draining a total of ~$7.5M from DFX Finance’s Polygon liquidity pools. The attacker could only transfer $4.3 million worth of assets into their wallet. The remaining portion–about $3.2 million– was extracted by an MEV bot in a front-running transaction, also called a sandwich attack.

Smart Contract Hack Overview:

  • Attacker’s address: 0x14c1
  • DFX Finance Code: 0x8888
  • MEV Bot Address & transaction: 0x6c6b
  • MEV Bot’s wallet address: 0xfde
  • Unconventional ordering transaction Block: 15941904
  • MEV Bot & wallet transaction address analysis: 0xfde0d

GitHub code link:

Decoding the Smart Contract Vulnerability:

Series of transactions connected to the wallet and MEV bot
DFX Finance Smart Contract Vulnerability
  • Because there was no outstanding amount at the attacker’s address, the transactions satisfied the validation when the transaction pair contract’s balance was checked, bypassing the necessity for transaction pair checks to pay back the flash loan. Link
  • The withdraw () function had a Re-entrancy protection modifier which could not be triggered since the flash loan was completed but the lptokens deposited by the attacker still existed in the lending contract, which actually belonged to the attacker, thus allowing an attacker to call the emergencyWithdraw() function any number of time until attacker withdraw all the deposited tokens.
  • Due to the MEV bots being activated, the attacker lost a significant amount of money to the owner of those bots and was only able to recover about $4M in stolen money.

All Comments