Cointime

Cointime

Download App
iOS & Android

How Was Rubic Protocol Hacked?

Validated Project

TL;DR

On December 25, 2022, the Rubic protocol was compromised, resulting in a loss of over $1.4 million.

Introduction to Rubic

Rubic is a cross-chain technology aggregator for users and dApps that aggregates various blockchains, different DEXs and bridges, and allows for the exchanging of a wide range of assets.

Vulnerability Assessment

The root cause of the vulnerability is that the Rubic protocol incorrectly added USDC tokens to the Router whitelist, resulting in the theft of USDC tokens from the users authorized to the RubicProxy contract.

Steps

Step 1:

Rubic is a DEX cross-chain aggregator, so users on their platform can swap tokens via a function call in the RubicProxy contract.

Step 2:

During this process, it will first determine whether or not the target Router of the necessary call passed in by the user is included in the protocol’s whitelist.

Step 3:

The user-supplied target Router will be called only after the whitelist check, and the calling data will also be supplied by the user.

Step 4:

As USDC tokens were incorrectly added to the whitelist of the protocol, any user could arbitrarily call USDC tokens through the RubicProxy contract.

Step 5:

The perpetrator used this opportunity to call the USDC contract through a function call, in order to transfer the USDC tokens to their address from the users who had authorized to the RubicProxy contract.

Step 6:

In here, you can view one of the attack transactions carried out by the exploiter, in which USDC tokens from multiple users have been transferred to their addresses.

Step 7:

The attacker sent 1,100 ETH worth of the stolen funds to Tornado Cash.

Aftermath

After the incident, Rubic issued a statement confirming the occurrence of the hack and requested users to revoke their access as soon as possible. The team will undertake audits with two independent agencies in the weeks to come, and approximately 49 affected users will be compensated for their loss.

The team further issued another statement to provide a brief summary of the incident.

Solution

While performing smart contract audits can assist in identifying and addressing potential vulnerabilities, they are insufficient to fully prevent a contract from being hacked. Stringent tests should also be run in simulated scenarios to find any potential programming errors or weaknesses in order to guarantee the security and dependability of a smart contract to a greater extent. These tests ought to replicate a range of circumstances and situations that the contract might experience in the real world, including both anticipated and unforeseen circumstances.

Comments

All Comments

Recommended for you

  • Binance Founder Faces Potential Three-Year Prison Sentence and $50 Million Fine for Money Laundering and Sanctions Violations

    Binance founder Changpeng Zhao has been recommended a three-year prison sentence by federal prosecutors for violating federal money laundering laws and sanctions. The Department of Justice argued that this sentence would hold him accountable for his intentional criminal conduct and send a message to the world. Zhao made a "business decision" to break the law to attract users, build his company, and line his pockets, according to prosecutors. Along with the prison sentence, DOJ lawyers also requested that Zhao pay the $50 million fine he agreed to as part of a plea deal. Zhao, who is a citizen of the UAE and Canada, has been released on a $175 million bond but must remain in the U.S. until his sentencing on April 30.

  • Market News: South Africa authorizes 75 companies as cryptocurrency service providers

    According to Jinshi news, South Africa has authorized 75 companies as cryptocurrency service providers.

  • Indonesian President: $8.6 billion laundered through cryptocurrency in 2021

    According to Golden Finance News, Indonesian President Joko Widodo stated that he has noticed signs of money laundering through cryptocurrency in 2021, amounting to $8.6 billion (IDR 139 trillion). In addition to cryptocurrencies and NFTs, the president emphasized the need to monitor other potential money laundering tools, including virtual assets, market activities, e-currencies, and AI-driven transactions. Mahendra Siregar, Chairman of the Financial Services Authority (OJK) Committee, responded to the President's directive, stating that when cryptocurrency regulation is transferred to the OJK next year, his agency will supervise these issues.

  • BTC breaks through $67,000

    Tthe market shows that BTC has broken through $67,000 and is now trading at $67,025.99, with a daily increase of 1.12%. The market is volatile, please be prepared for risk control.

  • Bitcoin spot ETF had a total net inflow of $31.6354 million yesterday, and the ETF net asset ratio reached 4.27%

    According to SoSoValue data, the total net inflow of Bitcoin spot ETF was $31.6354 million on April 23 (US Eastern Time).Grayscale ETF GBTC had a net outflow of $66.8838 million on April 23, and the historical net outflow of GBTC is $16.833 billion.The Bitcoin spot ETF with the highest net inflow on April 23 was BlackRock ETF IBIT, with a net inflow of $37.9233 million in a single day, and the historical total net inflow of IBIT has reached $15.479 billion.The second highest was the ARKB ETF from Ark Invest and 21Shares, with a net inflow of $33.282 million in a single day, and the historical total net inflow of ARKB has reached $2.267 billion.As of now, the total net asset value of Bitcoin spot ETF is $55.82 billion, and the ETF net asset ratio (the proportion of market value to the total market value of Bitcoin) is 4.27%, with a historical cumulative net inflow of $12.416 billion.

  • CZ announces Giggle Academy logo and design ideas

    CZ has released the Giggle Academy Logo and its design concept. He hopes that the logo can showcase youthfulness, fun, positive energy, and growth while continuing the "Binance tradition":

  • Ethereum liquidity re-staking agreement TVL exceeds US$9.4 billion, of which Renzo TVL increased by 12.34% in 7 days

    DeFiLlama data shows that the TVL of Ethereum's liquidity re-staking protocol has risen to $9.445 billion. The top five protocols ranked by TVL are:

  • MEME sector rose across the board, and BONK rose 81.4% in the past 7 days

    Golden Finance reported that according to data, the current market value of MEME coin is 57.872 billion US dollars, with a 24-hour increase of 2.1%. In addition, in the past 24 hours, the global trading volume of Meme coin has reached 5.6 billion US dollars. Among them:

  • Grayscale Ethereum Trust to be listed on NYSE Arca

    Grayscale Ethereum Trust (Grayscale ethereum trust) plans to go public on the NYSE Arca (New York Stock Exchange Growth Board Market) with the code "ETHE".

  • GBTC had a net outflow of US$67 million yesterday, and IBIT had a net inflow of US$37.8 million

    According to HODL15Capital data, on April 23, GBTC had a net outflow of $67 million, while the Belad IBIT had a net inflow of $37.8 million, EZBC had a net inflow of $2 million, and BITB had a net inflow of $23 million. Based on current data, only $4.2 million is needed for net inflows for spot Bitcoin ETFs.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company