In the latest DeFi hack, stablecoin stabilizing protocol Pickle Finance was exploited on 21-11-2020 06:37 PM (UTC) for nearly $20M. It is notable because analysts are terming it as the most complex DeFi exploit ever, as pDAI jar was hacked with skill-full mastery. The system was gamed using multiple flaws, including Jar swap and Jar convert logic in an extremely sophisticated code execution.
Following the attack, users were advised to withdraw funds from Pickle Jars and wait for the next updates. The team has now confirmed that the attack has been reverse engineered and relevant system modules have been patched to defend against this attack vector, in the future.
Banteg Reveals Details Of The Attack
Yearn.Finance developer Banteg was one of the white hat hackers assisting the team with the investigation and fixed. He has since then posted a detailed explanation of the attack. It is every evident that the hacker (s) had a deep understanding of the smart contract logic and execution. The following information was taken from the Github entry.
- Deploy two Evil Jars
- Get the amount available to withdraw from StrategyCmpdDaiV2
ControllerV4.swapExactJarForJar()passing the Evil Jars and the amount retrieved in the previous step.
ControllerV4.swapExactJarForJar()doesn’t check the Jars and calls them, withdrawing from
StrategyCmpDAIV2.withdrawForSwap()which ultimately uses
StrategyCmpDAIV2.deleverageToMin(). This transfers 19M DAI to pDAI.
pDAI.earn()3 times. This invokes a Compound deposit via
StrategyCmpDAIV2.deposit(), leading to the contract receiving cDAI.
StrategyCmpdDAIV2now has an equivalent of 19M in cDAI.
- Deploy 3 more evil contracts, the first one being the equivalent of FakeUnderlying in our replicated exploit and the other two Evil Jars.
ControllerV4.swapExactJarForJar()passing the Evil Jars, no amount and a
CurveProxyLogicas target with a crafted data which allowed an injection to call the equivalent
StrategyCmpDAIV2and a crafted signature which leads to withdrawal of cDAI and transferring them to
- The funds (in cDAI) are now in the Controller, it calls the
EvilJar.deposit()which transfer the funds to the attacker smart contract.
- The attacker smart contract redeems cDAI for DAI from Compound and transfers DAI to the attacker EOA.
Implications For DeFi Protocols Design And Security
DeFi protocols are generally famous for “move fast and break things” ethos. The developer teams in this space are known to experiment with code and deploy unaudited code without much protection. Lately, this has resulted in massive fund losses, no doubt largely borne by the users. Even if the code is audited even by multiple teams, there is no guarantee that it’s 100% secure.
DeFi teams need to apply a multi-disciplinary strategy, bringing together elements of finance, game theory, tokenomics, smart contract design and logic. They also need to make certain that going forward relevant safeguards are present to enforce limits and insurance has been acquired, in order to protect against such exploits.
Shiba Inu to Reach 1$ soon? This New Upcoming Development Proves it Right
Balancer Pools Get Drained Off $500K Through STA Exploit, Team Reimburses
THORChain Contract Problems – Approvals Can Drain RUNE Balance
Big News: Ripple Price is about to TRIPLE? This News Confirms…
Origin Protocol Hacked For $7 Million
Bondly Got Hacked For Millions And The Team Has No Idea Why!
Revealed: The ‘Unknown’ dev who detected the BCH Bug
Shiba Inu Price Prediction: How High can SHIB Price reach by 2030?
THORChain Hacked For $8M Again, Whitehack Suspected
Ethereum Feb 2020 Stats Released By ConsenSys
The Big Ripple Price Prediction for 2023 – How high can the XRP price go in 2023?
Is EOS Corrupt? Is EOS Hacked?
Lightning Network Can Be Paralyzed With 0.25 BTCs Spend, Research Shows
Yearn Finance (YFI) Deploys NFTs Venture Eminence, Gets Exploited Within Hours
Can Shiba Inu Price Reach 10 Cents?
A Major Bug In Bitcoin Core Could Have Crashed the Whole Network
Crypto Market: Bora +262%, Avanti, Warren Buffet, $250K BTC etc.
Ripple Price Prediction – How High will XRP reach in 2050?
Edward Snowden Likes Zcash
German Ministry Of Finance Makes Statement On Programmable Digital Euro
What Happened with the Solana Hack? Quick Explanation
More from Blockchain
How High will XRP Price reach after Ripple wins the SEC Lawsuit? XRP 3$?
Will we then see a price explosion from the XRP coin to $3 if Ripple wins the SEC lawsuit? Let's …
Top 5 Crypto-Friendly Banks for Investors and Enthusiasts
Cryptocurrencies have been gaining mainstream adoption in recent years, but not all banks are equally supportive. If you're looking for …
Shiba Inu Price to EXPLODE as Shibarium Burns 70% of Base Fee?
Will Shiba inu price increase and skyrocket again? Where will Shiba Inu price reach? What's new with Shiba Inu?