Editor's Note: This article comes fromBabbitt Information (ID: bitcoin8btc)Editor's Note: This article comes from

Babbitt Information (ID: bitcoin8btc)

Babbitt Information (ID: bitcoin8btc)

, Author: rekt, Compiler: Free and Easy, released with authorization.

Note: This Saturday, the DeFi protocol Pickle Finance was hacked for $20 million due to the loopholes in its Jar strategy. Since then, a temporary team composed of Rekt, Stake Capital team members, samczsun and other white hat The remaining vulnerable user funds of 50 million US dollars in the protocol were rescued, and the author Rekt summarized the incident.

The financial ferment continues, and even pickles have a shelf life.

Pickle Finance was hacked for 19.7 million DAI due to a fake "Pickle jar" vulnerability.

Pickle Finance has become the latest victim of the hacking pandemic.

This time, however, something is different...

As people on Twitter tried to come to terms with another financial disaster, Rekt launched an investigation.

We reached out to the Stake Capital team who reviewed the code and warned us that other pickle jars may be at risk.

We quickly reached out to the Pickle Finance team and set up a war room between members of Sketch Capital (@bneiluj, @vasa_developer) and experienced developers @samczsun, @emilianobonassi.

After our investigation, it became clear that we were looking at something very different from the DeFi LEGO style hacks of recent weeks.

This is not an arbitrage.

The attacker has a good understanding of Solidity and the EVM, and may have been paying close attention to the Yearn code for a while, as this vulnerability is similar to the one discovered in Yearn a month ago.

Essentially, Pickle Jar is a fork of Yearn yVaults, and these Jars are controlled by a contract called the Controller, which has a function that allows users to exchange assets between Jars.

Unfortunately, Pickle doesn't have a whitelist of which Jars are allowed to use this swap.

The hacker created a fake Pickle Jar and exchanged the funds in the original Jar. This is possible because swapExactJarForJar does not check for "whitelisted" jars.

The Pickle Finance team knew they needed help and were more than willing to work with others to prevent any further damage.

Pickle tried to call the "withdrawAll" function, but the transaction failed.

This withdrawal request needs to go through the governance DAO, which has a 12-hour timelock.

Only members of a Pickle multisig group had the ability to bypass this timelock while they were sleeping.

This means managers can't empty the Pickle Jar, but it doesn't protect them from another hack.

• Pickle Finance and Curve then issued warnings asking users to withdraw funds from Pickle immediately, however, $50 million remained in the potentially vulnerable Pickle jar, while the White Hat team investigated the breach and checked the balance of the remaining funds. safety.

• The rescue team must either wake up the sleeping admin, or drain the jars themselves.

• The squad had to overcome 5 major challenges:

• Have the Pickle Finance team come together across multiple timezones to rescue funds by pushing transactions to 12 hour timelocks (via 3 out of 6 multisigs) to withdraw funds;

• Let thousands of investors withdraw their funds (and prevent them from reinvesting when the pool TVL drops and APY balloons above 1000%);

Do a security check on other jars to see if there are more attacks that might happen;

Before anyone attacks these jars again, replicate the attack and move the funds out;

Avoid front-running while trying to salvage the remaining $50 million in funds;

The attackers are clearly more aligned in their motivations than the protectors, so why would white hat hackers coordinate such an arduous counterattack?

analyze

It is not sustainable that the credit goes to the white hats and the money goes to the hackers.

How long will it take for these white hats to turn black?

analyze

The diagram below was created by @vasa_develop.hereturn up.

hereinvestigative report。

For more details, please refer to the officialhereinvestigative report

It will be interesting to see how relatively new insurance protocol Cover Protocol handles this event, which is a huge sum for their first claim. you can at

here

Find snapshot polls for insurance claims.

Pickling pickles is a slow process.

For decades, advocates of "agile development" have been telling developers to move fast, fail fast, and ship a minimum viable product.

These ideas are not suitable for building in a hostile environment.

Failing fast in DeFi comes at a huge cost.

We don't need another approach, we need a paradigm shift that allows rapid iteration while reducing the likelihood of being attacked.

Let's stop thinking that "you have an audit and you have security", in most cases it is a snapshot of checklist-style security measures applied to moving targets that often evolve into something else.

Audits of MixBytes (Oct. 3) and Haechi (Oct. 20) were done before the addition of ControllerV4 (Oct. 23), one of the key vectors for this attack.