foreword

Know that Chuangyu Blockchain Security Lab tracked and analyzed this incident for the first time.

Know that Chuangyu Blockchain Security Lab tracked and analyzed this incident for the first time.

basic information

first level title

basic information

As we all know, there are some security issues in the code of the compound project, and the feiprotocol and RariCapital protocols continue to use the compound code base, and at the same time use the reentrant writing method in the implementation of the doTransferOut() method, which leads to the occurrence of the incident.

Therefore, multiple attacks in this incident have the same method, so this article only analyzes one attack.

tx：0xadbe5cf9269a001d50990d0c29075b402bcc3a0b0f3258821881621b787b35c6

CEtherDelegator contract: 0xfbD8Aaf46Ab3C2732FA930e5B343cd67cEA5054C

Vulnerability analysis

first level title

Vulnerability analysis

The most critical point is that the attacker calls the exitMarket() function to exit the loan market after borrowing, and then redeems the collateral. Since the attacker has already exited the market at this time, the protocol will not calculate the loan, so it can Successful redemption of collateral.

attack process

first level title

attack process

1. The attacker uses the flash loan loan and mortgages it into the agreement;

2. The attacker lends ETH and then triggers reentry;

3. Call the exitMarket() function to exit the loan market and take out the collateral;

6. Finally, the attacker repeated the attack method to attack the pool in the agreement, and successfully arbitraged about 80 million US dollars.

Summarize

first level title

Summarize

The core of this attack is that the protocol referenced the compound code library with reentrancy vulnerabilities, which led to reentrancy attacks on the contract.