A brief analysis of the Cover Protocol hacked event
According to the intelligence of the SlowMist Zone, on December 29, 2020, the price of the Cover agreement plummeted. The SlowMist security team followed up and analyzed related incidents as soon as possible. The following is a brief analysis process.
A brief analysis
1. In the Blacksmith contract of the Cover protocol, users can mortgage BPT tokens through the deposit function;
2. After the first deposit-withdraw, the attacker will update the pool through the updatePool function and use accRewardsPerToken to record the cumulative reward;
3. Later, the reward will be distributed through the _claimCoverRewards function and recorded using the rewardWriteoff parameter;
4. After the attacker’s first withdraw, there is still a small part of BPT for mortgage;
5. At this time, the attacker will deposit for the second time and withdraw the reward through claimRewards;
6. The problem lies in the specific calculation of rewardWriteoff. The Pool value taken when the attacker performs deposit-claimRewards for the second time is defined as memory. At this time, the Pool obtained in memory is the value updated when the attacker performs updatePool withdraw for the first time;
7. Since the Pool value obtained in memory is old, the accRewardsPerToken corresponding to the record is also old and will be assigned to the miner;
8. When a new updatePool is performed later, since the lpTotal in the pool has become smaller after the attacker performs withdraw for the first time, the accRewardsPerToken obtained finally will become larger;
9. At this time, the accRewardsPerToken assigned by the attacker is the old one, which is a small value, and the value obtained during the rewardWriteoff calculation will also be small, but the attacker uses the updated accRewardsPerToken value when performing claimRewards;
10. Therefore, due to the previous difference between the new and old parameters when calculating specific rewards, a larger value will be calculated;
11. Therefore, in the end, when rewards are minted for the attacker based on the calculation results, more COVER tokens will be minted, resulting in additional issuance of COVER tokens.
SlowMist Technology is a company focused on blockchain ecological security. It was founded in January 2018 and is headquartered in Xiamen. It was founded by a team with more than ten years of front-line network security attack-defense experiences, and the team members have created the security project with world-class influence. SlowMist Technology is already a top international blockchain security company, served many global well-known projects mainly through “the security solution that integrated the threat discovery and threat defense while tailored to local conditions,” including: cryptocurrency exchanges (such as Huobi, OKEx, Binance, etc.), cryptocurrency wallets (such as imToken, RenrenBit, MYKEY, etc.), smart contracts (such as TrueUSD, HUSD, OKUSD, etc.), DeFi projects (such as : JUST, BlackHoleSwap, DeFiBox, etc.), the underlying public chain (such as EOS, OKChain, PlatON, etc.), there are nearly a thousand commercial customers, customers distributed in more than a dozen major countries and regions.