Background
On March 14, 2024, according to an alert from the SlowMist MistEye security monitoring system, the decentralized lending protocol MOBOX on the Optimism blockchain was attacked, resulting in a loss of approximately $750,000. The SlowMist Security Team has conducted an in-depth analysis of this incident and shares their findings as follows:
Related Information
Attacker Addresses:
- 0x4e2c6096985e0b2825d06c16f1c8cdc559c1d6f8
- 0x96f004c81d2c7b907f92c45922d38ab870a53945
Attacked Contract Address:
- 0xae7b6514af26bcb2332fea53b8dd57bc13a7838e
Attack Transaction:
- 0x4ec3061724ca9f0b8d400866dd83b92647ad8c943a1c0ae9ae6c9bd1ef789417
Attack Method:
The core of this attack involved two main aspects. First, the attacker exploited a vulnerability in the contract’s `borrow()` function, which triggered a reward distribution to the referrer’s address each time it was called. The calculation of the reward was based on the amount of tokens transferred, allowing the attacker to increase the amount of the next loan by transferring the reward back to the attacked contract. Second, each call to the `borrow()` function burned a portion of the MO tokens in the pool, continuously driving up the price of MO tokens. As a result, the attacker was able to profit by repeatedly borrowing and stacking rewards.
Transaction Analysis
The entire attack process primarily involved repeatedly exploiting a vulnerability by cyclically calling the flawed `borrow()` function, immediately followed by redeeming the loan through the `redeem()` function, and then transferring the tokens allocated as a referral bonus back to the attack contract.
On closer analysis of the `borrow()` function, it is observed that each call to this function resulted in the burning of a portion of MO tokens from the pool.
However, the amount of USDT loaned was calculated based on the price of the MO tokens in the pool. As the burning of MO tokens continuously increased their price, the attacker was able to borrow a large amount of USDT with only a small quantity of MO tokens.
Moreover, each borrowing action awarded a dividend reward to a referrer’s address, and the size of this reward was calculated based on the amount of MO tokens provided.
Since the referrer’s address was also controlled by the attacker (`0x96f004c81d2c7b907f92c45922d38ab870a53945`), the attacker was able to transfer the reward back after each loan transaction, thus amplifying the amount and rewards for subsequent loans.
Through these cyclic operations, the attacker was able to inflate the price of MO tokens significantly. Ultimately, with only a small amount of MO tokens, the attacker could borrow large sums of USDT from the contract and then exchange all the USDT in the now unbalanced pool for a profit.
Summary
The core of this attack was the exploitation of the `borrow()` function’s mechanism, where part of the tokens in the pool were burned, continually borrowing assets to inflate the price of the tokens in the pool and gaining referrer rewards. The attacker then transferred these tokens back to themselves to borrow again, thus continuously stacking rewards and manipulating prices. The SlowMist Security Team recommends that project developers include lock-up period restrictions in similar functional routines and consider a variety of factors when designing the lending price model to prevent similar incidents from occurring.
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.