Analysis Review of Team Finance Exploit
On October 27,2022, the Team Finance project was attacked, resulting in the loss of around $14.5 million in tokens. The SlowMist security team investigated this event and came to the following conclusions:
Contract deployed by the attacker
The contract does not verify the consistency of the migrated and locked tokens. While the remaining tokens will be refunded by the migration algorithm, the attacker can lock an arbitrary token to migrate an LPtoken that does not belong to the attacker in the contract.
- The attacker first passes the transaction 0xe8f17ee00906cd0cfb61671937f11bd3d26cdc47c1534fedc43163a7e89edc6f constructed the lockedToken data of 4 fake tokens.
2. The attacker increases the lockedToken’s lock time. As you can see, the attacker’s preparations have been completed, and these preparations are primarily intended to circumvent the limit judgment of migrate.
3. Through the attacking contract, the attacker invokes the Pool’s migrate function. The incoming parameters indicate that the tokens transferred by the attacker are inconsistent with the token locked by the attacker, which is the root cause of the contract being attacked.
4. Analyzing the parameters reveals that the incoming pair does not match token0 and token1, and because the incoming noLiquidity is true, the v3Migratorv3Migrator.createAndInitializePoolIfNecessary call is made and will generate a false token for the WETH V3 Pool.
5. The newly created contract Pool price sqrtPriceX96 is passed in externally, however, this isn’t the primary reason for this attack. The most critical aspect of this attack is the use of v3Migrator.migrate (params). This function’s purpose is to carry out the migration logic from Uni V2 to Uni V3. The reasoning is as follows:
6. The LP of V2 will be burned in v3Migrator.migrate(params), and the remaining liquidity will be added to the V3 pool according to the migration ratio and transferred back to the migrator. The attacker’s migration ratio is 1, so after the migration is complete, there are still 99% of WETH and 100% of FEG (because fake tokens and WETH are added to increase liquidity), and the logic will transfer the remaining tokens back to the user who performed the migration. As a result, the attacker profits illegally by migrating LPs that do not belong to him.
7. Although the parameters of calling the migration show that the incoming token0, token1, and Pair are the same in the second attack, the root cause of this contract being attacked is that the attacker in the migration function was able to lock any contract. The token migrates the contract’s existing LP. Despite the fact that the incoming token matches the pair parameter, the attacker still burns the USDC-CAW LPToken that does not belong to him by calling v3Migrator.migrate(params), where the number of migrations is only 1%. Therefore, the remaining tokens from the migration are obtained by the attacker.
8. Finally, the attacker uses the same method to take away the LPs of USDC-TSUKA and WETH-KNDX and leave with the stolen funds.
The Team Finance white hat hacker address has returned $13.4 million in digital assets as of this writing.
The root cause for this attack is that the migration function does not verify the token locked by the user and the token of the migration operation. As a result, as long as any token is locked, a migration operation on the contract’s LP can be performed, and the migration of the number is also externally specified. The SlowMist’s Security Team advises that any parameters passed in externally be thoroughly checked to ensure that users can only access their own assets.