Brief analysis of Zabu Finance being hacked

According to intelligence from the SlowMist Zone, on September 12, 2021, the Zabu Finance project on Avalanche suffered a flash loan attack.

  1. The attacker first created two attack contracts, then swapped WAVAX into SPORE tokens on Pangolin through attack contract 1 and deposited the SPORE tokens into the ZABUFarm contract, in preparation for collecting ZABU token rewards later.
  2. Using attack contract 2, the attacker borrowed SPORE tokens via a Pangolin flash loan and began performing `deposit/withdraw` operations with them in the ZABUFarm contract. Since the SPORE contract charges a fee on every transfer, the amount of SPORE actually received by the ZABUFarm contract is less than the staking amount the attacker passed in. However, the ZABUFarm contract recorded the staking amount passed in by the user rather than the number of tokens the contract actually received, and on withdrawal it let the user take out the full recorded amount. As a result, the SPORE the ZABUFarm contract actually received from the attacker on each stake was less than the SPORE it transferred back to the attacker on each withdrawal.
  3. The attacker exploited this accounting defect, caused by the incompatibility between the ZABUFarm contract and the SPORE token, by repeating the `deposit/withdraw` cycle until the SPORE balance held by the ZABUFarm contract had been drained to a very low value. The staking reward in the ZABUFarm contract is calculated by dividing the accumulated block rewards by the total amount of SPORE staked in the contract, so once that total is reduced to a very low value the reward per staked token becomes enormous.
  4. Through attack contract 1, whose stake had been prepared in step 1, the attacker claimed a large amount of ZABU token rewards from ZABUFarm and then sold the ZABU tokens.

The attack was caused by the incompatibility between Zabu Finance's staking model and the SPORE token. There have been many attacks caused by issues of this kind. The SlowMist security team recommends that when a staking model is connected to a deflationary (fee-on-transfer) token, the contract should record the actual change in its token balance before and after the transfer, instead of relying on the staking amount passed in by the user.
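The example below is added here to illustrate both the accounting defect described in steps 2 and 3 and the recommended fix; it is not code from Zabu Finance, SPORE or SlowMist. The token, the two farm contracts and the 3% fee are constructed for illustration and do not reproduce the real SPORE or ZABUFarm logic.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. FeeToken, VulnerableFarm, HardenedFarm
// and the FEE_BPS value are constructed assumptions for illustration only.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address owner) external view returns (uint256);
}

// Minimal fee-on-transfer ("deflationary") token: every transfer burns a fee,
// so the recipient receives less than the amount the sender passed in.
contract FeeToken is IERC20 {
    uint256 public constant FEE_BPS = 300; // hypothetical 3% transfer fee
    mapping(address => uint256) public override balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function _move(address from, address to, uint256 amount) internal {
        uint256 fee = amount * FEE_BPS / 10_000;
        balanceOf[from] -= amount;       // reverts on underflow in 0.8.x
        balanceOf[to] += amount - fee;   // the fee is burned, not forwarded
    }

    function transfer(address to, uint256 amount) external override returns (bool) {
        _move(msg.sender, to, amount);
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external override returns (bool) {
        allowance[from][msg.sender] -= amount;
        _move(from, to, amount);
        return true;
    }
}

// Vulnerable pattern: credits the staker with the amount passed in, not the
// amount the contract actually received. Each deposit/withdraw cycle pays out
// the full recorded amount although only (amount - fee) ever arrived, so the
// pool's real balance shrinks on every cycle.
contract VulnerableFarm {
    IERC20 public immutable stakeToken;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;

    constructor(IERC20 token) { stakeToken = token; }

    function deposit(uint256 amount) external {
        stakeToken.transferFrom(msg.sender, address(this), amount);
        staked[msg.sender] += amount;   // defect: over-credits by the transfer fee
        totalStaked += amount;
    }

    function withdraw(uint256 amount) external {
        staked[msg.sender] -= amount;
        totalStaked -= amount;
        stakeToken.transfer(msg.sender, amount); // sends more than was received
    }
}

// Hardened pattern (the fix recommended above): measure the contract's balance
// before and after the incoming transfer and credit only the difference, so the
// recorded stake can never exceed the tokens the contract actually holds.
contract HardenedFarm {
    IERC20 public immutable stakeToken;
    mapping(address => uint256) public staked;
    uint256 public totalStaked;

    constructor(IERC20 token) { stakeToken = token; }

    function deposit(uint256 amount) external {
        uint256 before = stakeToken.balanceOf(address(this));
        stakeToken.transferFrom(msg.sender, address(this), amount);
        uint256 received = stakeToken.balanceOf(address(this)) - before;
        staked[msg.sender] += received; // credit what arrived, not what was sent
        totalStaked += received;
    }

    function withdraw(uint256 amount) external {
        staked[msg.sender] -= amount;
        totalStaked -= amount;
        stakeToken.transfer(msg.sender, amount); // the user bears the outgoing fee
    }
}
```

With the constructed 3% fee, a deposit of 100 into VulnerableFarm leaves the contract holding 97 while crediting the staker with 100; the matching withdrawal then moves 100 out, so the pool loses 3 tokens per cycle and, repeated enough times, its real SPORE balance approaches zero. Since the post describes rewards as block rewards divided by the SPORE held by the farm, that drained balance is what inflates the per-token reward. HardenedFarm credits only the measured balance delta, so its accounting and its holdings stay consistent regardless of what the token does on transfer. A practical review check for any staking or vault contract is therefore: does `deposit` trust `amount`, or does it trust `balanceOf` before and after the transfer?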

Reference:
Attack contract 1: 0x0e65Fb2c02C72E9a2e32Cc42837df7E46219F400
Attack contract 2: 0x5c9AD7b877F06e751Ee006A3F27546757BBE53Dd
Staking transaction:
0xf76b37ed46c218d4b791e9769b139c3e1f43d1888f37ff0a647c7a8bb58528fb
Attack transaction:
0x0d65ce5c7a0c072b14ec5da08488d07778f334a7ddb6b7a30df97f274f3e1eb3
Profitable transaction:
0x8b3042e55a63f39bb388240a089cf4d51e59abe7cb0bff303c6dbb19eaeb75ac
