Brief analysis of Zabu Finance being hacked

According to intelligence from the SlowMist Zone, on September 12, 2021, the Zabu Finance project on Avalanche suffered a flash loan attack.

  1. The attacker first created two attack contracts. Through attack contract 1, they swapped WAVAX for SPORE tokens on Pangolin and deposited the SPORE obtained into the ZABUFarm contract, positioning it to receive ZABU token rewards later.
  2. Using attack contract 2, the attacker borrowed SPORE tokens through a Pangolin flash loan and began repeatedly performing `deposit/withdraw` operations against the ZABUFarm contract with them. Because the SPORE contract charges a fee on every transfer, the amount of SPORE actually received by the ZABUFarm contract is less than the staking amount the attacker passed in. However, the ZABUFarm contract recorded the staking amount the user passed in rather than the amount of tokens the contract actually received, and on withdrawal it allowed the user to take out the full recorded stake. As a result, the ZABUFarm contract received fewer SPORE tokens from the attacker on each stake than it transferred back to the attacker on each withdrawal.
  3. The attacker exploited this accounting defect, caused by the incompatibility between the ZABUFarm contract and the SPORE token, to repeatedly drain the SPORE held by the ZABUFarm contract through `deposit/withdraw` operations until very little remained. The ZABUFarm contract calculates staking rewards by dividing the accumulated block rewards by the total amount of SPORE staked in the contract, so once the total SPORE in the contract was reduced to a very low value, the computed reward became enormous.
  4. The attacker then claimed a large amount of ZABU token rewards through attack contract 1, which had been staked in ZABUFarm earlier, and sold the ZABU tokens.

The root cause was the incompatibility between Zabu Finance's staking model and the SPORE token. Many attacks have been caused by issues of this kind. The SlowMist security team recommends that when a staking model integrates a deflationary token, it record the contract's actual token balance change before and after the transfer, instead of relying on the staking amount passed in by the user.
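The following toy model is an added example, not Zabu Finance's or SlowMist's code: a fee-on-transfer token is staked in a farm that credits the amount the user passed in (the defect described in steps 2 and 3) and, for comparison, in a farm that credits the balance delta (the recommended fix). The 2% fee, the balances and the reward denominator being the farm's actual token balance are constructed assumptions.

```python
# Added toy model (not Zabu Finance's code): a fee-on-transfer token staked in a
# farm that credits the passed-in amount (defect) versus the balance delta (fix).
from dataclasses import dataclass, field

FEE_BPS = 200  # constructed: 2% of every transfer is burned, like a deflationary token

@dataclass
class FeeToken:
    balances: dict = field(default_factory=dict)

    def transfer(self, src, dst, amount):
        assert self.balances.get(src, 0) >= amount, "insufficient balance"
        fee = amount * FEE_BPS // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - fee

@dataclass
class Farm:
    token: FeeToken
    credit_delta: bool  # False: record the passed-in amount; True: record what arrived
    staked: dict = field(default_factory=dict)

    def held(self):
        return self.token.balances.get("farm", 0)

    def deposit(self, user, amount):
        before = self.held()
        self.token.transfer(user, "farm", amount)
        credited = self.held() - before if self.credit_delta else amount
        self.staked[user] = self.staked.get(user, 0) + credited

    def withdraw(self, user, amount):
        assert self.staked.get(user, 0) >= amount, "over-withdraw"
        self.staked[user] -= amount
        self.token.transfer("farm", user, amount)  # pays out the recorded amount

    def pending_reward(self, user, accrued):
        # reward share = user's recorded stake / tokens actually in the farm;
        # this denominator shrinks as the pool is drained (assumed model)
        return self.staked[user] * accrued // max(self.held(), 1)

def simulate(credit_delta, rounds=5):
    tok = FeeToken({"alice": 1_000_000, "bob": 10_000_000})  # constructed balances
    farm = Farm(tok, credit_delta)
    farm.deposit("alice", 1_000_000)          # honest staker
    for _ in range(rounds):                   # repeated deposit/withdraw cycle
        farm.deposit("bob", tok.balances["bob"])
        farm.withdraw("bob", farm.staked["bob"])
    return farm.held(), farm.staked["alice"], farm.pending_reward("alice", 1_000)
```

With the defect, five cycles leave the farm holding 19,209 tokens against 1,000,000 recorded for the honest staker, inflating that staker's reward about 52x; with delta accounting the held and recorded amounts stay equal at 980,000 and the reward is unchanged.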

Reference:
Attack contract 1: 0x0e65Fb2c02C72E9a2e32Cc42837df7E46219F400
Attack contract 2: 0x5c9AD7b877F06e751Ee006A3F27546757BBE53Dd
Staking transaction: 0xf76b37ed46c218d4b791e9769b139c3e1f43d1888f37ff0a647c7a8bb58528fb
Attack transaction: 0x0d65ce5c7a0c072b14ec5da08488d07778f334a7ddb6b7a30df97f274f3e1eb3
Profitable transaction: 0x8b3042e55a63f39bb388240a089cf4d51e59abe7cb0bff303c6dbb19eaeb75ac

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.