SlowMist: Detailed Analysis of Opyn Contract Being Hacked (Released in 2020)

SlowMist
May 9, 2023

On August 5, 2020, the Opyn contract was hacked. After receiving the intelligence, the SlowMist security team conducted a comprehensive analysis of the attack.

Attack Details

Check out one of the attack transactions:

https://etherscan.io/tx/0xa858463f30a08c6f3410ed456e59277fbe62ff14225754d2bb0b4f6a75fdc8ad

Looking at the internal transactions shows that the attacker spent only 272 ETH and ended up with 467 ETH.

Use the OKO contract browser to analyze the specific attack details:

https://oko.palkeo.com/0xa858463f30a08c6f3410ed456e59277fbe62ff14225754d2bb0b4f6a75fdc8ad/

The key point is the exercise function of the oToken contract. From the figure above, we can see that USDC is sent to the attacker contract by calling transfer twice in the exercise function. Next, we step into the exercise function for a closer analysis:

The exercise function allows multiple vaultsToExerciseFrom to be passed in, and then calls the _exercise function in a for loop to process each vaultToExerciseFrom. Now we step into the _exercise function:

1. Line 6 of the code first checks whether the call is within the insurance period, which it naturally is.

2. Line 11 of the code checks whether vaultToExerciseFrom has created a vault. Note that this only checks whether a vault has been created.

3. Lines 14, 16, and 21 of the code check the incoming oTokensToExercise value. In the OKO browser above, we can see that the attacker passed in 0x1443fd000, which obviously passes these checks.

4. Next, line 28 of the code calculates the amount of ETH that needs to be consumed.

5. Lines 35 and 41 of the code calculate the quantity and handling fee to be paid.

6. Next, line 59 of the code checks whether the underlying is the ETH address; underlying is assigned on line 31 of the code above. Since isETH is true, execution enters the if branch rather than the else branch. Inside the if branch, both amtUnderlyingToPay and msg.value are user-controllable.

7. The function then burns oTokensToExercise and calls the transferCollateral function to transfer USDC to the caller of the exercise function.

The key points above are step 2 and step 6: the caller only needs to ensure that the vaultToExerciseFrom passed in has created a vault and that amtUnderlyingToPay equals msg.value. All of these parameters are under the caller's control, so the attack idea becomes apparent.

Idea verification

Let’s verify that this works as we thought through the attacker’s actions:

1. First of all, the call is certainly within the insurance period.

2. The vaultToExerciseFrom passed in by the attacker are:

0xe7870231992ab4b1a01814fa0a599115fe94203f

0x076c95c6cd2eb823acc6347fdf5b3dd9b83511e4

Both addresses were verified to have created a vault.

3. The attacker calls exercise, passing in oTokensToExercise as 0x1443fd000 (5440000000), msg.value as 272 ETH, and vaultsToExerciseFrom as the two addresses above.

4. Since the attacker previously created 0xa21fe800 (2720000000) oTokens, vault.oTokensIssued is 2720000000, which is less than 5440000000, so the else logic in the exercise function is executed. oTokensToExercise is then 0xa21fe800 (2720000000), so the check on line 60, msg.value == amtUnderlyingToPay, is definitely true.

5. Since vaultsToExerciseFrom passes in two addresses, the for loop will execute the _exercise function twice, so the transfer will transfer USDC to the attacker contract twice.

Complete Attack Process

1. The attacker uses the contract to first call the createERC20CollateralOption function of the Opyn contract to create an oToken.

2. The attack contract calls the exercise function and passes in the address of the created vault.

3. Call the _exercise function twice through the for loop logic in the exercise function.

4. The exercise function calls the transferCollateral function to transfer USDC to the function caller (because the for loop calls the _exercise function twice, the transferCollateral function will also be executed twice).

5. The attack contract calls the removeUnderlying function to transfer the previously passed ETH out.

6. In the end, the attacker got back the previously invested ETH and additional USDC.

Attack contract address

0xe7870231992Ab4b1A01814FA0A599115FE94203f

Opyn contract address

0x951D51bAeFb72319d9FBE941E1615938d89ABfe2

Attack transaction (Part 1)

0xa858463f30a08c6f3410ed456e59277fbe62ff14225754d2bb0b4f6a75fdc8ad

Suggestions

This attack mainly exploits a flaw in how the _exercise function checks whether vaultToExerciseFrom has created a vault. The check does not verify that vaultToExerciseFrom is the caller; it only checks that a vault has been created, so the attacker can pass in the address of any existing vault and pass the check.

1. When dealing with user-controllable parameters, an authorization check should be made, and vaultToExerciseFrom must be restricted to the caller.

2. The project team can add a contract pause function and an upgradeable model at the initial stage of the project, or until multiple rigorous security audits have been completed, so that the safety of the remaining funds can still be protected in the event of a black swan event.
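The following is an added example, not SlowMist's or Opyn's code: a simplified Python model of the checks described in steps 2 and 6 and in the idea verification, with the restriction from Suggestion 1 as an optional flag. The vault names, balances and the payout rate are constructed; the oToken-to-ETH ratio is the one implied by the article's figures, and oToken burning and fees are left out.

```python
from dataclasses import dataclass

OTOKENS_PER_ETH = 10_000_000  # implied by the page: 2720000000 oTokens <-> 272 ETH
COLLATERAL_PER_OTOKEN = 1     # constructed payout rate, not taken from the page

@dataclass
class Vault:
    oTokensIssued: int
    collateral: int           # constructed balance, in collateral units

def exercise(vaults, caller, msg_value, oTokensToExercise, vaultsToExerciseFrom,
             restrict_to_caller=False):
    """Simplified model of exercise/_exercise; ValueError stands in for a revert.
    Returns the collateral sent to the caller. oToken burning and fees are omitted."""
    paid_out = 0
    for owner in vaultsToExerciseFrom:
        if owner not in vaults:                      # step 2: only "was a vault created?"
            raise ValueError("no vault for this address")
        if restrict_to_caller and owner != caller:   # the article's Suggestion 1
            raise ValueError("vault does not belong to the caller")
        vault = vaults[owner]
        amount = min(oTokensToExercise, vault.oTokensIssued)
        oTokensToExercise -= amount
        amtUnderlyingToPay = amount // OTOKENS_PER_ETH
        if msg_value != amtUnderlyingToPay:          # step 6: same msg.value on every pass
            raise ValueError("msg.value != amtUnderlyingToPay")
        vault.oTokensIssued -= amount
        vault.collateral -= amount * COLLATERAL_PER_OTOKEN   # transferCollateral
        paid_out += amount * COLLATERAL_PER_OTOKEN
    return paid_out

def sample_vaults():
    # Constructed state: "caller" owns one vault, "other" is someone else's vault.
    return {"caller": Vault(2_720_000_000, 2_720_000_000),
            "other": Vault(5_000_000_000, 5_000_000_000)}

if __name__ == "__main__":
    args = ("caller", 272, 5_440_000_000, ["caller", "other"])
    vaults = sample_vaults()
    print("paid out:", exercise(vaults, *args), "other vault:", vaults["other"])
    try:
        exercise(sample_vaults(), *args, restrict_to_caller=True)
    except ValueError as err:
        print("rejected:", err)
```

In the unrestricted run, a single msg.value of 272 satisfies the comparison on both loop passes, so collateral leaves the second vault without any further ETH being paid; with the flag set, the second address is rejected before any payout from it.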

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.

Website: https://www.slowmist.com
Twitter: https://twitter.com/SlowMist_Team
Github: https://github.com/slowmist/
