Overview
On June 10, 2023, the Atlantis Loans platform fell victim to a smart contract hack, exploiting a governance vulnerability. The hack resulted in a substantial financial loss of approximately $1M USD.
Hack Details:
Attacker address:
https://bscscan.com/address/0xEADe071FF23bceF312deC938eCE29f7da62CF45b
Attack Transaction:
https://bscscan.com/tx/0x3b0df86f548946d9dda9fb4177ae27bf33f06315c73ea50945ab9e53a041d7e1
Malicious contract:
https://bscscan.com/address/0x613cc544053812ab026d60361212cdb67b46f42f
Chronological Events and Mechanism of the Attack
Status Before June 7
Atlantis Loans was abandoned by its developers in early April. This absence resulted in a lowered guard against potential threats.
The platform’s UI was paid up for two years, and only governance mechanisms could implement changes.
An attack attempted on April 12 failed due to insufficient votes.
The attacker published and then voted through proposal 52, targeting the GovernorBravo contract. This proposal was designed to give them administrative control over the token’s proxy contract.
GovernorBravo, by design, only verified the eta parameter (unlock time) during the proposal queue, a flaw that was exploited.
June 10 (Main Attack Launched)
Hack Txn: https://bscscan.com/tx/0x3b0df86f548946d9dda9fb4177ae27bf33f06315c73ea50945ab9e53a041d7e1
Post 172,800 seconds (2 days) of lockup:
- The attacker successfully navigated the waiting period.
- They subsequently altered the existing contract logic, embedding a backdoor within their malicious contract:
0x613cc544053812ab026d60361212cdb67b46f42f.
Funds Stolen
Using the backdoor, the attacker siphoned tokens from addresses with active smart contract approvals tied to Atlantis contracts, directing these to their own wallet. This was enabled largely by the “approvals” users had granted.
Vulnerabilities and Root Cause Analysis
- Governance Oversight:
A primary flaw lies in Atlantis Loans’ governance structure. Exploiting theGovernorBravocontract, which only focused on theetaparameter was pivotal. - Smart Contract Approvals:
By granting permissions, users inadvertently jeopardized their own assets. Such approvals meant tokens could be accessed and redirected in an unauthorized manner. - Abandoned Project Oversight:
The lack of active oversight and monitoring due to the project’s abandonment provided an opportunity for the attacker. The passage of proposal 52 without contention is reflective of this void. - Historical Precedents:
Platforms like Beanstalk and Swerve had faced similar threats. These incidents should’ve served as a cautionary tale about vulnerabilities inherent in smart contract governance, especially with decreased monitoring.
Contracts at Risk
Following is the list of contracts that were potential targets in this hack, and users were advised to revoke permissions for these contracts:
| 0x7c0697155617b7a797cb7517d483dbbdb17089cf = ALT | 0x24ce0e8a115b850dd9f8f28125534f102059a307 = ZIL |
| 0x4e9bF21Ce718Dde4be2E0F5b167181b8AdAd12F6 = ETH | 0xd47084cc0e974e5b88958fca5fafb7f7726c4058 = VAI |
| 0x1e3C741e1d94b88871dCE2A9b55CC2b2b10AD04f = MDX | 0x24ce0E8a115b850DD9f8f28125534f102059A307 = aZIL |
| 0x350bD6EFE303F5D6E10bD9e9d6347bc4a3E708c0 = GMT | 0xd47084cC0e974e5B88958FCA5FaFB7f7726C4058 = aVAI |
| 0x2C5056167cb2797a7D82996800F896D4F0684343 = DOT | 0x7c0697155617b7A797CB7517d483DbBdB17089CF = aATL |
| 0x5c81c0f55A15Dbc97749A83c843044702768A2A2 = XVS | 0x6A3EbE48a297a61048ddbeB0eF62da4E35eF11f2 = C98 |
| 0x2F4ba3A96B9B5b660C78310FddE4987c09a2eEba = WOO | 0x8DF3719eB4C9F17ecF30bA298CC2Da7c88162894 = TRX |
| 0x14f235Bb338804D194679BEF1eD7F619F4fE684F = ATOM | 0x20c7E6eb3FaB3990A0DB8b2EEd57FF7d799603f9 = AVAX |
| 0x02A7dE4598DA1F18CB6AB85D342b4688FEC66E6B = AXS | 0x96FfC0C6e91FD65460Bd1dd180500fA5bDa11940 = XTZ |
| 0xC182Ea25C72cE276F80748497775499059F6c74e = XRP | 0x26458660BC2f9112e43De7f0DAE003298c6a6DC4 = SOL |
| 0xd7C38eb724a4610A9fB78F3f9F6C400577e30AC2 = CAKE | 0x558B96Ee93Ea9C7ec9839BEAfab641d75F94E9a3 = USDC |
| 0x219db7E6F8A609645E8559F8553A48C6e6b17f57 = ADA | 0xfEAd9619e88464e5aD1Ea9Df458dcc147F03ea0C = USDT |
| 0xCc7Fc8666F6e62cB44aa781de841eE6Be3BbE54c = LINK | 0x788A791FF9641A5e1fF3596487b120c348bE1Db3 = DAI |
| 0x59123a930E52b52EdB27F91135253331F36cd87c = BTC | 0x0503FEaa5854E55E5607e40371e2a1b0d1B9df7F = BUSD |
| 0xe7e304f136c054ee71199efa6e26e8b0dae242f3 = ALT |
Historical Context
- Beanstalk suffered a flash loan-enabled governance attack in the previous year, leading to a loss of $181M.
- Swerve, a Curve-clone, faced an unsuccessful attack via governance in March. This attack would have transferred $1.3M from a liquidity pool had it succeeded.
Mitigation and Best Practices
- Access Control: Be vigilant when assigning administrative privileges within contracts. Implement robust access control mechanisms.
- Multi-signature Schemes: These require multiple entities to approve significant actions, reducing the potential for a single point of compromise.
- Regular Audits: Ensure smart contracts are frequently audited by professionals to check for logical vulnerabilities.
- Revoke Old Approvals: Users should be proactive in revoking permissions to old or unused contracts to prevent unauthorized access.
- Monitoring Governance: Even if projects are discontinued, governance processes should be monitored to prevent malicious activities.
Conclusion
The Atlantis Loans hack sheds light on the intricate vulnerabilities present within smart contracts, especially those associated with governance.
While the technology behind smart contracts offers a plethora of benefits, it is paramount to continually evaluate, update, and monitor these contracts to ensure the security of users and the platform.