{"id":10271,"date":"2022-11-12T10:20:00","date_gmt":"2022-11-12T10:20:00","guid":{"rendered":"https:\/\/www.trustrecipe.in\/?p=10271"},"modified":"2023-12-01T11:29:07","modified_gmt":"2023-12-01T11:29:07","slug":"dfx-finance-hack-nov-10-2022-detailed-analysis","status":"publish","type":"post","link":"https:\/\/immunebytes.com\/blog\/dfx-finance-hack-nov-10-2022-detailed-analysis\/","title":{"rendered":"DFX Finance Hack\u00e2\u20ac\u201dNov 10, 2022\u00e2\u20ac\u201dDetailed Analysis"},"content":{"rendered":"\n

Overview<\/h3>\n\n\n\n

On the 10th of November, 2022, DFX Finance, operating on an Ethereum-based protocol with the attack manifesting on the Polygon network, fell victim to a security breach involving a flash loan attack<\/a> that exploited missing reentrancy protection. <\/p>\n\n\n\n

The assailant executed a sophisticated scheme, siphoning off assets exceeding $7 million in value. Of this sum, the perpetrator directly appropriated $4.3 million while an opportunistic MEV bot front-ran<\/a> the transaction, intercepting around $3.2 million. <\/p>\n\n\n\n

The exploit underscores a critical vulnerability within the smart contract’s design, emphasizing the necessity for rigorous security measures in decentralized finance protocols.<\/p>\n\n\n\n

About DFX Finance<\/strong><\/h3>\n\n\n\n

DFX Finance is a Decentralized Exchange (DEX) protocol that operates on the Ethereum blockchain, catering specifically to fiat-backed stablecoins and leveraging real-world FX price feeds to optimize trades. <\/p>\n\n\n\n

It utilizes dynamically tuned bonding curves to facilitate trading, ensuring price efficiency for stablecoin transactions. While specific statistics and notable clients were not provided, DFX has established a reputation in the cryptocurrency space for enabling efficient stablecoin trading.<\/p>\n\n\n\n

Root Cause of the Hack<\/h3>\n\n\n\n

The primary reason for the hack was a missing reentrancy guard<\/a> in the flash loan function. Due to this vulnerability, the contract incorrectly recognized the flash loan as repaid when, in fact, the attacker had only redeposited borrowed funds.<\/p>\n\n\n\n

Attack Flow<\/h3>\n\n\n\n

Initiation of the Attack<\/h4>\n\n\n\n

The attack on DFX Finance commenced with the exploiter leveraging the protocol\u00e2\u20ac\u2122s flash loan function. This maneuver involved borrowing USDC and XIDR stablecoins and then re-depositing them into the liquidity pools, thereby manipulating the protocol into falsely acknowledging the loan as repaid.<\/p>\n\n\n\n

Execution of the Flash Loan Exploit<\/h4>\n\n\n\n

Calling the viewDeposit() Function: The attacker began by interacting with the \u00e2\u20ac\u0153usdc-xidr\u00e2\u20ac\u009d pair contract\u00e2\u20ac\u2122s viewDeposit() function, which calculates the required amount of USDC and XIDR tokens and mints corresponding lptokens.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
Borrowing and Redepositing<\/strong><\/h5>\n\n\n\n

Enough USDC and XIDR were borrowed and then redeposited back into the contract. This was facilitated through the deposit() method, which then invoked the ProportionalLiquidity.proportionalDeposit() function, registering the attacker\u00e2\u20ac\u2122s LP token and placing the borrowed funds back into the pool.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
Bypassing Flash Loan Checks<\/h5>\n\n\n\n

The contract was tricked into believing the loan was settled as there was no outstanding amount under the attacker’s address, allowing the bypass of transaction pair checks.<\/p>\n\n\n\n

Withdrawal of Funds<\/h5>\n\n\n\n

The attacker then executed the withdraw() function, destroying the lptoken and seizing the USDC and XIDR tokens.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Re-entrancy and Emergency Withdrawal<\/h3>\n\n\n\n

The withdraw function\u00e2\u20ac\u2122s re-entrancy protection was ineffective since the flash loan appeared complete, yet the attacker\u00e2\u20ac\u2122s lptokens remained in the lending contract.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This allowed the attacker to repeatedly call the emergencyWithdraw() function, withdrawing all deposited tokens.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

MEV Bot Intervention<\/h3>\n\n\n\n

Front-Running Transaction<\/h4>\n\n\n\n

An MEV bot intervened during the attack, executing a front-running transaction and siphoning approximately $3.2 million from the transaction flow. This unexpected development resulted in the attacker losing a significant portion of the stolen funds.<\/p>\n\n\n\n

In an interesting turn, DFX Finance reached out to the MEV bot owner, requesting the return of the front-run funds.<\/p>\n\n\n\n

Attack Txn: <\/strong>https:\/\/etherscan.io\/tx\/0x390def749b71f516d8bf4329a4cb07bb3568a3627c25e607556621182a17f1f9

Attacker\u00e2\u20ac\u2122s Address:<\/strong> https:\/\/etherscan.io\/address\/0x14c19962e4a899f29b3dd9ff52ebfb5e4cb9a067<\/p>\n\n\n\n

Attacker Contract:<\/strong> https:\/\/etherscan.io\/address\/0x6cfa86a352339e766ff1ca119c8c40824f41f22d#code

MEV Bot Address & transaction<\/strong>:
https:\/\/etherscan.io\/address\/0x6c6b87d44d239b3750bf9badce26a9a0a3d2364e

MEV Bot\u00e2\u20ac\u2122s wallet address:<\/strong> https:\/\/etherscan.io\/address\/0xfde0d1575ed8e06fbf36256bcdfa1f359281455a

Unconventional ordering transaction Block:<\/strong> https:\/\/etherscan.io\/block\/15941904

MEV Bot & wallet transaction address analysis: <\/strong>https:\/\/etherscan.io\/address\/0xfde0d1575ed8e06fbf36256bcdfa1f359281455a<\/p>\n\n\n\n

DFX Finance Code: <\/strong>https:\/\/etherscan.io\/token\/0x888888435fde8e7d4c54cab67f206e4199454c60#code<\/p>\n\n\n\n

Stolen Fund Details<\/h3>\n\n\n\n

The attacker could only transfer $4.3 million worth of assets into their wallet. The remaining portion\u00e2\u20ac\u201cabout $3.2 million\u00e2\u20ac\u201c was extracted by an MEV bot in a front-running transaction, also called a sandwich attack<\/a>.<\/p>\n\n\n\n

Hack Aftermath<\/h3>\n\n\n\n

DFX Finance had confirmed the breach, noting that they were alerted to unusual activities within 20\u00e2\u20ac\u201c30 minutes after the initial transaction. In response, they swiftly suspended all DFX contracts minutes after validating the attack.<\/p>\n\n\n\n

Furthermore, the DFX team has acknowledged the involvement of an MEV bot in the incident. This bot managed to divert a substantial amount of funds from the hacker. The team is currently seeking communication with the bot’s owner.<\/p>\n\n\n\n

In addition to these developments, the team had raised concerns about the vulnerability of Polygon contracts<\/a> to similar exploits. Consequently, they are proceeding with an urgent shutdown of these pools and plan to publish a detailed analysis of the attack in an upcoming postmortem report.<\/p>\n\n\n\n

Mitigation Steps to Avoid Such Hacks<\/h3>\n\n\n\n

To avoid such re-entrancy attacks, the following measures could have been implemented:<\/p>\n\n\n\n