38 total views
The key to this attack is the combination of the re-entry problem caused by calling an external contract and Vault’s rebase mechanism. The attacker can get a huge profit distribution out of thin air through re-entry.
Original title: “Technical Analysis of Lightning Loan + Re-entry Attack, OUSD Loss 7 Million Dollars”
Written by: [email protected] 慢雾安全队
According to SlowMist Zone intelligence, on November 17, 2020, the Ethereum DeFi project OUSD suffered a lightning loan attack. The SlowMist safety team followed up and conducted relevant analysis as soon as possible. The following is a brief analysis of the attack by the SlowMist security team. A detailed analysis of the attack process will be released later. If you are interested, keep paying attention.
Origin Dollar (OUSD) was created by Origin Protocol (OUSD) and is a new type of ERC-20 stablecoin. When it is still in the wallet, it will automatically obtain competitive income from the DeFi protocol. OUSD is supported by the 1:1 ratio of other stable currencies such as USDT, USDC and DAI.
A brief analysis of the attack process
1. The attacker used dydx lightning loan to lend 70,000 ETH, and then exchanged it for USDT and DAI through Uniswap.
2. The attacker calls the mint function of the OUSD Vault. The Vault will first perform a rebase to distribute the accumulated rewards, and then transfer 7.5 million USDT from the attacker’s contract to the OUSD Vault. At this time, the OUSD contract will cast an equal amount of 7.5 million OUSD tokens to the attack contract, and finally settle the current income through allocate.
3. Before the attacker transferred 7.5 million, the value of Vault was approximately US$7018138. After the attacker transfers 7.5 million USDT, it will account for more than half of the total value of the Vault.
4. The attack contract then uses the mintMultiple function to pass in the DAI contract address and the address of the attack contract. It also performs a rebase first, distributes the previously accumulated income (including the 7.5 million USDT portion previously transferred), and then transfers it through transferFrom. The 20.5 million DAI of the attacked contract was transferred to the Vault. Then the transferFrom function of the attacking contract will be called, and the attacker will construct the logic of calling the mint function of the Vault contract again in the transferFrom function of the attacking contract to realize the reentry attack.
5. After transferring 20.5 million DAI in the previous step, call the mint function of Vault again through the transferFrom function of the attack contract. Since 2000 USDT passed in during reentry meets the conditions for judging whether to call rebase, a rebase will be performed at this time, and because rebase requires a difference between the total value of assets in the Vault and the total number of coins in OUSD to trigger. According to the original business scenario, the total value of the assets in the Vault is changed after the allocation is made to settle the income and then distributed through rebase. However, due to reentry , the minting operation was not performed through oUSD.mint first, and the attacker had transferred 20.5 million DAI into the Vault first, so the total value of assets in the Vault still increased, resulting in the total value of assets in the contract being greater than The total coinage of OUSD. Therefore, Vault will use the increased 20.5 million DAI as part of the revenue for rebase distribution. In step 3, since the attacker’s assets have accounted for more than half of the total value of the Vault, the attacker will get a profit distribution worth more than 10.25 million out of thin air.
6. Then, 2000 OUSD will be cast through oUSD.mint , and the income of 2000 USDT at the time of reentry will be settled through allocate (from the previous step, it can be seen that the 2000 USDT passed in by the attack contract is only to satisfy the condition of calling rebase and trigger the income distribution That’s it). After the re-entry, the 20.5 million DAI equivalent of OUSD tokens previously transferred will be minted through oUSD.mint.
7. In the end, the total value of the Vault is about 35.01 million U.S. dollars, but the value of the attacker’s possession is more than 38.25 million U.S. dollars. Therefore, the attacker uses most of the OUSD to go to the Vault for redemption operations, basically emptying the Vault, and the rest of the OUSD It is through the OUSD-USDT pool of Uniswap and Sushiswap that OUSD is exchanged for USDT to increase revenue.
to sum up
The key to this attack is the combination of the re-entry problem caused by calling external contracts and Vault’s rebase income distribution mechanism, which allows the attacker to obtain huge income distribution out of thin air through re-entry. In response to such situations, the SlowMist security team recommends that after checking the incoming assets, directly roll back the assets that are not in the whitelist, and use anti-reentry locks to avoid reentry attacks.
Reference attack transaction: