SlowMist believes that the core of this attack is to use the flaws in the Cream lending pool to obtain the price of collateral, maliciously raising the price of collateral, so that the attacker can borrow more tokens from the Cream lending pool.
Written by: Kong@ 慢雾安全队
According to news from the SlowMist Zone, on October 27, 2021, Cream Finance was attacked again, with a loss of approximately US$130 million. The SlowMist security team immediately intervened in the analysis and shared a brief analysis as follows.
Attack the core
The core of this attack is to use the flaws in the Cream loan pool to obtain the price of collateral, and malicious manipulation increases the price of its collateral, allowing the attacker to borrow more tokens from the Cream loan pool.
Attack details
First, the attacker borrowed 500 million DAI from DssFlash in a flash loan, and then mortgaged the 500 million DAI lent to the yearn yDAI pool to obtain approximately 450 million yDAI vouchers.
The attacker then adds the obtained yDAI tokens to the yDAI/yUSDC/yUSDT/yTUSD pool of Curve to add liquidity of a single currency to obtain the corresponding liquidity certificate. Then the attacker mortgaged the obtained vouchers to the yvWBTC pool to obtain yUSD vouchers in preparation for subsequent mortgages in the Cream crYUSD lending pool.
After that, the attacker began to pledge its yUSD voucher to Cream’s crYUSD loan pool. In order to expand its mortgage scale, the attacker loaned approximately 524,000 WETH from AAVE Flash Loan and mortgaged it to Cream’s crETH pool.
The attacker mortgaged a large amount of ETH in the crETH pool to make it have enough borrowing capacity to lend out all the yUSD in the crYUSD pool and re-pledged it to the crYUSD pool, and then expand in the form of leverage by revolving loans in the crYUSD pool The yUSD collateralized scale in the crYUSD pool is used to prepare for subsequent price manipulation and profitability.
Subsequently, in order to obtain yDAI/yUSDC/yUSDT/yTUSD 4Pool vouchers to manipulate the price, the attacker used about 1,873 ETH to exchange about 7.45 million USDC from Uniswap V3, and converted it into about 3.38 million DUSD tokens through Curve 3Pool .
Next, the attacker uses the obtained DUSD tokens to redeem the yDAI/yUSDC/yUSDT/yTUSD 4Pool voucher from YVaultPeak, and uses this voucher to retrieve yDAI/yUSDC/yUSDT/yTUSD tokens from the yUSD(yvWBTC) pool.
Then the attacker began to carry out the key operations of the attack. It transferred about 8.43 million yDAI/yUSDC/yUSDT/yTUSD tokens directly back to the yUSD pool. Since they were not mortgaged through normal mortgage operations, these 8.43 million The yDAI/yUSDC/yUSDT/yTUSD tokens are not separately accounted for, but are directly distributed to the holders of the yDAI/yUSDC/yUSDT/yTUSD voucher, which is equivalent to directly raising the price of their shares.
In crToken, because the price of its collateral was maliciously increased, the attacker’s mortgage of a large amount of yUSD could make it lend more funds, and finally the attacker lent all the other 15 pools of Cream. Next, we follow up the specific borrowing logic in Cream’s crToken lending pool.
From the cToken contract, we can see that the main loan check is in the borrowAllowed function:
We follow up the borrowAllowed function, and we can see that in line 427, it will check the sum of the asset value of all cTokens and the sum of the borrowed asset value corresponding to the account in the real-time state according to the getHypotheticalAccountLiquidityInternal function, and compare the asset value and borrowing of the cToken The sum of the Token value to determine whether the user can continue to borrow.
We follow up the getHypotheticalAccountLiquidityInternal function, we can find that the value of the collateral is obtained from line 886 oracle.getUnderlyingPrice.
We follow up the getUnderlyingPrice function of the oracle, and we can easily find that it will get the price through the getYvTokenPrice function of 150 lines of the token.
Continue to follow up with the getYvTokenPrice function. Since yvTokenInfo.version is V2, the price will be obtained through the pricePerShare function of yVault.
Following up on pricePerShare, we can find that it directly returns _shareValue as the price, and _shareValue calculates the price of a single share by dividing _totalAssets by the total number of shares in the contract (self.totalSupply). Therefore, the attacker only needs to manipulate _totalAssets to raise it to increase the price of a single share, thereby increasing the value of the attacker’s collateral to lend more other tokens.
We can check how _totalAssets is obtained. From line 772, we can clearly see that _totalAssets is the number of yDAI/yUSDC/yUSDT/yTUSD tokens directly taken from the current contract, and the amount of assets pledged in the strategy pool Added together. Therefore, by directly transferring yDAI/yUSDC/yUSDT/yTUSD tokens to the yUSD contract, the attacker can raise the share price and complete profit.
You can clearly see the changes before and after pricePerShare through Ethtx.info:
In the end, the attacker returned the flash loan and left the market after borrowing other pools.
Summarize
This attack is a typical use of lightning loans for price manipulation. Because Cream’s lending pool directly uses its pricePerShare interface when obtaining the share price of the yUSD pool, and this interface is to add the balance of the contract’s collateral to the amount of collateralized assets in the strategy pool. Divide the total number of shares to calculate the price of a single share. Therefore, the user can easily increase the price of a single share by directly transferring the collateral to yUSD, and finally allows the collateral in the Cream loan pool to lend more funds.
Attachment: Review of the previous two hacked Cream Finance analysis
Slow fog: A brief analysis of Cream Finance being hacked
The king ran into a pig teammate at the start-a brief analysis of Alpha Finance & Cream being hacked
Source link: mp.weixin.qq.com
Disclaimer: As a blockchain information platform, the articles published on this site only represent the author’s personal views, and have nothing to do with the position of ChainNews. The information, opinions, etc. in the article are for reference only, and are not intended as or regarded as actual investment advice.