Was the "theft" of $160,000 in assets a false alarm? A brief analysis of the Yeld.finance "flash loan attack" incident


The DeFi project Yeld.finance claimed that its DAI pool had been hit by a flash loan attack. Chengdu Lian'an's analysis of the transaction shows instead that the fund movement was caused by the project's own strategy (rebalancing) mechanism and had nothing to do with a flash loan attack.

Original title: "Was the theft of $160,000 in assets a false alarm? | Analysis of the Yeld.finance 'Flash Loan Attack' incident"
Written by: Chengdu Lian'an (Beosin)

Event overview

On February 27, 2021 (Beijing time), the Beosin Blockchain Security Situational Awareness Platform (Beosin-OSINT) picked up a public notice from Yeld.finance, a well-known DeFi project, stating that the project's DAI pool had suffered a flash loan attack. The original notice is at:

https://yeldf.medium.com/the-yeld-dai-earn-vault-has-been-hacked-93f27d475b1b

The Beosin security team immediately analyzed the transaction referenced in the notice (0x57b378f8d20d3945ab40cd62aa24063f375bcfc5693c2e788dc193ffa1a5cc3a). The analysis found that the transaction is a transfer of funds produced by Yeld.finance's own strategy mechanism and is unrelated to any flash loan attack. Flash loans do not have to take the blame this time.

Event analysis

Figure 1: Transaction information

As shown in Figure 1, the transaction is a call from the user 0xf0f225e0 to the deposit function of the contract 0xe780cab7ca8014543f194fc431e6bf7dc5c16762. It was confirmed that the 0xe780cab7 contract is the project's DAI pool (the yDAI vault). The transaction produced a total of six token transfers, denoted T1 to T6. So what caused each of these transfers? We walk through the code below.

Figure 2: Deposit function source code

Line 538 is what produces transfer T1: it moves the token (DAI) from the user to the yDAI contract. This is an ordinary token transfer, meaning the user deposited 9,377 DAI into the yDAI contract.

Lines 541-553 compute how many yDAI shares the user should receive for the DAI deposited into the yDAI contract, and line 554 mints them. This corresponds to transfer T2: the yDAI contract minted 9,306 yDAI to the user. (The share count is slightly lower than the DAI amount because each yDAI share is already worth slightly more than 1 DAI.)

Execution then enters the rebalance function on line 555; we analyze that function's logic next.

Figure 3: Source code of the rebalance function

Figure 4: The recommend function

Line 732 computes newProvider by calling the recommend function (Figure 4). recommend queries the IEarnAPRWithPool contract for the annual percentage rate (APR) of four lending platforms, dYdX, Compound, Aave and Fulcrum, and returns the one with the highest APR. The query result is shown in Figure 5:

Figure 5: recommend query results

The dYdX pool has the highest APR, so newProvider is set to dYdX. The pool's current provider is Aave, so newProvider differs from the current provider, execution enters the branch on line 736 and the internal function _withdrawAll is called.

Figure 6: _withdrawAll function source code

Line 778 redeems all of the DAI held in the Aave pool, which produces transfers T3 to T5. For the details, refer to the redeem-related code of the Aave contract (0xfC1E690f61EFd961294b3e1Ce3313fBD8aa4f85d); it is not covered here.

Finally, line 741 deposits the roughly 166,000 DAI withdrawn from Aave into the dYdX contract, producing transfer T6: 166,000 DAI is supplied to the dYdX pool.
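To make the deposit-then-rebalance flow above concrete, here is a small Python model of it, written for this analysis; it is not Yeld.finance's contract code. It models the steps the walkthrough describes: the deposit transfers DAI in (T1), shares are minted as amount * totalSupply / pool (T2), rebalance picks the provider with the highest APR, redeems everything from the old provider (the model collapses T3-T5 into one transfer) and supplies the whole balance to the new one (T6). All addresses, APRs and starting balances are constructed; the starting pool and supply are chosen so the share math reproduces the article's 9,377 DAI -> 9,306 yDAI figures, not taken from chain state. The net_flows / looks_like_extraction helpers show the triage check a responder would apply: in a profitable flash loan attack the caller's net balance in the drained asset is positive, whereas here the caller simply ends with less DAI and more yDAI while the vault's total assets grow by exactly the deposit.

```python
"""Model of a yearn-style 'earn' vault rebalance (added example, not Yeld.finance code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Transfer = Tuple[str, str, str, int]  # (token, from, to, amount)

USER = "0xf0f225e0"   # depositor, short form used in the article
VAULT = "0xe780cab7"  # yDAI vault, short form used in the article


@dataclass
class EarnVault:
    aprs: Dict[str, float]      # provider -> APR (constructed values)
    provider: str               # provider currently holding the pool
    balances: Dict[str, int]    # provider -> DAI held there
    total_supply: int           # yDAI shares outstanding
    shares: Dict[str, int] = field(default_factory=dict)
    idle: int = 0               # DAI sitting in the vault contract itself
    log: List[Transfer] = field(default_factory=list)

    def pool_value(self) -> int:
        """Total DAI under management (idle + supplied to providers)."""
        return self.idle + sum(self.balances.values())

    def recommend(self) -> str:
        """IEarnAPRWithPool-style choice: the provider with the highest APR."""
        return max(self.aprs, key=self.aprs.get)

    def deposit(self, user: str, amount: int) -> int:
        pool = self.pool_value()
        self.log.append(("DAI", user, VAULT, amount))          # T1: DAI in
        self.idle += amount
        # shares = amount * totalSupply / pool (1:1 for an empty vault)
        shares = amount if self.total_supply == 0 else amount * self.total_supply // pool
        self.log.append(("yDAI", "0x0", user, shares))         # T2: mint yDAI
        self.total_supply += shares
        self.shares[user] = self.shares.get(user, 0) + shares
        self.rebalance()
        return shares

    def rebalance(self) -> None:
        new = self.recommend()
        if new != self.provider:
            # _withdrawAll: redeem everything from the old provider (T3-T5 collapsed)
            amt = self.balances.pop(self.provider, 0)
            if amt:
                self.log.append(("DAI", self.provider, VAULT, amt))
                self.idle += amt
            self.provider = new
        if self.idle:
            # supply the whole idle balance to the chosen provider (T6)
            self.log.append(("DAI", VAULT, self.provider, self.idle))
            self.balances[self.provider] = self.balances.get(self.provider, 0) + self.idle
            self.idle = 0


def net_flows(log: List[Transfer]) -> Dict[Tuple[str, str], int]:
    """Net balance change per (token, address) over a transaction's transfers."""
    net: Dict[Tuple[str, str], int] = {}
    for token, src, dst, amt in log:
        net[(token, src)] = net.get((token, src), 0) - amt
        net[(token, dst)] = net.get((token, dst), 0) + amt
    return net


def looks_like_extraction(log: List[Transfer], caller: str, asset: str = "DAI") -> bool:
    """Crude triage: did the caller leave the tx holding more of the asset than before?"""
    return net_flows(log).get((asset, caller), 0) > 0


def simulate() -> Tuple[EarnVault, int, int]:
    """Constructed scenario: pool on Aave, dYdX now pays the best APR, user deposits."""
    vault = EarnVault(
        aprs={"DYDX": 0.081, "COMPOUND": 0.062, "AAVE": 0.074, "FULCRUM": 0.055},
        provider="AAVE",
        balances={"AAVE": 150_032},
        total_supply=148_896,
    )
    before = vault.pool_value()
    shares = vault.deposit(USER, 9_377)
    return vault, before, shares


if __name__ == "__main__":
    vault, before, shares = simulate()
    for i, t in enumerate(vault.log, 1):
        print(f"T{i}: {t}")
    print("minted:", shares, "provider now:", vault.provider)
    print("pool grew by deposit:", vault.pool_value() - before)
    print("caller extracted value:", looks_like_extraction(vault.log, USER))
```

The large provider-to-provider movement appears in the log only because the strategy switched providers on this deposit; a deposit made while dYdX was already the best provider would produce just the deposit, the mint and a single supply transfer.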

That is the whole transaction. All six transfers are accounted for by the deposit and the strategy's rebalance; none of them is a loan being taken out or repaid, and the caller simply ends up holding yDAI in exchange for the DAI deposited. The so-called "flash loan attack" was a false alarm: a user deposited some DAI, which happened to trigger Yeld.finance's rebalancing strategy. It was not a flash loan attack but a blunder.

It is worth noting that dYdX, which has supplied the flash loans in a number of earlier attacks, played an entirely honest role in this incident: it was merely the lending pool that received the rebalanced funds.

Security advice

Although the Chengdu Lian'an (Beosin) security team judged this incident to be a false alarm, project teams should still be reminded to keep security in mind in their day-to-day work and to stay alert to, and guard against, genuine flash loan attacks.

At the same time, as a blockchain security company committed to the security of the ecosystem, Chengdu Lian'an (Beosin) advises that project teams must not take security early-warning mechanisms and security hardening lightly, and should engage professional third-party security companies to build one-stop security solutions that cover the whole project lifecycle.

Source link: mp.weixin.qq.com

Disclaimer: As a blockchain information platform, the articles published on this site only represent the author’s personal views and have nothing to do with ChainNews’ position. The information, opinions, etc. in the article are for reference only, and are not intended as or regarded as actual investment advice.
