Rho Markets Incident

On July 19th, Rho Markets — a Compound V2 fork on Scroll — was involved in an incident that led to the creation of $7.5mil in bad debt. The root cause of the vulnerability was the misconfiguration of the oracle for ETH, i.e., setting the address to a wrong price feed, at initialization time, and not a bug in the code. The price mis-alignment was quickly exploited by an MEV bot that observed the opportunity.

Fortunately, lost funds were returned due to the quick and coordinated efforts between the protocol team and SEAL 911 (of which we are also part). That being said, the willingness of the MEV Bot operator behind the incident to co-operate with the protocol and return the funds significantly sped up the recovery.

One may also read Rho Markets’ official statement [tweet | blog] on the incident, which does a great job of explaining the circumstances that led to the loss of funds.

Technical Details

The misconfiguration

Quoting Rho Markets’ incident report:

This issue occurred due to the erroneous configuration of the ETH oracle price feed to the BTC price feed. Normally, such settings are validated before any changes are implemented. However, due to a human error in overseeing the deployment process, this validation check was missed in the case of the oracle price.

The on-chain misconfiguration of the PriceOracleV2 contract occurred in this transaction: https://scrollscan.com/tx/0x9d2388a0c449c6265b968d86f0f54e75a5b82e2b04176e35eefdff5f135547ec#eventlog

Rho Markets Incident

As can be seen from the emitted event, the transaction has the effect of erroneously setting the oracle for the underlying asset at address(0) to be the WBTC/USD oracle.

Rho Markets Incident

At the time of the transaction, the configuration for the rWBTC token ( 0x1d7.. ) had not been set inside the oracle contract:

Rho Markets Incident

This is also evident by the fact that no calls to the PirceOracleV2‘s setRTokenConfig function had been performed, prior to the oracle update on block 7580111 and after rWBTC ’s deployment on block 7579842

Rho Markets Incident

The problem with setting the oracle for the asset at address(0) is that, as stated before, this address represents the underlying token of rETH (ETH) [ configuration of rETH ]

Rho Markets Incident

Which is a notion inherited from Compound’s semantics:

Rho Markets Incident

Screenshot depicting the configuration of ETH in Compound’s UniswapAnchoredView contract — the second address in the tuple is the underlying address

The consequences of the misconfiguration

At this point we can note that no contract code was vulnerable or broken, since the setter of the price oracle functioned as intended.

However, this misconfiguration alone was enough to enable the arbitrage opportunity that an MEV bot exploited. Since all ETH collateral would be priced at the value of WBTC —a 20X increase in the actual value of ETH— this allowed the bot to borrow more funds than one should normally get when using ETH as collateral (which lead to the creation of bad debt).

The MEV bot performed multiple transaction like this one: https://scrollscan.com/tx/0x0a7b4c6542eb8f37de788c8848324c0ae002919148a4426903b0fb4149f88f05

Rho Markets Incident

As one may see, the bot mints ~84 rETH

Rho Markets Incident

But it successfully manages to borrow ~942 wstETH which is then swapped into ETH

The total amount of bad debt that was created by this method ended up being ~7.5 million.

Return of funds

The war room set up with the protocol team and SEAL 911 was quick in gathering information on the attack and the operator of the MEV bot. However, the bot operator acted in good will and contacted the protocol team for the return of funds:

https://etherscan.io/tx/0xab7bc87fca7df222000b870fbe55750c33b3ea0461a8ba8a8ddbe530a1934248

https://scrollscan.com/tx/0xd9c2e4f0364b13ada759f2dd56b65f5025e70cce4373e7c57ac31bf5226023e0

Hello RHO team, our MEV bot have profited from your price oracle misconfiguration. We understand that the funds belong to users and are willing to fully return. But first we would like you to admit that it was not an exploit or a hack, but a misconfiguration on your end. Also, please provide what are you going to do to prevent it from happening again.

Funds were successfully returned at: https://scrollscan.com/tx/0x15da6af0207d82d27ca20a542dae1b81580ca1cbfee7028c312229968e356446

Takeaways

The incident highlights the importance of rigorously reviewing deployment procedures. Even when there are no smart contract vulnerabilities, protocols must ensure that updates do not break any invariants posed by the protocol’s complex modules.

We’d like to thank Rho Markets for their quick action and transparency on the issue, as well as all the members of SEAL 911 who also participated in the war room with us.

SEAL 911: A Few Lessons from the Frontlines 

SEAL 911

Today, I’d like to share my personal experience as a member of SEAL 911, the emergency hotline that assists Web3 projects in protecting their assets in case of hacks or malicious attacks.

I’ve been part of SEAL 911 since October 2023 and I witnessed:

  • Numerous vulnerability disclosures.
  • War rooms were set up to prevent the exploitation of live vulnerabilities or help protocols that were actively being exploited.
  • Many cases where individuals’ funds were stolen either because of investment scams, phishing attacks, or even drainer malware.

I had the opportunity to see many of the industry’s top security experts in action and gain useful insights. 

Aside from addressing code vulnerabilities, SEAL 911 can also provide significant assistance in the area of on-chain forensics. Although this requires considerable time and effort, members of SEAL have been able to track the movement of stolen funds and provide victims with helpful information to report to law enforcement authorities. By effectively coordinating with authorities, the victim can often freeze stolen funds and even identify the perpetrators of the malicious activities.

With the increase in cryptocurrency capitalization, bad actors will continue attempting to steal funds from users by exploiting code vulnerabilities, stealing users’ wallet information, or even tricking users into sending the funds themselves.  This poses a threat to the security of De.FI. As we have seen repeatedly, the most vulnerable group is non-tech-savvy regular users, so it is important to spread good operational security (op-sec) practices and fundamental cryptocurrency knowledge to the public. 

What is Security Alliance (SEAL)

Security Alliance (SEAL), established with the support of blockchain innovators, has rapidly become a key asset of Web3 security. Before its public debut on February 14, 2024, SEAL connected users, developers, and experts to offer free Web3 simulation exercises.

Seal’s goal is to improve the security of the blockchain and cryptocurrency system by supporting security researchers and removing barriers that could prevent them from taking immediate action to safeguard protocols. The initial members include security teams at Paradigm, a16z crypto, and Dedaub, who have played a key role in significant recovery efforts. Seal’s programs include rapid response, legal assistance, and developer security training.

The Security Alliance (SEAL) offers several initiatives to enhance security. These include SEAL 911, a 24/7 emergency response hotline, and SEAL Wargames team exercises designed to identify and address vulnerabilities. Additionally, the Whitehat Safe Harbor Agreement provides legal protection for white-hat hackers participating in fund rescues, and the Legal Defense Fund supports researchers dealing with legal challenges. SEAL operates as a US 501(c)(3) nonprofit organization with the mission to protect the decentralized internet. For more information, please visit the Security Alliance.

What is SEAL 911?

SEAL 911 is a 24/7 emergency hotline for incident response, vulnerability disclosures, and other security issues in blockchain and crypto. It provides immediate assistance to address security threats quickly, ensuring expert help is available to mitigate risks and prevent damage.  

  • Collaborative Defense: Working quickly with platform teams to temporarily pause contracts that have been hacked, when applicable.
  • Evolving Threats: Growing sophistication in cyberattacks requiring advanced strategies.
  • Rapid Response: Speed and coordination prevent losses and restore confidence.

What Are the SEAL Wargames?

SEAL conducts SEAL Wargames and red team exercises to help developers prepare for security incidents. These simulated attacks help identify weaknesses and improve defense strategies. Many developers have never experienced the high-intensity environment of a security incident before. It can be challenging to stay focused and productive when every second could potentially mean millions of additional dollars lost to attackers. The SEAL Chaos Team provides projects with the resources and training to respond to the worst-case scenarios.

Each wargame consists of two phases:

1. A tabletop exercise in which the Chaos Team presents hypothetical attack scenarios to project developers and notes potential weaknesses.

2. A simulated attack in which the Chaos Team exploits a vulnerability on a test network and challenges the project developers to set up an incident war room, triage the exploit, and remediate the situation.

Yannis Smaragdakis and I from the Dedaub Security search team are currently active members of SEAL 911.

Conclusion

As a member of SEAL 911, I have seen firsthand how critical our role is in securing the Web3 ecosystem. The collaborative efforts and rapid response capabilities we’ve developed are essential in combating the evolving threats in the crypto space. Working with some of the brightest minds in the field has been invaluable, and I’m proud to contribute to a safer, more resilient blockchain community.

Thestandard.io Exploit | A Thorough Analysis by Dedaub

Hello everyone, this is Yannis Bollanos, Security Researcher at Dedaub. A few days ago, we published a tweet about the thestandard.io exploit that took place on November 6th, 2023, which you can find here: https://twitter.com/dedaub/status/1734598398055981471.

The positive response from the X audience indicates a strong interest in the topic. As a result, I have decided to expand it into a blog post that can be used as a reference in the future.

Thestandard.io exploit occurred on November 6th, 2023, and according to Crypto.news, approximately 280K EUROs were at risk. Fortunately, most of the funds have been recovered, so this is a hack story with a happy ending.

After the excitement and tension of the moment subside, it is important to reflect on what happened and how we can prevent similar attacks in the future. It’s a great opportunity to re-emphasize that protocols should use defensive checks/assertions at every point their code interacts with a decentralized exchange (DEX).

The @thestandard.io protocol issues coins to users who open over-collateralized positions, helping the protocol’s assets maintain a stable value by adjusting liquidity provision by actual market rates.

In the @thestandard.io attack scenario, a SmartVault contract oversees the management of each user’s position, taking responsibility for adequately verifying the position’s liquidity. Users can issue coins by calling `mint`:

Thestandard_io Exploit | A Thorough Analysis by Dedaub

The SmartVault allows the exchanging of deposited collateral tokens through Uniswap’s V3 router (0xe592427a0aece92de3edee1f18e0157c05861564 on Arbitrum). Here is where things get interesting:

SmartVaultV2 – Arbitrum – Source code (0x2E9f9Cc46679DBb5D94a1397Bd922cA5F6dA99Cd) a smart contract deployed on Arbitrum.

One may inspect the source code in the (Dedaub) Contract Library for SmartVaultV2 – 0x2E9f9Cc46679DBb5D94a1397Bd922cA5F6dA99Cd. Below is the screenshot.

Thestandard_io Exploit | A Thorough Analysis by Dedaub

The things to note are:

  • With amountOutMinimum set to 0, the swap operation would succeed no matter the extent of the slippage incurred.
  • There were no other safeguards in place to ensure a fair exchange for the value provided in the contract.

This enabled the owner of the vault contract to initiate a swap on a pool that might have been maliciously ’tilted,’ allowing for an exchange at an arbitrarily different price from the market price.

There are two ways to profit from this:

  • (1) Utilize a flash loan and purposely sandwich the swap operation between a tilting and an un-tiling swap on the pool. This is a fairly typical attack pattern commonly used in exploits.

OR

  • (2) Have the swap operation occur on a pool, the liquidity of which (as well as the execution price) is entirely controlled by the attacker. This can be done only on freshly created pools or in pools with near-0 liquidity.

The attacker chose option (2) since a Uniswap V3 pool for PAXG-WBTC didn’t exist then. Here’s how everything is put together to form the attack:

Attack Transaction:

  1. The attacker creates the Uniswap v3 PAXG-WBTC pool
  2. The attacker flash borrows 10 WBTC ( and a tiny extra amount to provide as initial liquidity)
  3. The attacker provides 10 WBTC as collateral and mints as many EUROs as possible

One may inspect the relevant transaction in the (Dedaub) Contract Library for 0x51293c1155a1d33d8fc9389721362044c3a67e0ac732b3a6ec7661d47b03df9f – Arbitrum. Below is the screenshot.

Thestandard_io Exploit | A Thorough Analysis by Dedaub

The attacker provides liquidity to the PAXG/WBTC pool. WBTC and PAXG are at a 1:1 ratio within the tick range in which liquidity is minted. This is over-valuing PAXG by a lot.

The attacker swaps the deposited WBTC for PAXG, and the swap operation goes through the attacker-controlled pool. The vault is now under-collateralized, in terms of real value: the PAXG it obtained has much less value than the EUROs issued.

The attacker then burns all of his liquidity on Uniswap, and he notably receives ~9.9 WBTC. At this point, the attacker still holds the originally minted EUROs.

The attacker swaps 10k of his EUROs for USDCs. Some USDCs are then employed to obtain the few remaining WBTCs needed to repay the flash loan.

In the end, the attacker walks away with 280k EUROs and ~8.5k USDC.

Fortunately, the attacker has returned ~240k EUROs back to the protocol:

One may inspect the relevant transaction in the (Dedaub) Contract Library for 0xb08633c44d5f7c6fc10ad5685642c54e97900165bd1d64a1d003c99d1eec9a4b – Arbitrum. Below is the screenshot.

Thestandard_io Exploit | A Thorough Analysis by Dedaub

Thestandard.io Exploit | Key Learning

Smart Contract developers should not solely rely on assumptions about on-chain liquidity/asset prices. The code should consistently enforce these assumptions (within a reasonable deviation).