1 Introduction
On March 31, 2022, Beijing time, Zhichuangyu Blockchain Security Lab detected that the lending platform Ola_finance was attacked by a reentrancy attack. Hackers stole 216964.18 USDC, 507216.68 BUSD, 200000.00 fUSD, 55045 WETH, 2625 WBTC and 1240,000.00 FUSE , about $4.67 million.
2. Analysis
One of the attack incidents is shown in the figure below. The problem of this attack incident is the incompatibility between Ola.finance and ERC677 tokens. The built-in callback functions of these tokens are used by attackers to carry out re-entry attacks to exhaust the loan pool.
All attack events are as follows:
20 WBTC + 100 WETH stolen: https://explorer.fuse.io/tx/0xe800f55fe6c81baba1151245ebc43692735d4019107f1f96eeb9f05648c79938/token-transfers
100 WETH stolen: https://explorer.fuse.io/tx/0xb8ef2744647027047e383b6cdd660a950b4f6c6bbbc96378ef1e359b4369ffc1/token-transfers
100 WETH stolen: https://explorer.fuse.io/tx/0xff4fa726d0967bda03124fb71d58f0aa32d8132029804cdcf0c517761f4acd74/token-transfers
100 WETH stolen: https://explorer.fuse.io/tx/0xf06a9b830dc2577e62016df45ee6f824d9112d32d3f66f4e1e31639d15a3812d/token-transfers
100 WETH stolen: https://explorer.fuse.io/tx/0xb535823c71bf753e6468e40ce009f00ab473e716900417719377a0c50892816f/token-transfers
52.094 WETH stolen: https://explorer.fuse.io/tx/0xf1ac951de9eda1be73fd99adf9cca902b0ff28515ec3061b487e52cf352f5b6a/token-transfers
6.246 WBTC stolen: https://explorer.fuse.io/tx/0x719ec16e785463adf78e8ebf32286f837f7546e4301d9bce620da08af435bb3a/token-transfers
216964.176 USDC stolen: https://explorer.fuse.io/tx/0x0df8dce11993a2efff59a416aa967b64b9ebe0ab66f996cfdb41a463b952dd86/token-transfers
507216.676 BUSD stolen: https://explorer.fuse.io/tx/0x1b3e06b6b310886dfd90a5df8ddbaf515750eda7126cf5f69874e92761b1dc90/token-transfers
200000 fUSD stolen (collateral stolen after borrowing): https://explorer.fuse.io/tx/0x17883e8a1bcfc85b80f00f8faa730f2da17b1d9fe48c1922c05e51a1a9e01a2c/token-transfers
1240000 FUSE stolen (collateral stolen after borrowing): https://explorer.fuse.io/tx/0x8223170a722eba6d4583845f377ba5f353e8e589d0d16b6a4fb0a2feaad94a8c/internal-transactions
2.1 Basic information
Attack contract: Contract1: 0x632942c9BeF1a1127353E1b99e817651e2390CFF Contract2: 0x9E5b7da68e2aE8aB1835428E6E0c83a7153f6112
Attacker address: 0x371D7C9e4464576D45f11b27Cf88578983D63d75
Attack tx: 0x1b3e06b6b310886dfd90a5df8ddbaf515750eda7126cf5f69874e92761b1dc90
Vulnerable contract: 0x139Eb08579eec664d461f0B754c1F8B569044611
2.2 Process
The attacker's attack process is as follows:
1. The attacker transfers 550.446 WETH from the attack contract 0x6392 to another attack contract 0x9E5b.
-
The attacker deposits 550.446 WETH to the cETH contract 0x139Eb08579eec664d461f0B754c1F8B569044611 and obtains minted 27284.948 oWETH.
-
With 27284.948 oWETH, the attacker can lend 507216.676 BUSD from the cBUSD contract 0xBaAFD1F5e3846C67465FCbb536a52D5d8f484Abc.
4. The attacker calls the callback function during the transfer of BUSD to the attack contract 0x9E5b, transfers 27284.948 oWETH to the attack contract 0x6329, and transfers 507216.676 BUSD to the attack contract 0x6329 after borrowing.
5. Attack contract 0x6329 and redeem 27284.948 oWETH to get 550.446 WETH.
2.3 Details
The main problem of this attack occurred in the third and fourth steps of the above process.
Since the transferAndCall function exists in the ERC677 token, external calls can be made (for details, please refer to https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58/contracts).
During the transfer of BUSD from oBUSD to the attack contract 0x9E5b, call a callback function in the attack contract 0x9E5b to transfer oWETH from the attack contract 0x9E5b to the attack contract 0x6329 (at this time, the loan balance of the attack contract 0x9E5b has not been updated), borrow After the BUSD is withdrawn, it is also transferred to the attack contract 0x6329.
Through the code, we can see that although the borrowInternal function of the Erc20Delegator contract has the restriction of preventing the re-entry decorator nonReentrant, this decorator can only prevent external calls from re-entrant attacking its own contract, and cannot prevent external calls from re-entering other contracts.
Finally, since the attack contract 0x6329 did not borrow, it can redeem oWETH for WETH. The attackers ended up with WETH that was used as collateral to borrow BUSD tokens and their borrowed BUSD tokens.
2.4 Subsequent processing
Ola.finance officially issued a statement saying:
We will publish a detailed report on all tokens listed on all lending networks confirming that this attack cannot be replicated on other lending networks. To this end, we will investigate the "transfer" logic of each token to ensure that no questionable token standards are being used. Additionally, each lending network creator will be provided with the ability to quickly pause token minting and lending on their lending network. Later on, we will release a patch that will allow Compound forks to safely list ERC677/ERC777 compliant tokens. Until then, borrowing from the lending network on Fuse will be temporarily disabled; users who borrow assets will not accrue interest and are encouraged not to repay their loans at this time (as they are less likely to withdraw collateral). Once this patch is thoroughly tested and reviewed, full lending functionality on Voltage will resume. In the next few days, we will publish a formal compensation plan detailing the distribution of funds to affected users. This will be accompanied by more articles outlining the "next steps" we will take in more depth. We thank our partners for supporting the analysis of this attack and helping us quickly resolve the issue.
3. Summary
Ola.finance is rewritten based on the Compound contract, and the incompatibility between the Compound contract and ERC677/ERC777 tokens makes the built-in callback functions of these tokens used by attackers to re-enter to exhaust the loan pool.