When we analyzed the Compound code at the beginning of the year , we found two loopholes that may affect its financial security.
On March 15, 2022, Hundred Finance was attacked, and the hackers made a profit of 2363 ETH, with a total value of more than 40 million renminbi.
The code for the Hundred Finance project comes from Compound.
Today, let’s briefly analyze the loopholes of Compound and why decentralized lending projects cannot copy the Compound model without thinking.
Vulnerability one
The main reason for this vulnerability is that the algorithm of the net value of the fund pool adopted by Compound can be attacked. The attacker can maliciously transfer a certain amount of funds when the share of the fund pool is small, causing the net value to reach a maximum value, so that the later deposit For funds, shares = funds/shares, and the result after divisibility is 0, which means that users do not get shares when they deposit funds! The attacker can then withdraw the shares, stealing the user's funds.
The conditions for exploiting this vulnerability are relatively strict. Basically, it is possible to attack only when the fund pool is created. Plugging is very simple.
Compound, said that they already knew about this vulnerability, and said that this vulnerability is difficult to exploit and can be circumvented through operational means. Thinking about it is indeed the case, although this vulnerability may be exploited, it is difficult to be exploited.
Vulnerability two
This vulnerability is familiar, the basic logic is callback and reentrancy, but the vulnerability is indeed more serious than the first one, and it is also easier to be exploited. As long as there is a token with a hook, it can be attacked!
Compound's reply is still, they have discovered this vulnerability!
Vulnerability finally exploited
So the hacking incident in March 2022 occurred, and the exploited vulnerability was the same as the second idea above. In fact, the hacker can be more ruthless, calling exitMarket() to exit the loan market at the same time when attacking, so that when the attacker redeems or borrows, the arrears will be completely ignored!
In fact, to plug this loophole, you only need to change the order of the two lines of code .
scallop reminder
As a company that has studied the development of blockchain technology for many years, Scallop Technology reminds many companies and entrepreneurs that they must treat their projects and codes rigorously .
The code is someone else's, but after copying it, the loopholes need to be borne by yourself, because if something goes wrong, neither Compound nor the audit company is obliged to take responsibility for you.
When doing projects and doing big things, you must not neglect the places where you need to grasp the details! If you have any questions, please feel free to contact us.