Decoding $220K Read-only Reentrancy Exploit | QuillAudits

Summary:

On the 24th of October 2022, Market.xyz (the lending market on QuickSwap DEX) was exploited. An exploiter took a flash loan and manipulated the spot price of the asset to borrow funds, ultimately making off with 138 ETH and 700 MATIC tokens. The attack was possible due to the use of a Curve LP oracle, which contained a vulnerability that allowed manipulating prices during the removal of liquidity.

Protocols Involved:

In this attack, multiple protocols and projects were linked. Let us understand it first.

1. QuickSwap: QuickSwap is a permissionless decentralized exchange (DEX) based on Ethereum, powered by Matic Network’s Layer 2 scalability infrastructure, where multiple borrowing and lending parties come to lend and borrow.
2. Market.xyz: Market Protocol allows users to earn yield by supplying their cryptocurrencies as collateral to an isolated lending market or pool. Market.xyz was one of the Lending markets in QuickSwap. Market xyz was using Vulnerable Curve Oracle to monitor the lending/borrowing markets.
3. QiDAO: QiDao is a stablecoin protocol utilizing collateralized debt positions allowing users to mint the stablecoin MAI pegged to the U.S. Dollar. The amount lost in the attack was seeded(funded) by QiDAO to market xyz and no user funds were lost.

Vulnerability Analysis & Impact:

So here is the story: Market.xyz was using Curve LP Oracle for lending and borrowing markets. But there was a price manipulation vulnerability due to Read-Only Reentrancy present in the Curve LP Oracle.

Read-Only Reentrancy:
The read-only reentrancy is a reentrancy scenario where a view the function is reentered, which in most cases is unguarded as it does not modify the contract’s state. However, if the state is inconsistent, wrong values could be reported. Check out this blog to learn more about this.

The total fund lost in this attack was $220K MAI(stable coins pegged to USD), which was seeded by QiDAO. Both QiDAO’s and QuickSwap’s contracts were not affected during this attack, and no user’s funds were compromised. The exploit took place on the MXZ lending market, which was the only platform compromised.

The Attack:

There were 2 attacks made in total.

Attack1:
Amount Stolen: 138 $ETH
Attacker’s Address: 0x4206d62305d2815494dcdb759c4e32fca1d181a0
Attacker’s Contract Addr. : 0xeb4c67e5be040068fa477a539341d6aef081e4eb
Txn Hash: 0xb8efe839da0c89daa763f39f30577dc21937ae351c6f99336a0017e63d387558

Attack2:
Amount Stolen: 700 $Matic
Attacker address: 0xe3671a41c44f50048e60939df3d26704c9652d9d
Attacker’s Contract Address: 0xC6CD77fcf37ffcd97B3429F0284ecfF50616EA74
Txn Hash: 0x303c770b81d8866693aa341774eaa2cd5dc3a5f1d2ad855b9d6f0c10b5c36d5d

Attack Flow:

Let's look at this txn and analyze the attack:

1. First, the attacker first took a flash loan to deposit a large amount of liquidity.

2. Next, he added liquidity with the flash loan amount by calling the add_liquidity function.

3. Then the attackers removed the liquidity from the pool by calling the remove_liquidity function. When the remove_liquidity function was called, it triggered the fallback function of the attacker’s malicious contract.

4. When the remove_liquidity function is called, d_balance is subtracted in the function, then the fallback is executed in a loop. The raw_call is used to execute the transfer. Here the D variable (lines 1034–1035) is not updated after the attack, but the number of tokens has changed with the same price used as before.

During the execution of the fallback, balances were not fully updated while the total supply of the LP token had already decreased. Finally, the attack was achieved by compromising Curve Oracle’s price feed and then borrowing funds based on the new inflated price.

Check out this blog for more details on Curve’s LP Price feed manipulation attack.

After the Exploit :

QuickSwap announced that they would be closing QuickSwap Lend. They further added that only market xyz was compromised and their contracts were unaffected. Furthermore, QiDao announced that they are completely unrelated to QiDao smart contracts.

Market.xyz also made the following announcement about the attack:

Status of Funds:

The attacker bridged 138 ETH to Ethereum and then sent all of them into tornado cash.

Reference:

https://twitter.com/QuickswapDEX/status/1584524584984145922
https://twitter.com/market_xyz/status/1585317167335370752

Web3 security- Need of the hour

Why QuillAudits for Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions, saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :
Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Partner with QuillAudits :

- Affiliate program ( Refer and secure web3 )

- QuillAudits Partnership Programme ( Venture funds, launchpads, development companies, marketing firms, web2 cybersecurity firms, web3 products )

- Join Ambassdor program