Decoding Elastic Swap’s $850K Exploit | QuillAudits

Summary:

On the 12th of December, 2022, Elastic Swap was exploited both on the Avalanche and Ethereum Chain. A total of $854K was stolen by hackers from both Chains. The attack was caused by a difference in the calculation of add and delete liquidity, which resulted in a price manipulation attack.

Introduction to Elastic Swap:

ElasticSwap is an all-new AMM focused on elastic supply tokens. An elastic supply (or rebase) token works in a way that the circulating supply expands or contracts due to changes in token price. ElasticSwap adapts to the elastic supply changes without the need for someone to call a function on the pool itself after a change (rebase) happens.

Check out the official docs for more information.

Vulnerability Analysis & Impact:

Avalanche Chain Details:

Attacker’s Address 1: 0x3bdf01ed32f07e8e843163b5d478d4502f5743cd
Attacker’s Address 2: 0x25fDe76A52D01c83E31d2d3D5e1d2011ff103c56
Attacker’s Address 3: 0xdd8429b85a92b35712659bd945462a41bfd60cbd
Attacker’s Contract: 0xa2741Ab491026AF1FEDf76bEb0F74376d8FdD67F

AVA Exploit txn: 0x782b2410fcc9449ead554a81f78184b6f9cca89f07ea346bc50cf11887cd9b18
TICvUSDC.e Contract: 0x4ae1da57f2d6b2e9a23d07e264aa2b3bbcaed19a

Ethereum Chain Details:

AMPLvUSDC Contract: 0xa0c5aa50ce3cc69b1c478d8235597bc0c51dfdab
MEV Owner address: 0xBeAdeDBABED6A353c9cAa4894Aa7E5F883e32967
MEV BOT Contract: 0xE911519dc7f35996C6ad5C8A53e82B101af790d6

Original Attack Txn: 0xc2d86035f20389088b4277de6f13ca3f8bb819381b95e58359a22d0ad6f5cbda
MEV front-run txn: 0xb36486f032a450782d5d2fac118ea90a6d3b08cac3409d949c59b43bcd6dbb8f

The Attack

The root cause is due to the misapplication of two accounting systems. For addLiquidity function, the contract uses a constant K value algorithm for internal accounting. See here.

But for removeLiquidity, it uses token-balance-based accounting in which the balance of two tokens (baseToken and quoteToken) in the current pool is used to calculate the amount. See here.

Attack Steps:

  1. The attacker begins by adding liquidity to the TIC-USDC pool.

2. He then deposits $USDC.e directly into the TIC-USDC pool.

3. The attacker then removed the liquidity, causing the contract’s internal USDC reserve to become unbalanced.

4. Finally, when the pool became unbalanced, the attacker swapped USDC for TIC tokens and made a profit out of it.

Exploit in Ethereum:

The attacker attempted the same thing on Ethereum Chain for the AMPLvUSDC pool, but the MEV bot front-runned him. The MEV bot gained around 445 ETH from the transaction. See here.

After the Exploit :

ElasticSwap announced about exploit on Twitter. ElasicSwap acknowledged the attack and advised users to remove liquidity from the protocol.

Status of the fund:

AVA Chain:

The hack gained the attacker around 22,454 AVAX. He moved the funds across a few wallets and now has 22,453 AVAX in the address labeled as ElasticSwap Exploiter 3 (0xdd8429b85a92b35712659bd945462a41bfd60cbd)

ETH Chain:

The MEV Bot Owner profited approximately 445 ETH, of which he returned 400.5 ETH to the protocol and kept the remaining as a bounty. See here.

Further Reference:

https://twitter.com/ElasticSwap/status/1602582495819694081

Similar projects secured by QuillAudits:

  1. Oboswap
  2. ArtSwap

Web3 security- Need of the hour

Why QuillAudits For Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :
Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Partner with QuillAudits :

--

--