Analysing Elastic Swap Hack

On December 13, 2022, Elastic Swap was exploited due to price manipulation. Total loss: $854,000.

TL;DR

On December 13, 2022, Elastic Swap was exploited due to price manipulation causing a total loss of approximately $854,000.

Introduction to Elastic Swap

Elastic Swap operates on the Avalanche C-Chain platform, and is an automated market maker focused on elastic supply tokens like $AMPL.

Vulnerability Assessment

The root cause of the vulnerability is the use of two different accounting systems, which led to inconsistent calculations for adding and removing liquidity in the contracts.

Steps

Step 1:

We tried to analyse the attack transaction carried out by the exploiter.

Step 2:

The exchange contract used a constant K value algorithm to add liquidity; however, to remove liquidity, it calculates the tokens to return using the token-balance in the current pool and reduces the internal accounting reserves.

Elastic Swap Smart Contract Screenshot, Courtesy of Etherscan.

Step 3:

Because of this design, the attacker first added liquidity and then transferred some $USDC.e directly to the TIC-USDC pool.

Step 4:

The amount of $USDC.e to be transferred to the attacker is multiplied by the number of LP tokens, then the attacker removed this liquidity to make a profit.

Step 5:

The attacker made a profit of approximately 22,454 $AVAX worth $290,328, and subsequently transferred the funds to another address.

Elastic Swap Hacker Transaction Screenshot. Courtesy of Snowtrace.

Step 6:

The AMPL-USDC pool of ElasticSwap on Ethereum was also compromised using the same method.

Step 7:

The attack was front-run by an MEV bot, and the attack transaction carried out by the exploiter can be viewed here.

Step 8:

The attacker made a profit of roughly 445 $ETH worth around $564,000, which remains in the attacker's account.
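The accounting mismatch described in Steps 2 to 4 can be written as an invariant test. The Python model below is an added example, not Elastic Swap's contract code: it compares removal priced from the pool's token balance with removal priced from the internal reserves, and returns the reserve backing each LP token before and after one removal. It assumes a single-token pool, and `Pool`, `direct_transfer`, `removal_drift` and all amounts are constructed for illustration.

```python
from fractions import Fraction

class Pool:
    """Constructed single-token model of the two accounting systems."""
    def __init__(self, price_removal_from_reserve):
        self.fixed = price_removal_from_reserve
        self.reserve = Fraction(0)   # internal accounting, used when adding
        self.balance = Fraction(0)   # tokens the contract actually holds
        self.lp = {}                 # LP token balance per provider

    def supply(self):
        return sum(self.lp.values(), Fraction(0))

    def add_liquidity(self, who, amount):
        amount = Fraction(amount)
        # LP tokens are minted against the internal reserve, not the balance.
        minted = amount if not self.lp else amount * self.supply() / self.reserve
        self.reserve += amount
        self.balance += amount
        self.lp[who] = self.lp.get(who, Fraction(0)) + minted

    def direct_transfer(self, amount):
        # A plain token transfer runs no pool code: only the balance moves.
        self.balance += Fraction(amount)

    def remove_liquidity(self, who):
        supply = self.supply()
        burned = self.lp.pop(who)
        basis = self.reserve if self.fixed else self.balance
        out = basis * burned / supply
        self.reserve -= out          # reserves reduced by the amount paid
        self.balance -= out
        return out

def removal_drift(price_removal_from_reserve):
    """Return (paid out, reserve per LP token before, after) for one removal."""
    pool = Pool(price_removal_from_reserve)
    pool.add_liquidity("lp_a", 1000)     # constructed sample amounts
    pool.add_liquidity("lp_b", 1000)
    pool.direct_transfer(500)
    before = pool.reserve / pool.supply()
    paid = pool.remove_liquidity("lp_b")
    after = pool.reserve / pool.supply()
    return paid, before, after

if __name__ == "__main__":
    for fixed in (False, True):
        paid, before, after = removal_drift(fixed)
        print(f"reserve-priced={fixed} paid={paid} drift={after - before}")
```

A removal that changes the reserve per LP token means the add and remove paths no longer agree. This is the condition a pre-deployment property test or an on-chain monitor should flag.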

Aftermath

The team published a Tweet stating that they have been compromised, and have asked users to remove their liquidity.

The attack also caused the project's TIC token to drop by more than 77% of its value, and was found to be trading at $1.05 at the time of this writing.

Solution

It is crucial to carefully consider potential attack vectors and ensure that a smart contract is secure before deploying it. This can include conducting a thorough audit of the smart contracts, or reviewing them for potential vulnerabilities by running stringent tests in a simulated environment.

The impact of this attack could have been significantly reduced if Elastic Swap had a dedicated cover pool in the Neptune Mutual marketplace. We have standard terms and conditions in place to provide coverage for various types of DeFi attacks, including smart contract vulnerabilities, but we are also open to making exceptions in some cases.

Users who purchase our parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident like this is resolved through our governance system.

Additionally, auditing the smart contracts for vulnerabilities is insufficient due to the existence of varying attack vectors. Neptune Mutual's security team can also assess your preferred protocol for DNS and web-based security, smart contract evaluations, and frontend and backend security.

Reference Source

BlockSec, PeckShield
