TL;DR#
On November 9, 2022, the TopGear vault of Brahma (brahTOPG) project was attacked, in which the hacker was able to steal 89,343 $USDC.
Introduction to Brahma#
Brahma is a non-custodial protocol that activates and manages liquidity across chains and decentralized applications and enables effective capital utilization in the DeFi ecosystem.
Vulnerability Assessment#
The vulnerability is caused because the Zapper contract rigorously checked for incoming user data, which resulted in an arbitrary external call.
Steps#
Step 1:
The exploit transaction can be seen here.
Step 2:
The attacker first queried the balance of one of the users, and then called the zapIn function of the Zapper contract.
Step 3:
This function will transfer the token supplied by the requiredToken parameter to the contract.
Step 4:
The parameter passed in by the function can be modified externally, allowing the attacker to create a fake token for the requiredToken and then transfer it to Zapper contracts.
Step 5:
A call is made to the internal function zap, which checks whether the balance of the fake token in the contract is greater than or equal to the value supplied in.
Step 6:
The attacker is able to proceed to the next line of code because the balance value was already queried before.
Step 7:
The attacker created this function to transfer frax tokens to the Zapper contract, which will then be deposited into the vault.
Step 8:
The attacker was able to transfer USDC tokens from other authorized users since the contract specified by the swapTarget argument is called externally, and the parameters passsed to the call were also externally constructible.
Step 9:
The attacker repeated these actions three times, ultimately stealing the USDC balance from the accounts of three victims.
Aftermath#
The team is yet to publish a detailed postmortem report to explain the cause and consequences of this incident.
How to Prevent Such an Attack Vector#
This exploit could have been avoided using proper validation techniques to ensure that the any external call to the contracts were restricted.
Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and feeling of responsibility to do so.
Reference Source: SlowMist
