TL;DR#
On February 27, 2023, an attacker exploited Dungeon Swap and Launch Zone protocols to steal funds worth $ 728,000, and $ 700,000 respectively. The exploiter further attacked the $HFI protocol, causing a loss of approximately $18,940.
Introduction to Dungeon Swap#
Dungeon Swap is a global DEX that enables anyone to set up and manage their own liquidity pool fund.
Launch Zone is a BNB chain-based decentralized finance protocol.
Vulnerability Assessment#
The root cause of the exploit was excessive user permission, which led to the price manipulation of $DND tokens.
Steps#
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
The implementation contract included a function with insufficient access control, which allowed tokens approved for this contract to be abused.
Step 3:
As a result, an attacker was able to exploit users who had previously approved this implementation contract for token swaps.
The hacker purchased tokens, and then looped through each user addresses who had approved the contract that the hacker used, forcing trades on their behalf.
Step 4:
These forced trades drove the prive of $DND tokens, which were then sold for profits
Step 5:
The attacker first purchased 1 million $DND tokens by paying approximately 0.06 $BNB. Then they repeatedly invoked a call to that function in order to manipulate the price of the $DND token by enforcing a swap using $BUSD, $WBNB, and $DND tokens.
Step 6:
The attacker then made approximately 740 $WBNB in profit by repeatedly swapping the previously obtained 1 million $DND tokens.
Step 7:
The exploit was repeated several times, resulting in a profit of over 2400 $BNB, or roughly $728,000, before transferring the the stolen funds to Fixed Float and Tornado Cash.
Step 8:
The DND exploiter also targeted the LaunchZone ($LZ) protocol, draining nearly 80% of their liquidity pool. The stolen funds totaled $700,000.
Step 9:
The hacker also exploited the $HFI project, causing a loss of approximately $18,940.
Aftermath#
The Dungeon Swap is a long-standing contract. The team behind it announced in September 2020 that they would cease all farming operations while continuing to work on developing new products, expanding external community partner resources, and so on. Their website, at the time of this writing, has been inaccessible.
Following the attack, the price of $LZ tokens dropped by more than 80% compared to their prior trading price.
The team stated that they will be transferring $LZ liquidity to Arbitrum and initiating refunds to investors who purchased $LZ tokens after the attack event but did not sell them.
Biswap announced that the $LZ token will be delisted as a result of the hack. The Launch Zone team further mentioned that they have decided to halt trading of the $LZ token until the issues are resolved.
Solution#
In the ever-evolving domain of decentralized finance, the exploits witnessed by Dungeon Swap, Launch Zone, and the HFI protocol once again underline the imperative need for robust, well-defined security paradigms. While the digitized promise of DeFi is grand, so are its vulnerabilities. A crucial flaw such as excessive user permissions can pave the way for far-reaching consequences, as observed with the price manipulation of the DND tokens.
Neptune Mutual has always held the stance that the DeFi space, with its myriad of offerings and operations, requires a multi-layered security approach. Technical precautions such as regular smart contract audits by independent third-party auditors are non-negotiable. They serve as the primary checkpoint to identify vulnerabilities and potential attack vectors. In the case of Dungeon Swap and Launch Zone, excessive user permissions flagged a significant red zone. Protocols should be designed with the principle of minimal privilege, restricting user permissions only to what is essential for protocol interaction. Granting users the capacity to influence core protocol functionalities can open Pandora's box.
While the establishment of a concrete technical defense is paramount, the unpredictable realm of DeFi demands a backup—a safety net to mitigate the financial repercussions when unforeseen vulnerabilities do manage to surface. This is where Neptune Mutual's significance is profoundly underscored. Had Dungeon Swap and Launch Zone integrated our provisions by establishing a dedicated cover pool, the financial aftermath of the hack might have been considerably less devastating for their user base.
Our parametric cover policies stand out due to their user-centric design. In the aftermath of such an exploit, users insured under Neptune Mutual can claim their covered amounts without getting ensnared in the procedural quagmire of producing loss evidence. The recovery process is streamlined and expedited, offering immediate relief when it's needed the most. Given that we operate on both Ethereum and Arbitrum networks, our solutions are tailored to cater to a broad spectrum of DeFi protocols.
Beyond financial cushioning, Neptune Mutual's security arsenal encompasses comprehensive technical evaluations, ranging from web-based security checks to intrusion detection mechanisms and both front-end and back-end assessments. In instances like the one suffered by Dungeon Swap, where their website became inaccessible post-hack, our DNS and web-based security review could have offered insights into potential weaknesses or vulnerabilities.
Reference Sources BlockSec, CertiK
