TL;DR#
On February 27, 2023, an attacker exploited Dungeon Swap and Launch Zone protocols to steal funds worth $ 728,000, and $ 700,000 respectively. The exploiter further attacked the $HAI protocol, causing a loss of approximately $18,940.
Introduction to Dungeon Swap#
Dungeon Swap is a global DEX that enables anyone to set up and manage their own liquidity pool fund.
Launch Zone is a BNB chain-based decentralized finance protocol.
Vulnerability Assessment#
The root cause of the exploit was excessive user permission, which led to the price manipulation of $DND tokens.
Steps#
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
The implementation contract included a function with insufficient access control, which allowed tokens approved for this contract to be abused.
Step 3:
As a result, an attacker was able to exploit users who had previously approved this implementation contract for token swaps.
The hacker purchased tokens, and then looped through each user addresses who had approved the contract that the hacker used, forcing trades on their behalf.
Step 4:
These forced trades drove the prive of $DND tokens, which were then sold for profits
Step 5:
The attacker first purchased 1 million $DND tokens by paying approximately 0.06 $BNB. Then they repeatedly invoked a call to that function in order to manipulate the price of the $DND token by enforcing a swap using $BUSD, $WBNB, and $DND tokens.
Step 6:
The attacker then made approximately 740 $WBNB in profit by repeatedly swapping the previously obtained 1 million $DND tokens.
Step 7:
The exploit was repeated several times, resulting in a profit of over 2400 $BNB, or roughly $728,000, before transferring the the stolen funds to Fixed Float and Tornado Cash.
Step 8:
The DND exploiter also targeted the LaunchZone ($LZ) protocol, draining nearly 80% of their liquidity pool. The stolen funds totaled $700,000.
Step 9:
The hacker also exploited the $HFI project, causing a loss of approximately $18,940.
Aftermath#
The Dungeon Swap is a long-standing contract. The team behind it announced in September 2020 that they would cease all farming operations while continuing to work on developing new products, expanding external community partner resources, and so on. Their website, at the time of this writing, has been inaccessible.
Following the attack, the price of $LZ tokens dropped by more than 80% compared to their prior trading price.
The team stated that they will be transferring $LZ liquidity to Arbitrum and initiating refunds to investors who purchased $LZ tokens after the attack event but did not sell them.
Biswap announced that the $LZ token will be delisted as a result of the hack. The Launch Zone team further mentioned that they have decided to halt trading of the $LZ token until the issues are resolved.
Solution#
It is critical to understand that no security measure is perfect, but implementing a few strategies can greatly reduce the risk of all such attacks on DeFi protocols.
Independent third-party auditors should conduct regular smart contract audits to identify vulnerabilities and recommend mitigation strategies. This can aid in identifying and addressing potential attack vectors before they are exploited by attackers.
A protocol should also restrict the permissions granted to users to only those required to use the protocol. Users, in particular, should not be given the ability to change critical protocol functionalities.
We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if the team associated with Dungeon Swap and Launch Zone had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference Sources BlockSec, CertiK
