TL;DR#
On April 28, 2023, the 0vix Protocol on the Polygon chain was exploited, resulting in a loss of approximately $2 million.
Introduction to 0vix Protocol#
0VIX is a DeFi liquidity market protocol, built on Polygon, that enables users to lend, borrow and earn interest with their digital assets.
Vulnerability Assessment#
The root cause of the vulnerability is due to the flawed price calculation of GHST token.
Steps#
Step 1:
The debt value `ovGHST` in the contract is calculated based on the balance of the GHST token in the contract vGHST. The exploiter was able to manipulate the conversion ratio of the `vGHST` by transferring large amounts of $GHST tokens directly to the `vGHST` contract.
Step 2:
We attempted to analyze the attack transaction executed by the exploiter.
Step 3:
The attacker took a large amount of flash loan using GHST tokens, and used them to mint $vGHST tokens.
Step 4:
The exploiter took another flash loan of approximately 24.5 million $USDC, and used roughly 6.15 million USDT as collateral for deposit to borrow $vGHST assets from 0VIX pools, and repeated the process to create a debt position.
Step 5:
They then self liquidated their vGHST debt to get back their collateral of USD while also keeping the USD they borrowed safe, hence leaving the account with bad USD debt.
Step 6:
In the end, the attacker took their the collateral and redeem vGHST tokens to $GHST, while all the borrowed assets during the flash loan are paid back keeping the remaining assets as profits.
Step 7:
The stolen funds include 1.453 million $USDC, 584,444 $USDT, and 9565 $GHST, totaling approximately $2.048 million. Funds worth approximately 760 ETH were transferred to Tornado Cash, whilst the remaining stolen assets are held at this address.
Aftermath#
The team acknowledged the occurrence of the incident via this tweet. They stated that the POS and zkEVM markets have been paused, which includes pausing oToken transfers, minting, and liquidations; however, only the POS markets were affected due to the exploit.
The team has been in touch with Chainalysis and PeckShield to investigate the exploit. They have also sent an on-chain message to the attacker, offering them 10% bounty rewards for returning the rest of the stolen funds.
A later tweet mentioned that the law enforcement process has begun due to the absence of funds being returned.
Solution#
The attack succeeded because the attacker was able to manipulate the price of the token by exploiting a donation-debt position. This exploit could have been prevented to a greater extent if the token price didn't rely on the current token balance.
We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if the team associated with 0vix Protocol had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference Source PeckShield
