TL;DR#
On June 18, 2023, Ara was exploited on the BNB chain due to a lack of access control, which resulted in a loss of funds worth approximately $124,915.
Introduction to Ara#
Ara is a content-based protocol with decentralized rewards and distribution.
Vulnerability Assessment#
The root cause of the exploit is price manipulation caused by the lack of access control on one of the contracts, which was abused to swap tokens.
Steps#
Step 1:
We attempt to analyze the attack transactions executed by the exploiter.
Step 2:
The initial attack failed due to gas insufficiency, which was effectively front-run by a bot.
Step 3:
The attack was successful due to a lack of restrictions on the authorized funds; a large number of ARA and USDT were approved for the swap contract without limiting the funds transferred from the caller for any swap related purposes.
Step 4:
The exploiter initially took a flash loan of 1.202 million USDT, and called the vulnerable swap contract to swap 163,497 $ARA tokens for 123,246 USDT.
Step 5:
The borrowed flash loan was used to swap 504,469 $ARA tokens, thereby levitating the price of the $ARA tokens.
Step 6:
The swap contract was called yet again to swap 132,123 USDT for 12,179 $ARA tokens in order to let the approved address take over $ARA tokens at a higher price, and 504,469 of the excess $ARA tokens were finally swapped for 124,916 USDT as profits after repaying the flash loan.
Solution#
Given the nature of this attack, where an exploit was leveraged due to a lack of access control, it emphasizes the need for more robust and comprehensive checks in the protocol. It is essential to enforce strict access control mechanisms on smart contracts to prevent unauthorized actions for critical functions, such as token swaps, and ensure that only authorized entities can execute them. By restricting access to sensitive functionalities, the attack surface for potential exploits can be minimized.
Furthermore, the aftermath of this attack could have been significantly mitigated if the team associated with Ara had taken advantage of the benefits provided by Neptune Mutual's parametric cover policies. Neptune Mutual offers coverage to users who experience financial losses or the loss of digital assets due to smart contract vulnerabilities. By setting up a dedicated cover pool within the Neptune Mutual marketplace, the Ara team could have provided users with an added layer of protection.
Neptune Mutual's parametric cover policies eliminate the need for users to provide extensive evidence of their losses. Payouts can be claimed as soon as an incident is resolved through the platform's incident resolution system. This streamlined process ensures that users can quickly recover their losses without unnecessary delays or complications.
Neptune Mutual's security team conducts thorough evaluations of platforms, including DNS and web-based security, frontend and backend security, and intrusion detection and prevention measures. By engaging with Neptune Mutual, the Ara team could have benefited from expert security assessments, including identifying potential vulnerabilities in their protocol and strengthening their overall security posture.
Reference Source Beosin
