TL;DR#
On January 22, 2024, Concentric Finance was exploited on the Arbitrum chain, which resulted in a loss of 715.7 ETH, worth approximately $1.72 million.
Introduction to Concentric#
Concentric is a liquidity aggregator that sources liquidity from multiple DEXs and optimizes the LP position to maximize yield.
Vulnerability Assessment#
The root cause of the exploit is the compromise of the deployer wallet through a targeted social engineering attack.
Steps#
Step 1:
We attempt to analyze one of the attack transactions executed by the exploiter.
Step 2:
The attacker was able to compromise the deployer key and then upgrade the contract to drain funds from both the vault and the users who approved the token for the contract.
The protocol leveraged upgradable contracts, meaning a compromised admin or the deployer would allow an attacker to upgrade the vaults, mint new tokens, or perform any other core unintended functionalities.
Step 3:
Specifically, the attacker updated the implementation contract of the CONE-1 proxy contract from the original ConeCamelotVault contract to the attacker-controlled contract and then added the admin of adminMint as the address they likely controlled.
function adminMint(uint256 amount) public {
require(msg.sender == 0x105f52fcC329cEF4CBe25BC946f8a3738414E4A1, "Not admin");
_burn(0x60D84044e916ac1A22981dA23058591193de3AFc, amount);
_mint(msg.sender, amount);
}
Step 4:
Thus, using this adminMint function, the attacker burns LP tokens from the LPStaking contract and then mints them for themselves. The attacker repeatedly called adminMint and the burn operations in order to drain funds from the contracts.
Step 5:
Likewise, there's also an approval bug in one of the affected contracts, in which users who had approved to spend their tokens saw their assets being drained from the contract.
function withdrawFromAdmin(address token, address from) public {
require(msg.sender == 0xc62A25462A61f02EBAB35Cd39C5E9651426e760b, "Not admin");
uint256 balance = IERC20(token).balanceOf(from);
uint256 approval = IERC20(token).allowance(from, address(this));
IERC20(token).safeTransferFrom(from, msg.sender, approval >= balance ? balance : approval);
}
Step 6:
The stolen funds held at this address were later disbursed to different EOAs.
0x17865c33e40814d691663bC292b2F77000f94c34: $270,918
0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d: $702,095
0xFD681A9aA555391Ef772C53144db8404AEC76030: $701,959
0x5c0E945Fc1c83D8d10E9c6366E2cBC5241532AEc: $153,021
Aftermath#
The team acknowledged the occurrence of the incident and stated that they are reviewing a security incident on their protocol. This security breach was the result of a targeted social engineering attack on one of their team members holding the deployer wallet. This incident led to unauthorized access and subsequent exploitation of their protocol. A later post-mortem report by the team stated that they currently have 8 ETH, along with some USDC left in the CONE-USDC LP; therefore, the protocol will be entirely halted till a foreseeable future.
Solution#
To effectively address and mitigate the risks highlighted by the Concentric Finance exploit, a comprehensive and multifaceted approach is essential. Firstly, users who have granted token approvals to the affected contracts should promptly revoke these approvals. Additionally, the suspension of operations by the Concentric team serves as a stark reminder of the importance of due diligence and vigilance in DeFi interactions. This includes thorough research into a project's team, security audits, and contract functionality.
The protection of upgradeable contracts is of paramount importance. One key measure is the implementation of a multi-signature wallet for administrative control of these contracts, reducing the risk of a single point of failure. Complementing this, a time lock for contract upgrades allows for community scrutiny and validation of changes prior to activation. Regular security audits, particularly surrounding upgrades, and continuous monitoring for unusual activities are critical for early exploit detection. Additionally, transparent and decentralized governance in contract upgrades, involving community participation in decision-making, enhances the overall security framework.
Central to strengthening security is a complete overhaul of the private key management system. Adopting a multi-signature wallet system is a strategic move, necessitating multiple confirmations for transactions and thus significantly lowering the risk of unauthorized access. Alongside this, transitioning from storing private keys in a single, online environment to incorporating hardware security modules (HSMs) offers a more secure storage solution, greatly reducing the risk of key compromises.
Enhancing this security architecture further is the implementation of a robust cold storage solution. Keeping private keys entirely offline through cold storage markedly reduces their exposure to online attacks. The combination of cold storage with a multi-signature system creates a dual layer of defense. These measures are not only crucial for the secure storage and management of assets but also play an integral role in re-establishing and sustaining user trust in the platform's security protocols.
A notable aspect of the exploit was also the human element, particularly vulnerability to phishing and social engineering attacks. Addressing this calls for a comprehensive employee training program centered on security awareness.
Even with robust security measures in place, the possibility of vulnerabilities being exploited cannot be entirely eliminated. This is where Neptune Mutual plays a critical role. By establishing a dedicated cover pool with Neptune Mutual, the negative impacts of incidents like the Concentric Finance exploit can be substantially alleviated. Neptune Mutual specializes in providing coverage against losses due to smart contract vulnerabilities, offering parametric policies tailored to address these specific risks. We usually exclude coverage for exploits due to private key compromises, but we are open to making exceptions in certain cases.
The collaboration with Neptune Mutual simplifies the process for users by obviating the need for detailed proof of loss submissions. Once an incident is confirmed and resolved through our thorough incident resolution framework, our focus swiftly turns to providing prompt compensation and financial support to those affected. This approach ensures timely assistance to users impacted by such breaches.
Our marketplace operates across several key blockchain networks, including Ethereum, Arbitrum, and the BNB chain. This broad reach allows us to serve a wide variety of DeFi users, offering them protection against potential vulnerabilities.
Reference Source CertiK
