TL;DR#
On February 22, 2023, Dynamic Finance was exploited due to insufficient reentrancy protection, in which the protocol lost 73 BNB, worth approximately $22,400.
Introduction to Dynamic#
Dynamic is a smart money market aggregator built on multiple blockchain networks that helps to enhance the DeFi lending experience with automation, one-click borrowing, and seamless bank connectivity.
Vulnerability Assessment#
The root cause of the attack is a reentrancy bug that tricked the deposit tracking system of the StakingDYNA contract.
Steps#
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
In the StakingDYNA contract, it is observed that users could deposit $DYNA and claim rewards. The interest is calculated with the following operations:
duration = now - lastProcessAt
interest = k * (stakeAmount * duration)
Step 3:
The deposit function provides the lastProcessAt value. However, this value is only recorded for the first deposit/stake due to the logic of the code.
Step 4:
At timeframe A, the attacker opened a new vault and deposited a small amount of $DYNA. At some point in timeframe B, they took out a fairly large flash loan to borrow $DYNA and deposited it before redeeming the deposit, earning rewards, and paying back the flash loan.
The profit from this transaction was, k * (borrowAmount * (B - A))
Step 5:
The attacker then withdrew the rewards and capital using the redeem function.
Step 6:
After withdrawing funds from one address, the funds were transferred to the next address for the same operation, allowing the hacker to profit multiple times.
Aftermath#
Following the attack, the price of their $DYNA token dropped by more than 90%.
The team stated that they were working on an upgrade to the contract in order to include a reentrancy guard, and will also have their protocol audited.
They will additionally be buying back the $DYNA tokens, and distributing them to the affected users. They have also shared a recovery plan which includes wiping the treasury allocation in order to provide full DYNA distribution.
Solution#
In order to safeguard against exploits originating due to Reentrancy attack, a mutex can be used to make the function of a smart contract non-reentrant. Incomplete non-Reentrant mutex, on the other hand, can result in cross-contract or cross-function Reentrancy.
Another method for preventing reentrancy attacks is to use checks-effects-interactions design to ensure that all state changes take place internally before calling external smart contracts.
Additionally, many formal verification tools can also be used to ensure that the smart contract behaves as it is intended to. A team should also perform multiple security audits on their protocol to ensure that all potential vulnerabilities are identified and addressed in order to further secure the protocol.
We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if the team associated with Dynamic Finance had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference Sources Certik, Beosin
