TL;DR#
On January 03, 2022, the GDS Chain was exploited via a flash loan attack, resulting in a loss of approximately $187,000.
Introduction to GDS Chain#
GDS, according to their Twitter account, is a business application public chain that investigates the use of blockchain technology to enhance multiple value transmission and contribution distribution methods.
Vulnerability Assessment#
The root cause of the attack is due to the vulnerability in one of the smart contract functions which allowed the liquidity pool mining mechanism to be manipulated by transferring a large amount of tokens using flash loan, resulting in the receiver address gaining additional GDS tokens.
Steps#
Step 1:
GDS token is designed to reward users who add liquidity to the GDS - USDT pair in each epoch.
Step 2:
The lpRewardAmount is calculated as the total reward amount (a global variable) multiplied by the LP token balance, divided by the total support for the liquidity pool token. As a result, users with higher staking balances would receive higher rewards.
Step 3:
The exploiter initially borrowed 2.38 million $USDT through a flash loan.
Step 4:
After that, they exchanged 0.6 million $USDT for 3.4 million $GDS tokens.
Step 5:
They added the remaining 1.7 million $USDT in liquidity, and the earlier obtained 3.4 million $GDS tokens to PancakeSwap in exchange for 2.2 million LP tokens.
Step 6:
Using these, they were able to collect the rewards from the $GDS token contract and then transfer the LP tokens to another contract.
Step 7:
This step was repeated approximately 70 times to collect higher rewards until the liquidity was removed and the flash loan amount was repaid.
Step 8:
These transactions netted 39,000 $USDT and nearly 10.3 million $GDS tokens worth approximately $148,000.
Step 9:
A portion of the harvested fund was bridged to TRON via Swift Swap, while the remainder is available at their address on the BSC chain
Aftermath#
During the attack, the price of the $GDS token reached a high of $0.49 before falling to $0.01 at the time of writing. The team has not issued a statement concerning the attack.
Solution#
Many attacks in the DeFi landscape appear to be coordinated by the team or members within the team to funnel out funds for personal benefit. In the absence of an incident response and recovery plan, it could be speculated that the event was pre-planned. Users should always confirm the authenticity of a team and its tokens before investing in them.
One potential avenue to alleviate the impact of such attacks lies in the offerings of Neptune Mutual. While it may not prevent the occurrence of hacks, having a dedicated cover pool within the marketplace could have significantly mitigated the consequences of the GDS Chain exploit. By providing coverage to users who suffer losses due to smart contract vulnerabilities, it serves as a crucial safety net for the DeFi community.
Neptune Mutual's parametric cover policy, which doesn't necessitate extensive loss evidence, offers a streamlined approach to claim payouts. Users can access payouts as soon as the incident is resolved through the governance system, expediting the recovery process.
Additionally, Neptune Mutual's robust security evaluation, encompassing aspects such as DNS and web-based security, frontend and backend security, intrusion detection and prevention, and more, reinforces its commitment to fortify the DeFi landscape against potential threats.
Reference Sources: BlockSec, Beosin
