
How Was GDS Chain Hacked?

Learn how GDS chain was exploited via flash loan attack causing a loss of $187K.


TL;DR

On January 03, 2022, the GDS Chain was exploited via a flash loan attack, resulting in a loss of approximately $187,000.

Introduction to GDS Chain

GDS, according to their Twitter account, is a business application public chain that investigates the use of blockchain technology to enhance multiple value transmission and contribution distribution methods.

Vulnerability Assessment

The root cause of the attack is a vulnerability in one of the smart contract functions, which allowed the liquidity pool mining mechanism to be manipulated: by transferring a large amount of tokens obtained through a flash loan, the receiver address gained additional GDS tokens.

Steps

Step 1:

GDS token is designed to reward users who add liquidity to the GDS - USDT pair in each epoch.

Step 2:

The lpRewardAmount is calculated as the total reward amount (a global variable) multiplied by the user's LP token balance, divided by the total supply of the liquidity pool token. As a result, users with higher staking balances receive proportionally higher rewards.

Step 3:

The exploiter initially borrowed 2.38 million $USDT through a flash loan.

Step 4:

After that, they exchanged 0.6 million $USDT for 3.4 million $GDS tokens.

Step 5:

They then added the remaining 1.7 million $USDT and the 3.4 million $GDS tokens obtained earlier as liquidity on PancakeSwap, receiving 2.2 million LP tokens in return.

Step 6:

Using these LP tokens, they collected the rewards from the $GDS token contract and then transferred the LP tokens to another contract.

Step 7:

This step was repeated approximately 70 times to collect higher rewards, after which the liquidity was removed and the flash loan amount was repaid.

Step 8:

These transactions netted 39,000 $USDT and nearly 10.3 million $GDS tokens worth approximately $148,000.

Step 9:

A portion of the harvested funds was bridged to TRON via Swift Swap, while the remainder is still held at their address on the BSC chain.
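The reward formula in Step 2 and the single-block deposit, claim and withdraw loop in Steps 3 to 7 can be reproduced in a small Python model. This is an added illustration, not code from the GDS contract or from the referenced reports: SnapshotRewardPool implements the claim-time balance share described in Step 2, TimeWeightedRewardPool is a hardened variant that weights each stake by the number of blocks it has been held, and simulate() runs the same sequence against both. The class and function names, the 10,000-token reward budget and the 1,000 / 1,000,000 LP balances are all constructed for the example.

```python
"""Toy model of LP-reward accounting: why a claim-time balance snapshot is
manipulable with borrowed liquidity, and how time-weighted accounting removes
the incentive.

Added illustration; this is NOT the GDS contract. All names (SnapshotRewardPool,
TimeWeightedRewardPool, simulate) are hypothetical and the amounts are constructed.
"""

TOTAL_REWARD = 10_000  # constructed: reward budget for one epoch, in GDS units


class SnapshotRewardPool:
    """Pattern from Step 2: reward = totalReward * lpBalance / totalSupply,
    evaluated at claim time. Whoever can inflate lpBalance for a single block
    captures almost the whole budget."""

    def __init__(self, total_reward):
        self.total_reward = total_reward
        self.balances = {}

    def deposit(self, user, amount, block):  # block is unused: no time dimension
        self.balances[user] = self.balances.get(user, 0) + amount

    def withdraw(self, user, amount, block):
        self.balances[user] -= amount

    def pending_reward(self, user, block):
        supply = sum(self.balances.values())
        if supply == 0:
            return 0
        return self.total_reward * self.balances.get(user, 0) // supply


class TimeWeightedRewardPool:
    """Hardened variant: a user's share is balance * blocks held within the epoch,
    so liquidity that enters and leaves in the same block has zero weight."""

    def __init__(self, total_reward, epoch_start_block=0):
        self.total_reward = total_reward
        self.balances = {}
        self.weights = {}       # per-user accumulated balance * blocks
        self.last_update = {}   # per-user block of the last accrual
        self.total_supply = 0
        self.total_weight = 0
        self.total_last_update = epoch_start_block

    def _accrue(self, user, block):
        # Credit weight for the blocks elapsed since each checkpoint.
        held = block - self.last_update.get(user, block)
        self.weights[user] = self.weights.get(user, 0) + self.balances.get(user, 0) * held
        self.last_update[user] = block
        self.total_weight += self.total_supply * (block - self.total_last_update)
        self.total_last_update = block

    def deposit(self, user, amount, block):
        self._accrue(user, block)
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total_supply += amount

    def withdraw(self, user, amount, block):
        self._accrue(user, block)
        self.balances[user] -= amount
        self.total_supply -= amount

    def pending_reward(self, user, block):
        self._accrue(user, block)
        if self.total_weight == 0:
            return 0
        return self.total_reward * self.weights.get(user, 0) // self.total_weight


def simulate(pool_cls):
    """Honest LP stakes 1,000 LP tokens for 100 blocks; a borrower then deposits
    1,000,000 LP tokens, claims, and withdraws within the same block."""
    pool = pool_cls(TOTAL_REWARD)
    pool.deposit("alice", 1_000, block=0)
    pool.deposit("borrower", 1_000_000, block=100)
    borrower_reward = pool.pending_reward("borrower", block=100)
    alice_reward = pool.pending_reward("alice", block=100)
    pool.withdraw("borrower", 1_000_000, block=100)
    return {"borrower": borrower_reward, "alice": alice_reward}


if __name__ == "__main__":
    print("snapshot      :", simulate(SnapshotRewardPool))
    print("time-weighted :", simulate(TimeWeightedRewardPool))
```

With the snapshot pool, the single-block deposit takes 9,990 of the 10,000-token budget and leaves the honest staker with 9; with the time-weighted pool the same deposit earns 0 and the staker keeps 10,000. Time-weighting on its own does not cap how much a long-term whale can earn, so in practice it is combined with an epoch-start balance snapshot or a minimum lock-up before rewards vest; the point the model isolates is that the reward must depend on something a single transaction cannot manufacture.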

Aftermath

During the attack, the price of the $GDS token reached a high of $0.49 before falling to $0.01 at the time of writing. The team has not issued a statement concerning the attack.

Solution

Many attacks in the DeFi landscape appear to be coordinated by the team, or by members within the team, to funnel out funds for personal benefit. In the absence of an incident response and recovery plan, it could be speculated that the event was pre-planned. Users should always confirm the authenticity of a team and its tokens before investing in them.

We might not have prevented this hack; however, its impact and aftermath could have been significantly reduced if GDS Chain had a dedicated cover pool in the Neptune Mutual marketplace. We provide coverage to users who have lost funds as a result of smart contract vulnerabilities but exclude losses driven by flash loan or price manipulation attacks, although we are open to making exceptions in many situations.

Users who purchase our parametric cover policy do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident like this is resolved through our governance system.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference Sources: BlockSec, Beosin
