TL;DR#
On May 22, 2023, the DeFi protocol LunaFi was exploited on the Polygon chain, resulting in a total loss of approximately $35,000.
Introduction to LunaFi#
LunaFi is a peerless and decentralized DeFi betting protocol that provides users with a trustless and secure environment to gamble, invest, and much more.
Vulnerability Assessment#
The root cause of the vulnerability is due to the lack of a time lock for the user's staking balance.
Steps#
Step 1:
We attempted to analyse one of the attack transactions executed by the exploiter.
Step 2:
The attacker deployed a malicious contract and used it to exploit the protocol across a series of transactions; thus, the exploit continued for almost an hour.
Step 3:
The exploiter is initially funded on the BNB chain via Tornado Cash.
Step 4:
As viewed from this contact implementation, there's no time lock mechanism on the claimRewards function while claiming the staking rewards.
Step 5:
The exploiter was therefore able to deposit their funds, and invoke a call to the swap, transfer, and claim rewards function to take away their share of profits.
Step 6:
At the time of this writing, the attacker's wallet holds 19.49 WETH, and 405 MATIC totalling approximately $36,526 worth of funds.
Aftermath#
Following the exploit, the price of their token plunged by 96%.
The team acknowledged the occurrence of the exploit on the Staking Rewards contract and stated that they have implemented security measures on the BTC, ETH, and USDC pools.
The Quickswap ETH/LFI pool was drained of 18.9 ETH worth of funds, and any of the other ETH, WBTC, or USDC remained unaffected. The team has implemented a 7-day cooldown period on withdrawals.
Their next course of action includes fixing the LFI staking rewards, reimbursing the affected users, and adding liquidity to the market in order to recover the token's price.
Solution#
This incident highlights the importance of robust and secure contract designs in DeFi protocols. Several measures could be taken to prevent similar incidents.
The contract should incorporate a time-lock mechanism for sensitive operations like claiming staking rewards. This mechanism prevents the immediate execution of these operations and gives other participants the opportunity to react. Additionally, all contracts should be thoroughly audited, preferably by an independent third party. This could help to identify and rectify potential vulnerabilities and weaknesses before they are exploited. A provision for emergency shutdowns can help halt the system in case of suspected malicious activity, protecting users' funds.
We may not have prevented the occurrence of this hack, but the impact or aftermath of this attack could have been significantly reduced if the team associated with LunaFi had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks: Ethereum and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference Source Hypernative
