How Was LunaFi Exploited?


Learn how LunaFi was exploited on the Polygon chain, resulting in a loss of approximately $35,000.


On May 22, 2023, the DeFi protocol LunaFi was exploited on the Polygon chain, resulting in a total loss of approximately $35,000. 

Introduction to LunaFi

LunaFi is a peerless and decentralized DeFi betting protocol that provides users with a trustless and secure environment to gamble, invest, and much more. 

Vulnerability Assessment

The root cause of the vulnerability is the lack of a time lock on the user's staking balance.


Step 1:

We attempted to analyse one of the attack transactions executed by the exploiter.

Step 2:

The attacker deployed a malicious contract and used it to exploit the protocol across a series of transactions; thus, the exploit continued for almost an hour.

Step 3:

The exploiter is initially funded on the BNB chain via Tornado Cash.

Step 4:

As seen in this contract implementation, the claimRewards function has no time lock mechanism when claiming staking rewards.

Step 5:

The exploiter therefore deposited their funds and called the swap, transfer, and claim rewards functions to take away their share of profits.

Step 6:

At the time of this writing, the attacker's wallet holds 19.49 WETH and 405 MATIC, totalling approximately $36,526 worth of funds.


Following the exploit, the price of their token plunged by 96%.

The team acknowledged the occurrence of the exploit on the Staking Rewards contract and stated that they have implemented security measures on the BTC, ETH, and USDC pools.

The Quickswap ETH/LFI pool was drained of 18.9 ETH worth of funds, and none of the other ETH, WBTC, or USDC was affected. The team has implemented a 7-day cooldown period on withdrawals.

Their next course of action includes fixing the LFI staking rewards, reimbursing the affected users, and adding liquidity to the market in order to recover the token's price.
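The effect of the missing time lock, and of a cooldown like the one the team added, can be shown with a small model. This is an added example, not LunaFi's contract code: the `StakingPool` class, its function names, the pro-rata reward rule and all amounts are assumptions made for illustration.

```python
# Toy model of staking reward claims (hypothetical; not LunaFi's contract code).
WEEK = 7 * 24 * 3600  # seconds in a 7-day cooldown

class LockError(Exception):
    """Stands in for a contract revert."""

class StakingPool:
    def __init__(self, lock_seconds):
        self.lock = lock_seconds  # 0 models a claim path with no time lock
        self.balance = {}         # staker -> staked amount
        self.staked_at = {}       # staker -> time of last balance increase
        self.reward_pool = 0

    def _require_unlocked(self, who, now):
        if now - self.staked_at[who] < self.lock:
            raise LockError(f"{who}: stake is younger than the lock period")

    def deposit(self, who, amount, now):
        self.balance[who] = self.balance.get(who, 0) + amount
        self.staked_at[who] = now  # a top-up restarts the timer

    def transfer(self, src, dst, amount, now):
        if self.balance.get(src, 0) < amount:
            raise ValueError("insufficient stake")
        self.balance[src] -= amount
        self.balance[dst] = self.balance.get(dst, 0) + amount
        self.staked_at[dst] = now  # the recipient does not inherit stake age

    def claim_rewards(self, who, now):
        self._require_unlocked(who, now)
        # Assumed reward rule: pro rata on the balance held at claim time.
        payout = self.reward_pool * self.balance[who] // sum(self.balance.values())
        self.reward_pool -= payout
        return payout

def fresh_deposit_claim(lock_seconds):
    """Return what a newcomer collects by depositing and claiming at one timestamp."""
    pool = StakingPool(lock_seconds)
    pool.deposit("long_term", 100, now=0)
    pool.reward_pool = 50            # constructed: rewards accrued over 30 days
    t = 30 * 24 * 3600
    pool.deposit("newcomer", 900, now=t)
    try:
        return pool.claim_rewards("newcomer", now=t)
    except LockError:
        return 0

if __name__ == "__main__":
    print("no lock:", fresh_deposit_claim(0), "| 7-day lock:", fresh_deposit_claim(WEEK))
```

The timer is reset on both `deposit` and `transfer`, so moving a stake to another address cannot be used to carry an aged timestamp past the lock.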


It is critical to understand that no security measure is perfect, but implementing rigorous security standards can greatly reduce the risk of all such attacks on DeFi protocols. These standards can aid in identifying and addressing potential attack vectors before they are exploited by attackers.

Many formal verification tools can also be used to ensure that the smart contract behaves as it is intended to. Independent third-party auditors should conduct regular smart contract audits to identify vulnerabilities and recommend mitigation strategies.

We may not have prevented the occurrence of this hack; however, the impact or aftermath of this attack could have been significantly reduced if the team associated with the LunaFi protocol had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.

Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum and Arbitrum.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference source: Hypernative