TL;DR#
On April 12, 2023, MetaPoint was exploited due to a smart contract vulnerability, which resulted in the loss of funds worth approximately $920,000.
MetaPoint is an online virtual world where players can participate in virtual reality activities such as games, management, finance, construction, entertainment, etc. in order to obtain economic benefits and pleasant experiences.
Vulnerability Assessment#
The root cause of the vulnerability is due to the existence of a public approval function, which was exploited to transfer all of the user's assets.
Steps#
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
One of their contracts contained an open approval function that allowed the attackers to obtain the full amount of the user’s deposit.
Step 3:
The exploiter created attack contracts to invoke a call to the approve function of this contract in bulk and approved the maximum value.
Step 4:
At the time of this writing, this attacker has control over approximately $98,000 worth of assets, while the other attacker has already transferred 2515 $BNB tokens worth approximately $814,000.
Aftermath#
Following the attack, the team acknowledged the incident and asked to stop all interactions with the contract.
They will apparently turn to a third-party auditor in order to perform a security audit of their code base and will also look forward to formulating and announcing their next course of action.
Solution#
It is critical to understand that no security measure is perfect, but implementing a few strategies can greatly reduce the risk of all such attacks on DeFi protocols.
Independent third-party auditors should conduct regular smart contract audits to identify vulnerabilities and recommend mitigation strategies. This can aid in identifying and addressing potential attack vectors before they are exploited by attackers.
A protocol should also restrict the permissions granted to users to only those required to use the protocol. Users, in particular, should not be given the ability to change critical protocol functionalities.
We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if the team associated with MetaPoint had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference Source CertiK
