How Was Midas Capital Exploited

3 min read
Midas capital read only reentrancy attack analysis

Learn how an attacker exploited Midas Capital using read-only Reentrancy attack.

TL;DR#

On January 15, 2023, Midas Capital was exploited by a hacker, causing a loss of assets worth 663,101 MATIC amounting to over $660,000.

Introduction to Midas Capital#

Midas Capital is a cross-chain money market solution that unlocks and maximizes the usage of all digital assets.

Vulnerability Assessment#

The vulnerability stems from a miscalculation of token prices brought on by the read-only reentrancy issue which appeared while interacting with some Curve pools.

The read-only reentrancy attack leverage flaws in view methods that can be invoked from callbacks when contract storage is altered via manipulations using flash loan techniques.

Steps#

Step 1:

The attack transaction carried out by the exploiter can be viewed here.

Step 2:

According to the team, they had listed the WMATIC-stMATIC Curve LP token on their platform a few days ago with supply caps of about 250,000 and had not disclosed it.

Step 3:

The team had discussed the addition of such assets with the Jarvis Network team as a strategy to provide new options for pool users, and supply limitations were put in place to avoid excessive borrowing against such LP token.

Step 4:

These assets, however, were manipulated by means of a flash loan from Balancer V2, AAVE V3, and AAVE V2, which allowed the attacker to inflate the LP token price and borrow against it.

Step 5:

The attacker used 270,000 $WMATIC in collateral to mint about 131,000 jFIAT tokens. After a series of price changes, the attacker created a new contract and utilized 1/10 of the borrowed amount to liquidate the debt and redeem 103,000 jFIAT tokens.

Step 6:

The price was determined using the contract's get_virtual_price function, which relied on parameters self.D and totalSupply. Because of the Reentrancy attack, the contract burnt tokens before the unexpected callback, and the team may have overestimated the attack contract's position and lent extra assets to their contract.

Step 7:

As a result, the value of self.D during the attack increased by tenfold. Thus, with the same totalSupply parameters as the LP token, the token's price increased by 10 times.

Step 8:

Therefore, when the supplied liquidity was removed from Curve, the hacker triggered a callback that allowed them to borrow assets at an inaccurate price of the Curve LP in Midas Capital, increasing their collateral by tenfold.

Step 9:

The team evidently misjudged the impact of the re-entrancy attack on their oracle solution because they used a pool consisting entirely of wrapped assets.

Step 10:

The exploiter's initial gas fee came from HitBTC, and part of the profit were split to HitBTC, KuCoin, and Binance.

Aftermath#

Following the incident, the team tweeted that they had halted borrowing from the Jarvis Polygon pool while they look into the matter more thoroughly.

Solution#

Midas Capital encountered an unfortunate incident when a hacker exploited a vulnerability, resulting in a substantial loss of 663,101 MATIC tokens, valued at over $660,000. Positioned as a cross-chain money market solution to maximize digital asset usage, Midas Capital's breach highlighted the intricate challenges within the DeFi ecosystem.

The vulnerability's source was traced back to a miscalculation of token prices stemming from a read-only reentrancy issue triggered during interactions with Curve pools. This attack leveraged vulnerabilities in view methods that could be invoked from callbacks, ultimately allowing the attacker to manipulate token prices via flash loan techniques.

The solution to mitigate such attacks involves leveraging mutexes or locks to ensure the execution of a contract's functions in a serialized manner. Additionally, verifying the call stack depth is essential to prevent infinite loop-triggering attacks.

In the context of asset protection and mitigation of attack aftermaths, Neptune Mutual emerges as a powerful ally. Although preventing every hack might be an elusive goal, our dedicated cover pool within the Neptune Mutual marketplace could have significantly reduced the impact of the Midas Capital attack. Our parametric policies empower users who experience losses due to smart contract vulnerabilities to claim payouts without requiring exhaustive loss evidence once incidents are resolved through our governance system.

Reference Sources Midas Capital, BlockSec

By Tags