
How Was Midas Capital Exploited

Learn how an attacker exploited Midas Capital using a read-only reentrancy attack.


TL;DR

On January 15, 2022, Midas Capital was exploited by a hacker, causing a loss of assets worth 663,101 MATIC, amounting to over $660,000.

Introduction to Midas Capital

Midas Capital is a cross-chain money market solution that unlocks and maximizes the usage of all digital assets.

Vulnerability Assessment

The vulnerability stems from a miscalculation of token prices brought on by the read-only reentrancy issue which appeared while interacting with some Curve pools.

A read-only reentrancy attack leverages flaws in view methods that can be invoked from callbacks while contract storage is being altered, with the manipulation carried out using flash loan techniques.

Steps

Step 1:

The attack transaction carried out by the exploiter can be viewed here.

Step 2:

According to the team, they had listed the WMATIC-stMATIC Curve LP token on their platform a few days ago with supply caps of about 250,000 and had not disclosed it.

Step 3:

The team had discussed the addition of such assets with the Jarvis Network team as a strategy to provide new options for pool users, and supply limitations were put in place to avoid excessive borrowing against such LP tokens.

Step 4:

These assets, however, were manipulated by means of a flash loan from Balancer V2, AAVE V3, and AAVE V2, which allowed the attacker to inflate the LP token price and borrow against it.

Step 5:

The attacker used 270,000 $WMATIC in collateral to mint about 131,000 jFIAT tokens. After a series of price changes, the attacker created a new contract and utilized 1/10 of the borrowed amount to liquidate the debt and redeem 103,000 jFIAT tokens.

Step 6:

The price was determined using the contract's get_virtual_price function, which relied on the parameters self.D and totalSupply. Because of the reentrancy attack, the contract burnt tokens before the unexpected callback, and the team may have overestimated the attack contract's position and lent extra assets to their contract.

Step 7:

As a result, the value of self.D during the attack increased tenfold. Thus, with the same totalSupply parameters as the LP token, the token's price increased by 10 times.

Step 8:

Therefore, when the supplied liquidity was removed from Curve, the hacker triggered a callback that allowed them to borrow assets at an inaccurate price of the Curve LP in Midas Capital, increasing their collateral tenfold.

Step 9:

The team evidently misjudged the impact of the re-entrancy attack on their oracle solution because they used a pool consisting entirely of wrapped assets.

Step 10:

The exploiter's initial gas fee came from HitBTC, and part of the profit was split to HitBTC, KuCoin, and Binance.

Aftermath

Following the incident, the team tweeted that they had halted borrowing from the Jarvis Polygon pool while they look into the matter more thoroughly.

Solution

Such attacks can be mitigated to a great extent by utilizing a mutex, also known as a lock, to ensure that only one call to the contract's functions is executed at a time. This is accomplished by using a boolean variable as a lock and running the critical part of the code only if the lock has not already been set.

It's also advisable to verify the call stack depth to make sure that an attacker can't repeatedly call the function triggering an infinite loop.
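The ordering described in Step 6 and the boolean lock described above, as an added example in Python (a simplified model written for this analysis, not code from Curve, Midas Capital or the original page). It assumes the pool burns LP tokens before the callback and updates D only afterwards; `ToyPool`, `get_virtual_price_guarded`, `observe_during_withdrawal` and the sample numbers are constructed so that the stale read is ten times the real price.

```python
class ReentrancyLocked(Exception):
    """Raised when a guarded function is entered while the lock is held."""

class ToyPool:
    """Constructed stand-in for a Curve-style pool; not Curve's or Midas's code."""

    def __init__(self, D, total_supply):
        self.D = D                        # invariant backing the LP tokens
        self.total_supply = total_supply  # LP tokens outstanding
        self._locked = False              # boolean mutex

    def get_virtual_price(self):
        # Unguarded view: answers even while pool state is half-updated.
        return self.D / self.total_supply

    def get_virtual_price_guarded(self):
        # Same view, but it honours the mutex and refuses to answer mid-update.
        if self._locked:
            raise ReentrancyLocked("pool state is mid-update")
        return self.D / self.total_supply

    def remove_liquidity(self, lp_amount, on_receive):
        if self._locked:
            raise ReentrancyLocked("remove_liquidity re-entered")
        self._locked = True
        try:
            withdrawn = self.D * lp_amount // self.total_supply
            self.total_supply -= lp_amount  # LP tokens are burnt first
            on_receive(self)                # transfer hands control to the receiver
            self.D -= withdrawn             # D is brought up to date only afterwards
        finally:
            self._locked = False

def observe_during_withdrawal(D=1_000_000, supply=1_000_000, burn=900_000):
    """Return (price before, unguarded price in callback, guarded blocked?, price after)."""
    pool, seen = ToyPool(D, supply), {}

    def callback(p):  # stands in for a lending protocol's oracle read
        seen["unguarded"] = p.get_virtual_price()
        try:
            p.get_virtual_price_guarded()
            seen["blocked"] = False
        except ReentrancyLocked:
            seen["blocked"] = True

    before = pool.get_virtual_price()
    pool.remove_liquidity(burn, callback)
    return before, seen["unguarded"], seen["blocked"], pool.get_virtual_price()
```

A lock that guards only the state-changing functions still leaves the view readable mid-update, which is why the guarded view checks the same lock before returning a price.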

We may not have prevented the occurrence of this hack; however, the impact or aftermath of this attack could have been significantly reduced if Midas Capital had a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities.

Users who purchase our parametric cover policy do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident like this is resolved through our governance system.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference Sources: Midas Capital, BlockSec
