TL;DR#
On April 4, 2023, Sentiment Protocol was exploited on Arbitrum Chain due to a read-only reentrancy vulnerability, resulting in a loss of approximately $1 million.
Introduction to Sentiment#
Sentiment is a liquidity protocol that permits on-chain permissionless undercollateralized borrowing.
Vulnerability Assessment#
The root cause of the exploit is the well-known re-entrancy vulnerability of Balancer, due to which the attacker was able to execute a malicious contract before updating the pool balances in order to steal the funds using an overpriced collateral.
Steps#
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
The Sentiment contract gets the price of the LP tokens from the WeightedBalancerLPOracle contract. The price oracle depends on the balance of the assets in the pool and the total supply of the LP tokens (B-33 WETH, 33 WBTC, and 33 USDC) in order to calculate the price.
Step 3:
The attacker invoked a function of the Balancer vault using a flash loan of 606 WBTC, 10,130 WETH, and 18.58 million USDC tokens, which ultimately increased the total supply of the LP token.
Step 4:
Then, the attacker withdrew the assets by calling one of the functions of the oracle contract that calculated the token price inaccurately, after which tokens including 606.8 WBTC, 1k ETH, and 17.9m USDC were subsequently transferred.
Step 5:
Amongst these transfers, the transfer of ETH tokens triggered the fallback function of the exploiter contract.
Step 6:
In the fallback function, the total supply of the LP tokens is decreased, but the recorded balances of WBTC, WETH, and USDC are not updated in the pool. This caused the price of the tokens to be tilted, allowing the attacker to borrow multiple assets at the tilted price.
Step 7:
The borrowed funds were returned, and a total profit of approximately $1 million was transferred from the attacker's address on Arbitrum to Ethereum using the Celer Network.
Aftermath#
Following the attack, the team posted on Twitter to acknowledge the occurrence of the incident.
They stated that they have taken appropriate steps to identify the root cause of the exploit and mitigate any further losses. According to them, they are in contact with law enforcement agencies and third-party security firms in order to secure the remaining funds and recover the stolen assets.
The Sentiment main contract was paused in order to restrict the protocol functionality to withdraw-only, and the team was able to remediate the vulnerability with the help of security auditors.
The team has also sent an on-chain message to the hacker that outlines a reward of $95,000 if the assets are returned by 8 AM UTC on April 6. Conversely, the reward will be distributed to those who will help in providing any relevant information about the hacker if the funds are not returned as stipulated.
Solution#
When developing smart contracts, integrations must also be considered. If reentrancy locks are already in place, numerous security solutions may be applicable for the security of the project.
The reentrancy locks can be made public so that developers can choose whether or not to revert in the event that the lock is activated. If the lock is active, revert in the view function.
Independent third-party auditors should conduct regular smart contract audits to identify vulnerabilities and recommend mitigation strategies. This can aid in identifying and addressing potential attack vectors before they are exploited by attackers.
We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if Sentiment Protocol had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference Source CertiK
