TL;DR#
On April 4, 2023, Sentiment Protocol was exploited on Arbitrum Chain due to a read-only reentrancy vulnerability, resulting in a loss of approximately $1 million.
Introduction to Sentiment#
Sentiment is a liquidity protocol that permits on-chain permissionless undercollateralized borrowing.
Vulnerability Assessment#
The root cause of the exploit is the well-known re-entrancy vulnerability of Balancer, due to which the attacker was able to execute a malicious contract before updating the pool balances in order to steal the funds using an overpriced collateral.
Steps#
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
The Sentiment contract gets the price of the LP tokens from the WeightedBalancerLPOracle contract. The price oracle depends on the balance of the assets in the pool and the total supply of the LP tokens (B-33 WETH, 33 WBTC, and 33 USDC) in order to calculate the price.
Step 3:
The attacker invoked a function of the Balancer vault using a flash loan of 606 WBTC, 10,130 WETH, and 18.58 million USDC tokens, which ultimately increased the total supply of the LP token.
Step 4:
Then, the attacker withdrew the assets by calling one of the functions of the oracle contract that calculated the token price inaccurately, after which tokens including 606.8 WBTC, 1k ETH, and 17.9m USDC were subsequently transferred.
Step 5:
Amongst these transfers, the transfer of ETH tokens triggered the fallback function of the exploiter contract.
Step 6:
In the fallback function, the total supply of the LP tokens is decreased, but the recorded balances of WBTC, WETH, and USDC are not updated in the pool. This caused the price of the tokens to be tilted, allowing the attacker to borrow multiple assets at the tilted price.
Step 7:
The borrowed funds were returned, and a total profit of approximately $1 million was transferred from the attacker's address on Arbitrum to Ethereum using the Celer Network.
Aftermath#
Following the attack, the team posted on Twitter to acknowledge the occurrence of the incident.
They stated that they have taken appropriate steps to identify the root cause of the exploit and mitigate any further losses. According to them, they are in contact with law enforcement agencies and third-party security firms in order to secure the remaining funds and recover the stolen assets.
The Sentiment main contract was paused in order to restrict the protocol functionality to withdraw-only, and the team was able to remediate the vulnerability with the help of security auditors.
The team has also sent an on-chain message to the hacker that outlines a reward of $95,000 if the assets are returned by 8 AM UTC on April 6. Conversely, the reward will be distributed to those who will help in providing any relevant information about the hacker if the funds are not returned as stipulated.
Solution#
This incident on Sentiment Protocol underscores the complex nature of DeFi exploits, particularly when intricate mechanisms like on-chain oracles and flash loans are at play. The presence of the re-entrancy vulnerability in the Balancer, which was key to this exploit, highlights the essence of a holistic security approach, not just at the smart contract level but also at the integration level.
It's worth noting that integration is as significant as the development of the main contract. When working with contracts and their interdependencies, one cannot simply rely on inbuilt security mechanisms like reentrancy locks. Instead, these locks should be made transparent, allowing developers the discretion to intervene when abnormal behaviors are detected.
However, while proactive measures are essential, reactive solutions hold equal significance. Independent third-party audits are vital and can shed light on hidden vulnerabilities and suggest potential countermeasures. Yet, what happens after a security breach is equally, if not more, crucial.
This is where Neptune Mutual comes into play. Even if the hack had taken place, the devastating financial aftermath could have been significantly alleviated had Sentiment Protocol integrated with Neptune Mutual. We at Neptune Mutual offer specialized coverage against losses stemming from smart contract vulnerabilities, thanks to our intuitive parametric policies. Such a partnership would have ensured that affected users were not left stranded but instead were reassured by the prompt payouts from our incident resolution system.
Furthermore, purchasing these parametric cover policies from Neptune Mutual would have freed users from the cumbersome task of providing loss evidence. In the aftermath of an already distressing situation, such streamlined processes make a world of difference. With our presence on both Ethereum and Arbitrum, we offer a broad coverage range, effectively serving a diverse array of DeFi users.
Lastly, it's not just about compensation. Our specialized security team at Neptune Mutual, with its vast expertise, could have evaluated Sentiment Protocol from multiple vantage points, including DNS, web-based security, and intrusion detection, ensuring that all possible vulnerabilities are addressed and secured.
Reference Source CertiK
