3 min read

How Was Upswing Finance Exploited?

Learn how an attacker utilized a flash loan attack to manipulate the price of Upswing Finance.

how-was-upswing-finance-exploited

TL;DR#

On January 17, 2023, a flash loan attack on Upswing Finance resulted in the loss of approximately 22.58 ETH, worth $35,800.

Introduction to Upswing Finance#

The domain for Upswing Finance cannot resolve to an IP address, and their Twitter account provides no project-specific details.

Vulnerability Assessment#

The vulnerability stems as a result of a flash loan attack, owing to the design flaw of UPStkn token, which allowed the hacker to manipulate its price in the liquidity pool.

Steps#

Step 1:

We took a closer look at the attack transaction executed by the exploiter, and the attack contract deployed by them.

Step 2:

According to the logic in the _transfer function of the contract, $UPStkn token would be accumulated when transferring, specifically if the receiving address is a pair address.

upswing-finance-transfer-function

Step 3:

If the receiver is a UNI pool, the amount of $UPStkn token in the pool will be burned, which will alter the pool pricing and provide the hacker an opportunity to make profit from it.

upswing-finance-release-function

Step 4:

The attacker utilized about 18 swaps to lift $UPStkn token selling pressure, exchanging 1.31 ETH for 136,299.97 UPStkn tokens.

Step 5:

The attacker transferred 0 UPStkn tokens to himself to trigger the internal function releasePressure, which burned the LP's 573,300.39 UPStkn tokens in order to increase the price of UPStkn.

Step 6:

The attacker then sold the earlier obtained 136,299.97 UPStkn for a profit of 22.589 ETH after manipulating the token price.

Aftermath#

The project appears to be dormant since October 2020. The circumstance appears sketchy, with few updates on their Twitter account and limited availability of members on Telegram. There has been no acknowledgement of the incident by the team.

Solution#

Attacks of such nature leading to oracle price manipulation can also be regulated to a greater extent using data providers like ChainLink.

We discovered that the team had completed their protocol audit through one of the industry audit firm. Although this is a positive step toward securing the protocol, it's critical to remember that relying on a single security partner for an audit may not provide a comprehensive review of all potential vulnerabilities. Any team should conduct further security evaluations with multiple partners to make sure that all potential vulnerabilities have been identified and addressed in order to further secure the protocol. This strategy can help to ensure the safety of users' assets and aid to provide a more full understanding of the security of the protocol.

We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if the team associated with Upswing Finance had a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.

Users who purchase our parametric cover policy do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident like this is resolved through our governance system.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference Source QuillAudits

By