How Was Wise Lending Exploited?


Learn how Wise Lending was exploited, resulting in a loss of assets worth $464,000.

TL;DR

On January 12, 2024, the Wise Lending protocol was exploited on the Ethereum Mainnet due to a smart contract vulnerability, which resulted in a loss of over 177 ETH worth approximately $464,000.

Introduction to Wise Lending

Wise Lending is a fully decentralized lending and borrowing protocol.

Vulnerability Assessment

The root cause of the exploit is precision loss in the smart contract's share calculations.

Steps

Step 1:

We attempt to analyze the attack transaction executed by the exploiter.

Step 2:

The exploiter took advantage of a nearly empty PLP-stETH-Dec2025 market in Wise Lending, which was deployed just a day prior to the attack incident, in order to inflate the share price.

/**
 * @dev Helper function to convert {_amount}
 * of a certain pool with {_poolToken}
 * into lending shares. Includes division
 * by zero and share security checks.
 * Needs latest pseudo amount for accurate
 * result.
 */
function calculateLendingShares(address _poolToken, uint256 _amount, bool _maxSharePrice) public view returns (uint256) {
  return _calculateShares(lendingPoolData[_poolToken].totalDepositShares * _amount, lendingPoolData[_poolToken].pseudoTotalPool, _maxSharePrice);
}

Step 3:

The subsequent calculation of the share distribution could easily result in a precision loss, following which most of the funds in the lending markets were borrowed by utilizing a substantial flash loan of 1,100 ETH.

The protocol used rounding up when calculating share withdrawals, allowing the attacker to repeatedly call the withdraw function with a unit amount.

function _calculateShares(
  uint256 _product,
  uint256 _pseudo,
  bool _maxSharePrice
)
  private
  pure
  returns (uint256)
{
  return _maxSharePrice == true
    ? _product % _pseudo == 0
      ? _product / _pseudo
      : _product / _pseudo + 1
    : _product / _pseudo;
}

Step 4:

This caused a mismatch between the protocol token balance and shares, enabling the attacker to manipulate prices for profits.

Step 5:

The protocol had implemented specific defenses against this type of attack, but these measures were either circumvented or turned against the protocol itself.

To execute a rounding donation attack successfully, one of the following conditions must be met: emptying or nearly emptying one key value, greatly increasing another key figure, or exploiting any resultant rounding discrepancies.

Step 6:

The protocol assessed whether there had been an increase in funds since the last action concluded and capped any additional gains to a specific amount over a period. Consequently, a direct transfer of funds to the contract wouldn't have a significant impact.

The protocol's design consistently favored itself over the user in terms of rounding. When depositing, the number of shares allocated would be rounded down, and during withdrawals, the number of shares to be burned would be rounded up.

Step 7:

Per reports, the attacker initially made a minimal deposit and then donated an amount just below the threshold. This maneuver successfully passed the check, despite the donation being 5,000,000 times greater than the initial deposit in terms of percentage.

The attacker then exploited the protocol's rounding method, which was biased against the user, by conducting a series of deposits and withdrawals designed to lose the maximum funds due to rounding, effectively transferring wealth to the protocol.

Step 8:

This implies that the checks for external donations were entirely overlooked, as these deliberate losses by the user occurred within the protocol's activities. The gains from rounding were immediately integrated into the protocol's fundamental figures and didn't seem to originate from yield or transferred funds.

Step 9:

At the time of this writing, the exploiter has already transferred all of the stolen assets worth 178.9377 ETH, amounting to $455,666, to this address.

Aftermath

The team, so far, hasn't acknowledged the occurrence of the exploit.

Solution

Addressing the exploit in Wise Lending requires a comprehensive and nuanced approach to enhance security and safeguard user assets. A key aspect of this strategy involves the implementation of robust mathematical functions within smart contracts to handle high-precision calculations. It is essential to use libraries or frameworks designed specifically for safe arithmetic operations in smart contract environments. Developers must ensure accurate handling of division, multiplication, and rounding operations to prevent precision loss, which can be exploited by malicious actors.

An additional protective measure is to implement checks and balances for markets with zero balance, especially when they are newly deployed. This could involve temporarily disabling certain functionalities until a minimum liquidity threshold is met or implementing time-locked functionalities that gradually introduce features as the market stabilizes. Monitoring tools can be set up to flag any unusual activity in these markets, allowing for prompt intervention if needed.

Moreover, to avoid the exploitation of empty pools, practices such as those adopted by Uniswap-based pools should be considered. Uniswap V2 reserves a minimum amount from the first deposit in a pool and sends the LP tokens to a dead address. Some protocols also ensure governance deposits to their new pools in the same transaction that activates them. Additionally, many modern vaults, instead of using only shares and assets, store the shares-to-assets ratio, calculate from that, and only allow slow changes to it. This approach, often decoupled from user actions, prevents anything internal or external from causing rapid inflation.
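The effect of the Uniswap V2-style minimum and of a slow-moving share ratio, as an added example (a Python integer model written for this page, not Wise Lending's or Neptune Mutual's code). It mirrors the rounding in the quoted `_calculateShares` and measures how far a single unit withdrawal moves the share price in a nearly empty pool versus a seeded one; the pool states, `MAX_DRIFT_BPS` and all helper names are constructed for illustration.

```python
from dataclasses import dataclass

def calculate_shares(product: int, pseudo: int, max_share_price: bool) -> int:
    """Mirror of the quoted _calculateShares: floor, or round up if requested."""
    quotient, remainder = divmod(product, pseudo)
    return quotient + 1 if (max_share_price and remainder) else quotient

@dataclass
class Pool:
    pseudo_total_pool: int     # assets accounted to depositors
    total_deposit_shares: int  # shares outstanding

    def price_e18(self) -> int:
        """Assets per share, scaled by 1e18."""
        return self.pseudo_total_pool * 10**18 // self.total_deposit_shares

    def withdraw(self, amount: int) -> int:
        """Burn shares for `amount` assets, rounding up as described above."""
        burned = calculate_shares(
            self.total_deposit_shares * amount, self.pseudo_total_pool, True)
        self.pseudo_total_pool -= amount
        self.total_deposit_shares -= burned
        return burned

MAX_DRIFT_BPS = 10  # hypothetical policy: one action may move the price <= 0.1%

def drift_bps(pool: Pool, amount: int) -> int:
    """Share-price change in basis points caused by one withdrawal."""
    before = pool.price_e18()
    pool.withdraw(amount)
    return (pool.price_e18() - before) * 10_000 // before

def guard_ok(pool: Pool, amount: int) -> bool:
    """Rate-limit invariant a monitor or the contract could enforce."""
    return drift_bps(pool, amount) <= MAX_DRIFT_BPS

def thin_pool() -> Pool:
    """Constructed state: day-old market holding 2 shares against 1,000 units."""
    return Pool(pseudo_total_pool=1_000, total_deposit_shares=2)

def seeded_pool() -> Pool:
    """Same surplus, but 10**6 shares were locked 1:1 when the market opened."""
    return Pool(pseudo_total_pool=1_000 + 10**6, total_deposit_shares=2 + 10**6)

if __name__ == "__main__":
    print("thin pool drift (bps):  ", drift_bps(thin_pool(), 1))
    print("seeded pool drift (bps):", drift_bps(seeded_pool(), 1))
```

In the thin pool the rounded-up burn removes half of the outstanding shares for one unit of assets, so the price nearly doubles and the guard trips; with locked shares the same action rounds to no measurable drift.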

Formal verification is a powerful tool for ensuring the security and correctness of smart contracts. It involves mathematically proving that the code behaves as intended under all possible conditions. By applying formal verification techniques, developers can identify and rectify potential vulnerabilities and logic errors that might not be evident through traditional testing methods.

Despite the implementation of rigorous security measures, vulnerabilities can still be exploited. In such scenarios, Neptune Mutual plays a critical role. Establishing a dedicated cover pool with Neptune Mutual could significantly reduce the impact of attacks like the one on Wise Lending. We provide coverage for losses incurred due to smart contract vulnerabilities, thanks to our parametric policies.

Partnering with Neptune Mutual simplifies the process for users, eliminating the complex task of submitting detailed proof of loss. After an incident is verified and resolved using our incident resolution framework, we shift our focus to promptly compensating affected users and offering immediate financial support.

Our marketplace spans several major blockchain networks, such as Ethereum, Arbitrum, and the BNB chain. This wide reach allows us to serve a broad range of DeFi users, offering protection against vulnerabilities and bolstering their confidence in the ecosystem.

Reference source: PeckShield
