By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage and assist in our marketing efforts.
On December 14, 2022, NimbusPlatform on BSC chain was exploited using flash loan attack, with the attacker profiting 278 BNB, worth approximately $76,000.
The root cause of this vulnerability is due to the flaw in rewards computation, which only depend on the number of tokens in the pool, leading to being manipulated by flash loans, to obtain more rewards than expected.
To compute the staking reward, the price feeds of $NIMB and $GNIMB, the reward token, are required. The price of $NIMB, on the other hand, is computed using the manipulated $NIMB minus $NBU_WBNB pair.
Nimbus Exploiter Transaction Call Stack. Courtesy of BscScan.
Step 3:
As a result, the oracle can be manipulated, allowing the hacker to claim more collateral rewards.
Step 4:
The exploitor borrowed 75,477 $BNB and swapped it for $NBU_WBNB to withdraw the majority of the $NIMB from the pool.
Step 5:
Since the computation of the token reward was proportional to the ratio of $NIMB and $GNIMB in the pool, the call to the getReward function in the Staking contract enabled the hacker to obtain a far higher reward than anticipated.
Step 6:
Prior to the attack, the ratio of Nimbus Utility tokens to Nimbus Governance tokens was 0.069:1, but owing to flashloan and swap, the ratio climbed to 2919.7:1, resulting in a significantly greater payout.
Step 7:
The exploiter then swapped $GNIMB for $BNB in order to repay the flash loan.
Step 8:
The profit from these transactions are now being held at this address.
It is essential to carefully evaluate the design of the token reward in order to achieve a perfect equilibrium between the token's liquidity and security. Attacks of such nature leading to oracle price manipulation can also be regulated to a greater extent using data providers like ChainLink.
The impact of this attack could have been significantly reduced if NimbusPlatform had a dedicated cover pool in the Neptune Mutual marketplace. Our standard terms and conditions restrict coverage for exploits that originate from flash loans, however we are open to make exceptions in some cases.
Users who purchase our parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident like this is resolved through our governance system.
Additionally, auditing the smart contracts for vulnerabilities is insufficient due to the existence of varying attack vectors. Neptune Mutual's security team can also assess your preferred protocol for DNS and web-based security, smart contract evaluations, and frontend and backend security.
We have sent email confirmation. Please confirm to receive our
newsletter.
Unfortunately, something went wrong while trying to complete your
request. Please try again later. If the problem persists, do not
hesitate to let us know through the community channels.
