3 min read

Nimbus Platform Flash Loan Attack

On December 14, 2022, NimbusPlatform was exploited using flash loan attack

Nimbus Platform Flash Loan Attack Cover

TL;DR#

On December 14, 2022, NimbusPlatform on BSC chain was exploited using flash loan attack, with the attacker profiting 278 BNB, worth approximately $76,000.

Introduction to Nimbus#

Nimbus is a DAO-governed platform that provides users with multiple earning strategies backed up by numerous levels of risk control.

Vulnerability Assessment#

The root cause of this vulnerability is due to the flaw in rewards computation, which only depend on the number of tokens in the pool, leading to being manipulated by flash loans, to obtain more rewards than expected.

Steps#

Step 1:

We attempted to decode the attack transaction executed by the preparator.

Step 2:

To compute the staking reward, the price feeds of $NIMB and $GNIMB, the reward token, are required. The price of $NIMB, on the other hand, is computed using the manipulated $NIMB minus $NBU_WBNB pair.

Nimbus Exploiter Transaction Call Stack

Nimbus Exploiter Transaction Call Stack. Courtesy of BscScan.

Step 3:

As a result, the oracle can be manipulated, allowing the hacker to claim more collateral rewards.

Step 4:

The exploitor borrowed 75,477 $BNB and swapped it for $NBU_WBNB to withdraw the majority of the $NIMB from the pool.

Nimbus Exploiter Flash Loan Borrow

Step 5:

Since the computation of the token reward was proportional to the ratio of $NIMB and $GNIMB in the pool, the call to the getReward function in the Staking contract enabled the hacker to obtain a far higher reward than anticipated.

Step 6:

Prior to the attack, the ratio of Nimbus Utility tokens to Nimbus Governance tokens was 0.069:1, but owing to flashloan and swap, the ratio climbed to 2919.7:1, resulting in a significantly greater payout.

Step 7:

The exploiter then swapped $GNIMB for $BNB in order to repay the flash loan.

Step 8:

The profit from these transactions are now being held at this address.

Aftermath#

The team hasn’t provided any coverage to the incident.

Solution#

It is essential to carefully evaluate the design of the token reward in order to achieve a perfect equilibrium between the token's liquidity and security. Attacks of such nature leading to oracle price manipulation can also be regulated to a greater extent using data providers like ChainLink.

The impact of this attack could have been significantly reduced if NimbusPlatform had a dedicated cover pool in the Neptune Mutual marketplace. Our standard terms and conditions restrict coverage for exploits that originate from flash loans, however we are open to make exceptions in some cases.

Users who purchase our parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident like this is resolved through our governance system.

Additionally, auditing the smart contracts for vulnerabilities is insufficient due to the existence of varying attack vectors. Neptune Mutual's security team can also assess your preferred protocol for DNS and web-based security, smart contract evaluations, and frontend and backend security.

Reference Source BlockSecSlowMist

By