TL;DR#
On August 14, 2023, Rocketswap was exploited, which resulted in a loss of 471 ETH, worth approximately $868,000.
Introduction to Rocketswap#
RocketSwap is a protocol to trade on Base and provide liquidity automatically.
Vulnerability Assessment#
The root cause of the exploit is due to the compromise of the private keys.
Steps#
Step 1:
We attempt to analyze the attack transaction executed by the exploiter.
Step 2:
According to the team, they needed to use offline signatures when deploying the launchpad and put the private keys on the server.
Step 3:
The attacker apparently performed a brute force attack on the server and exploited a proxy contract used for the farm contract, which led to the unauthorized asset transfers.
Step 4:
The attacker swapped the stolen assets for 472 ETH and bridged them to Ethereum via the Stargate bridge.
Step 5:
The funds are currently held at the attacker's address and in a uniswap V2 LoveRCKT pool they created.
Aftermath#
Following the exploit, the team acknowledged the occurrence of the exploit and stated that they had detected an anomaly on the farm contracts.
They shut down the contracts to prevent further damage and worked on an emergency plan. Meanwhile, their Telegram group was banned for the time being, and posts on Twitter were only allowed to be commented on by users whom they explicitly mentioned in each of the threads.
According to them, they will introduce a new open-sourced farm contract, advancing the production reduction by 0.075 per block. Minting rights will be relinquished, with only low-risk pool allocation rights retained. Initial liquidity and 80k tokens will be locked for an additional year, and LaunchPad updates will continue. Telegram groups will reopen post-stabilization, and they also urged hackers to return the stolen assets.
They also devised an airdrop program, specifically aimed at compensating those users who suffered damage to their farms and vaults.
Solution#
The exploit of Rocketswap serves as a poignant reminder of the vulnerabilities inherent to the rapidly evolving digital asset industry. At the core of the problem was the decision to store private keys on a server, a critical security lapse, especially when they were used for offline signatures during the launchpad deployment. This oversight made the server a prime target for attackers, eventually resulting in unauthorized asset transfers through a proxy contract linked to the farm contract.
It is imperative to understand that private keys must never be stored on servers. They should be kept offline in cold storage, isolated from potential online threats. When it's necessary to use them, one should consider hardware-based signing methods, like hardware security modules (HSMs) or secure enclave technologies. For crucial decisions or transactions, one should adopt a multi-signature mechanism, ensuring that a single compromised key doesn't grant full access.
The DeFi space, while promising, has its fair share of pitfalls. Rugpulls, scams, and exploits have unfortunately become commonplace. As users, it's imperative to exercise caution and carry out due diligence. A transparent team with a proven track record in the blockchain space can offer some reassurance. Users should also delve deep into the use case of the token and how it fits into the larger ecosystem. Tokenomics should align with the project's long-term vision, and the distribution should be fair and transparent. A vibrant and engaged community can also be a good indicator of a project's credibility.
Although rigorous security measures are essential, vulnerabilities can sometimes emerge. This is where Neptune Mutual becomes invaluable, offering protection for users. Had Rocketswap partnered with Neptune Mutual to set up a specific coverage pool before the incident, the fallout might have been significantly mitigated. At Neptune Mutual, we understand the intricacies of the DeFi landscape, which is why we offer coverage to users who might face losses from vulnerabilities in smart contracts.
Our avant-garde parametric policies ensure that users are not mired in bureaucratic processes when proving their losses. Instead, they can readily claim their payouts, post an incident's confirmation and resolution through our rigorous incident resolution framework.
Our marketplace is available on several renowned blockchain networks, including Ethereum, Arbitrum, and the BNB chain. With this expansive network, we cater to a vast range of DeFi enthusiasts, shielding them from potential risks and bolstering their trust in the ecosystem.
Reference Source Beosin
