Taking A Closer Look at Roe Finance Exploit

A price manipulation attack on Roe Finance allowed a hacker to profit by $80,000


On January 11, 2023, Roe Finance was exploited using a price manipulation attack, causing a loss of $80,000.

Introduction to Roe Finance

Roe Finance is a non-custodial liquidity markets protocol built on top of AAVE. It is based on the largest derivative opportunity embedded in Uniswap and tries to solve impermanent loss for liquidity providers.

Vulnerability Assessment

The root cause of the vulnerability is the limited liquidity of the pool, which allowed the price oracle to be manipulated.


Step 1:

Let's take a close look at one of the attack transactions executed by the exploiter.

Step 2:

This attacker-controlled address initially borrowed 5,673,090 $USDC from Balancer and deposited them into the roeUSDC pool.

Step 3:

The same address borrowed 2,953,841,283 UNI-V2 from the pool, while leaving debt to the contract creator, and then proceeded to deposit the borrowed tokens to the pool.

Step 4:

After repeating the previous step roughly 49 times, the contract address burnt 0.295 UNI-V2 and earned 2.96 $WBTC and 51,661 $USDC in return.

Step 5:

They then transferred 26,024 $USDC to UNI-V2 and invoked the Uniswap V2 sync function. This manipulated the price of UNI-V2 obtained from the oracle.

Step 6:

Then, they borrowed back the 5,673,090 $USDC that had been put into the roeUSDC pool earlier, swapped about 0.66 $WBTC for 14,345 $USDC, and repaid the $USDC to Balancer.

Step 7:

The profit from these steps was 2.29 $WBTC and 39,982 $USDC, roughly amounting to $80,000.


At the time of writing, the team had not acknowledged the occurrence of the incident.


Attacks of this nature, which rely on oracle price manipulation, can be mitigated to a greater extent by using data providers like Chainlink.
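The kind of independent-feed check referred to above, sketched as an added example (not Roe Finance's or Neptune Mutual's code): it compares a pair's reserve-implied price with a reference price and enforces a liquidity floor before the reserves are trusted as a price source. The pool sizes, the reference price, the thresholds and the names `Pair` and `check_oracle_read` are assumptions; only the 26,024 USDC transfer followed by sync comes from Step 5.

```python
from dataclasses import dataclass

@dataclass
class Pair:
    """Constructed model of a Uniswap V2 style USDC/WBTC pair (whole-token units)."""
    usdc: float
    wbtc: float

    def donate_and_sync(self, usdc_amount: float) -> "Pair":
        # A direct token transfer followed by sync() updates reserves without a swap.
        return Pair(self.usdc + usdc_amount, self.wbtc)

    def spot_wbtc_price(self) -> float:
        # Reserve ratio: the price a purely reserve-based oracle would read.
        return self.usdc / self.wbtc

def check_oracle_read(pair, ref_wbtc_usd, max_deviation=0.02, min_depth_usd=1_000_000):
    """Return (ok, reasons) for trusting the pair's reserves as a price source.

    ref_wbtc_usd stands in for an independent feed; both thresholds are assumptions.
    """
    reasons = []
    deviation = abs(pair.spot_wbtc_price() - ref_wbtc_usd) / ref_wbtc_usd
    if deviation > max_deviation:
        reasons.append(f"spot deviates {deviation:.1%} from reference")
    depth_usd = pair.usdc + pair.wbtc * ref_wbtc_usd  # USDC valued at $1
    if depth_usd < min_depth_usd:
        reasons.append(f"pool depth ${depth_usd:,.0f} below floor")
    return (not reasons, reasons)

REF = 20_000.0                               # constructed reference WBTC price
DONATION = 26_024.0                          # USDC amount from Step 5
thin = Pair(usdc=1_000.0, wbtc=0.05)         # constructed low-liquidity pool
deep = Pair(usdc=10_000_000.0, wbtc=500.0)   # constructed deep pool

if __name__ == "__main__":
    for name, pool in (("thin", thin), ("deep", deep)):
        after = pool.donate_and_sync(DONATION)
        ok, reasons = check_oracle_read(after, REF)
        print(f"{name}: spot after sync = {after.spot_wbtc_price():,.2f}, ok={ok}, {reasons}")
```

The same transfer moves the constructed thin pool's implied price by a factor of about 27 and the deep pool's by about 0.26%, and the liquidity floor flags the thin pool even before any transfer happens.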

We may not have prevented the occurrence of this hack; however, the impact or aftermath of this attack could have been significantly reduced if Roe Finance had a dedicated cover pool in the Neptune Mutual marketplace. We generally exclude events originating from price manipulation attacks; however, owing to our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.

Users who purchase our parametric cover policy do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident like this is resolved through our governance system.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

