Taking A Closer Look at Roe Finance Exploit


A price manipulation attack on Roe Finance allowed a hacker to profit by $80,000.


On January 11, 2023, Roe Finance was exploited using a price manipulation attack, causing a loss of $80,000.

Introduction to Roe Finance

Roe Finance is a non-custodial liquidity markets protocol built on top of AAVE. It is based on the largest derivative opportunity embedded in Uniswap and tries to solve the impermanent loss for liquidity providers.

Vulnerability Assessment

The root cause of the vulnerability is the limited liquidity of the pool, which allowed the price oracle to be manipulated.


Step 1:

Let's take a close look at one of the attack transactions executed by the exploiter.

Step 2:

This attacker-controlled address initially borrowed 5,673,090 $USDC from Balancer and deposited it into the roeUSDC pool.

Step 3:

The same address borrowed 2,953,841,283 UNI-V2 from the pool, while leaving debt to the contract creator, and then proceeded to deposit the borrowed tokens to the pool.

Step 4:

After repeating the previous step roughly 49 times, the contract address burnt 0.295 UNI-V2 and earned 2.96 $WBTC and 51,661 $USDC in return.

Step 5:

They then gave 26,024 USDC to UNI-V2 and invoked the Uniswap V2 sync function. This manipulated the price of the UNI-V2 obtained from the oracle.

Step 6:

Then, they borrowed back 5,673,090 $USDC that had been put into the roeUSDC pool earlier, swapped about 0.66 $WBTC for 14,345 $USDC, and repaid the $USDC back to Balancer.

Step 7:

The profit from these steps was 2.29 $WBTC and 39,982 $USDC, roughly amounting to $80,000.


At the time of writing, the team had not acknowledged the occurrence of the incident.


Roe Finance encountered an unfortunate incident when a price manipulation attack exploited vulnerabilities within their system, resulting in a significant loss of $80,000. The vulnerability stemmed from the limited liquidity of the pool, which paved the way for the manipulation of the price oracle, leading to substantial financial losses for the platform.

In terms of a solution, while the attack method may have been difficult to predict, the importance of data providers like Chainlink in regulating oracle price manipulations becomes evident. Strengthening oracle mechanisms can help reduce the likelihood of such attacks in the future.
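To make the link between thin liquidity and oracle strength concrete, the following added example (not Roe Finance's code or oracle) models a reserve-derived LP token price and a sanity check a price consumer could apply before accepting it. The pricing formula, pool sizes, WBTC price and thresholds are assumptions constructed for illustration; only the 26,024 USDC amount comes from Step 5.

```python
class Pair:
    """Toy Uniswap V2-style USDC/WBTC pair; all pool figures are constructed."""
    def __init__(self, usdc, wbtc, lp_supply):
        self.reserve_usdc = self.balance_usdc = usdc
        self.reserve_wbtc = wbtc
        self.lp_supply = lp_supply

    def donate_usdc(self, amount):
        self.balance_usdc += amount            # plain transfer; reserves are now stale

    def sync(self):
        self.reserve_usdc = self.balance_usdc  # reserves catch up with balances

def tvl_usd(pair, wbtc_usd):
    return pair.reserve_usdc + pair.reserve_wbtc * wbtc_usd

def lp_price(pair, wbtc_usd):
    """Assumed naive oracle: pool value at current reserves, per LP token."""
    return tvl_usd(pair, wbtc_usd) / pair.lp_supply

def price_jump(pair, donation, wbtc_usd):
    """Ratio of the reported LP price after donate + sync to the price before."""
    before = lp_price(pair, wbtc_usd)
    pair.donate_usdc(donation)
    pair.sync()
    return lp_price(pair, wbtc_usd) / before

def guarded_lp_price(pair, wbtc_usd, last_price, min_tvl_usd, max_move):
    """Refuse a price from a pool that is too thin or that moved too far."""
    if tvl_usd(pair, wbtc_usd) < min_tvl_usd:
        raise ValueError("pool liquidity below floor")
    price = lp_price(pair, wbtc_usd)
    if abs(price - last_price) / last_price > max_move:
        raise ValueError("price moved more than max_move since last update")
    return price

WBTC_USD = 20_000.0   # constructed reference price
DONATION = 26_024.0   # USDC amount from Step 5

def demo():
    thin = Pair(usdc=1_000.0, wbtc=0.05, lp_supply=0.01)            # constructed
    deep = Pair(usdc=5_000_000.0, wbtc=250.0, lp_supply=30_000.0)   # constructed
    return price_jump(thin, DONATION, WBTC_USD), price_jump(deep, DONATION, WBTC_USD)

if __name__ == "__main__":
    thin_jump, deep_jump = demo()
    print(f"thin pool: x{thin_jump:.2f}, deep pool: x{deep_jump:.4f}")
```

The same transfer multiplies the reported price on the thin pool and barely moves it on the deep one, which is why a liquidity floor and a per-update deviation bound are useful checks on any reserve-derived price.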

In an effort to alleviate the aftermath and potential impact of such attacks, Neptune Mutual emerges as a crucial asset. Although we may not have prevented the hack itself, having a dedicated cover pool within the Neptune Mutual marketplace could have significantly mitigated the resulting losses for Roe Finance. Our parametric policies empower users who experience losses due to smart contract vulnerabilities to claim payouts without the cumbersome requirement of exhaustive loss evidence, enabling swift recovery once incidents are resolved through our governance system.

Neptune Mutual's commitment to security also involves a comprehensive evaluation of the platform, encompassing DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other vital security considerations.

Reference source: BlockSec