TL;DR#
On June 10, 2023, Atlantis Loans was the target of a governance attack, which resulted in a loss of funds worth over $1.15 million.
Introduction to Atlantis Loans#
Atlantis Loans is a DeFi lending protocol on the BNB chain.
Vulnerability Assessment#
The exploiter was able to set themselves up as the administrator of the token's proxy contract, thus gaining control over and manipulating its functionalities.
Steps#
Step 1:
We attempted to analyse one of the attack transactions executed by the exploiter.
Step 2:
The attacker earlier created a malicious governance proposal in the GovernorBravo contract on June 7, 2023, by setting the admin of multiple ABep20Delegator contracts as malicious contracts, which effectively voted to pass the proposal.
Step 3:
The attacker can execute the proposal after the time lock expires because the GovernorBravo contract only considers the unlock time via the ETA parameter when adding the proposal to the queue.
Step 4:
The malicious contract was set up as a proxy contract admin for all tokens after a lockup period of 172,800 seconds, and the exploiter then altered the ABep20Delegate implementation address to the contract containing the backdoor function.
Step 5:
This modified implementation to include the backdoor allowed them to transfer the assets of the users who had authorized and interacted with the protocol.
Step 6:
At the time of this writing, this address controlled by the attacker holds approximately $1,159,805 worth of funds.
Step 7:
The exploiter had also submitted the same malicious proposal with ID 49 on April 12, 2023, but it did not pass the quorum.
Solution#
DeFi attacks such as this one against Atlantis Loans underline the necessity for consistent vigilance and proactivity within the blockchain space. Users could have minimized their potential losses by revoking their permissions for the now-defunct Atlantis Loans contracts. However, an even stronger level of protection can be achieved by integrating several risk management strategies.
In the unfortunate event of such an attack, having a dedicated cover pool set up with Neptune Mutual could have appreciably diminished the financial impacts for the Atlantis Loans team and its users. Neptune Mutual offers coverage to users who have encountered losses of funds or digital assets due to smart contract vulnerabilities, leveraging their unique parametric policies.
When users opt for Neptune Mutual's parametric cover policies, they are safeguarded against the financial aftermath of such vulnerabilities. These policies do not require policyholders to provide evidence of their losses in order to receive payouts. Rather, payouts can be claimed as soon as an incident has been confirmed and resolved through Neptune Mutual's comprehensive incident resolution system.
Furthermore, Neptune Mutual's marketplace operates on Ethereum and Arbitrum, two of the most popular blockchain networks, ensuring its solutions are readily accessible for a broad range of DeFi projects.
In addition, Neptune Mutual's security team provides an array of cybersecurity evaluation services. These include assessments for DNS and web-based security, frontend and backend security, as well as intrusion detection and prevention mechanisms. These evaluations can highlight potential vulnerabilities and weak points, offering teams like Atlantis Loans invaluable insights into how they can further fortify their platforms.
Reference Source Numen
