Understanding the Civilization Exploit


Learn how Civilization was exploited, resulting in a loss of funds worth 96.7 ETH.

TL;DR

On July 8, 2023, an old contract belonging to Civilization was exploited, resulting in a loss of 96.7 ETH, worth approximately $179,000.

Introduction to Civilization

Civilization is a decentralized cryptocurrency investment fund.

Vulnerability Assessment

The root cause of the exploit is a vulnerability in how the function that creates limit orders on Uniswap handles token approvals.

Steps

Step 1:

We attempt to analyze one of the attack transactions executed by the exploiter.

Step 2:

The exploiter abused token approvals granted to the vulnerable contract to trigger its callback function, which sends funds directly to the Uniswap pools as sell orders.

Step 3:

As a result, tokens such as CIV and USDC that users had approved to the CIVNFT contract were stolen and sent to the attacker.

Step 4:

The exploited funds, totaling approximately 96.7 ETH, were sent to this address and then laundered through Tornado Cash.

Aftermath

Following the exploit, the team acknowledged the incident and stated that the CivTrade contract had been put on hold. Neither the contract nor the users' wallets were breached; the attacker was only able to abuse approvals granted to the contract, through a callback function that sends funds directly to Uniswap pools to create sell orders.
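The callback pattern described above, as an added illustration that is not Civilization's code: the weak shape lets any caller make the contract spend allowances users granted it, while the hardened shape only honours a callback from the pool of an order the contract is itself filling, and only moves that order's own funds. All contract, struct and function names here are assumed; the Uniswap V3 `swap` and `uniswapV3SwapCallback` signatures are the real ones.

```solidity
pragma solidity ^0.8.0;
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IUniswapV3Pool {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function swap(address recipient, bool zeroForOne, int256 amountSpecified,
        uint160 sqrtPriceLimitX96, bytes calldata data) external returns (int256, int256);
}
// Weak shape implied by the incident write-up (assumed, not the project's code): the callback
// trusts its caller and its arguments, so it will spend any allowance a user granted to it.
contract LimitOrderWeak {
    function uniswapV3SwapCallback(int256, int256, bytes calldata data) external {
        (address payer, address token, uint256 amount) = abi.decode(data, (address, address, uint256));
        IERC20(token).transferFrom(payer, msg.sender, amount); // msg.sender is never verified
    }
}
// Hardened shape: the callback runs only while this contract is filling a stored order,
// accepts only the pool that order names, and moves only that order's token and amount.
contract LimitOrderHardened {
    struct Order { address owner; address pool; address tokenIn; uint256 amount; }
    mapping(uint256 => Order) public orders;
    uint256 public nextOrderId;
    uint256 private activeOrderId; // non-zero only for the duration of fillOrder
    function createLimitOrder(address pool, address tokenIn, uint256 amount) external returns (uint256 id) {
        id = ++nextOrderId;
        orders[id] = Order(msg.sender, pool, tokenIn, amount); // bound to the creator's own funds
    }
    function fillOrder(uint256 id, bool zeroForOne, uint160 sqrtPriceLimitX96) external {
        Order memory o = orders[id];
        require(o.owner != address(0), "unknown order");
        activeOrderId = id; // arms the callback for exactly this order
        IUniswapV3Pool(o.pool).swap(o.owner, zeroForOne, int256(o.amount), sqrtPriceLimitX96, "");
        activeOrderId = 0;
        delete orders[id];
    }
    function uniswapV3SwapCallback(int256 amount0Delta, int256 amount1Delta, bytes calldata) external {
        Order memory o = orders[activeOrderId];
        require(activeOrderId != 0 && msg.sender == o.pool, "unexpected callback");
        IUniswapV3Pool pool = IUniswapV3Pool(msg.sender);
        // The positive delta is what the pool is owed; a negative value cast to uint256 wraps
        // to a huge number and is rejected by the amount check below.
        (address owedToken, uint256 owed) = amount0Delta > 0
            ? (pool.token0(), uint256(amount0Delta)) : (pool.token1(), uint256(amount1Delta));
        require(owedToken == o.tokenIn && owed <= o.amount, "pool asks for the wrong funds");
        require(IERC20(o.tokenIn).transferFrom(o.owner, msg.sender, owed), "transfer failed");
    }
}
```

The three checks in the hardened callback (an order is in progress, the caller is that order's pool, the token and amount match the order) are each individually necessary; dropping any one of them reopens a path for a third party to spend a user's allowance.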

Solution

As part of the Neptune Mutual team, we believe this situation reemphasizes the importance of security measures and protective protocols in the DeFi space. Our first recommendation is regular and comprehensive audits for all smart contracts. Although Civilization had some security measures in place, it appears they were insufficient to prevent this incident.

Secondly, users should always exercise caution when granting approvals to contracts. The attacker in this case was able to exploit these approvals to their advantage, ultimately leading to the loss of 96.7 ETH.

The incident also underscores the value of DeFi insurance in reducing the impact of such attacks. Had the Civilization team set up a dedicated cover pool in the Neptune Mutual marketplace, the damage inflicted on its users could have been significantly mitigated.

Neptune Mutual provides coverage for losses stemming from exploits such as this, shielding users from the fallout of smart contract vulnerabilities. If the affected users had Neptune Mutual's parametric coverage in place, they could have claimed their losses quickly and efficiently, without the need for loss evidence, thanks to our expedited claims system once the incident is resolved.

Our marketplace is available on multiple popular blockchain networks, including Ethereum, Arbitrum, and the BNB Chain. This broad reach allows us to serve a diverse array of DeFi users, offering them protection from potential vulnerabilities and bolstering their confidence in the ecosystem.

But Neptune Mutual goes beyond providing coverage. We also conduct evaluations of platforms covering web security, DNS, frontend and backend security, and intrusion detection and prevention, amongst others. This holistic approach ensures our users are safeguarded on multiple fronts, thereby fostering an enhanced level of trust within the DeFi ecosystem.

Reference Source: Beosin
