$0 USD

JANUARY 2021

GLOBAL

ARMOR FINANCE

DESCRIPTION OF EVENTS

"Armor is a decentralized brokerage for cover underwritten by Nexus Mutual's blockchain-based insurance alternative." "ArmorFi provides insurance for DeFi protocols. When withdrawing the amount agreed by the coverage policy, the amount returned is in wei but was treated as ether by mistake, converting it to wei again and returning 10^18 times more wei than it should."


"Alexander Schlindwein @bobface16, CTO of Idea Markets, found a critical bug before it went fully live!" "On January 30, Alexander Schlindwein, CTO of Ideamarkets, submitted a critical bug to Immunefi for ArmorFi’s smart contract code. Armor, which had joined the Immunefi platform about a week prior, had just upgraded the size of its bug bounty to 1,000,000 mostly vested $ARMOR tokens, and the upgrade was too tempting to ignore." "[T]he bounty went from about $23,000 USD to $700,000 USD, and within about a day, a critical vuln landed in our inbox."


"The way this vulnerability works is relatively simple: some user with coverage makes a claim against a coverage pool in Armor, presumably after suffering some sort of event covered by the policy. However, rather than withdrawing the amount of the policy, the exploit allows them to get 10^18 as much as they purchased. A single dollar worth of coverage could have enabled a malicious attacker to withdraw far more assets than available. In ClaimManager.sol, line 62 uint256 payment = _amount * 10 ** 18; should not have been present in the contract."
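
A minimal reconstruction of the defect the two quotes above describe, added here as an illustration; it is not Armor's ClaimManager.sol and the contract names, the coverageOf mapping and the payClaim function are assumptions. Only the offending line, uint256 payment = _amount * 10 ** 18;, comes from the page. The vulnerable contract is shown beside a hardened one that drops the rescaling and adds the checks a reviewer would want: the payout can never exceed the coverage that was purchased, and never exceed the pool balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration only; not Armor's ClaimManager.sol. Contract names,
// the coverageOf mapping and the payClaim function are assumptions.
// Convention: every amount in storage and in function arguments is in wei.

contract ClaimManagerVulnerable {
    mapping(address => uint256) public coverageOf; // wei of coverage bought

    function buyCoverage() external payable {
        coverageOf[msg.sender] += msg.value; // msg.value is already in wei
    }

    // Pays out a claim of _amount wei against the caller's coverage.
    function payClaim(uint256 _amount) external {
        require(_amount <= coverageOf[msg.sender], "exceeds coverage");
        coverageOf[msg.sender] -= _amount;
        // The defect described on the page: _amount is already in wei, so
        // multiplying by 10**18 again pays out 10^18 times the covered amount.
        uint256 payment = _amount * 10 ** 18;
        payable(msg.sender).transfer(payment);
    }
}

contract ClaimManagerFixed {
    mapping(address => uint256) public coverageOf; // wei of coverage bought

    event ClaimPaid(address indexed claimant, uint256 paymentWei);

    function buyCoverage() external payable {
        coverageOf[msg.sender] += msg.value;
    }

    function payClaim(uint256 _amount) external {
        uint256 covered = coverageOf[msg.sender];
        require(_amount <= covered, "exceeds coverage");

        // No unit conversion: _amount is wei and the payout is wei.
        uint256 payment = _amount;

        // Invariants a unit test should also encode: a payout can never exceed
        // the coverage that was purchased, nor the assets the pool holds.
        assert(payment <= covered);
        require(payment <= address(this).balance, "insufficient pool balance");

        // Effects before interaction (checks-effects-interactions).
        coverageOf[msg.sender] = covered - _amount;
        emit ClaimPaid(msg.sender, payment);

        (bool ok, ) = msg.sender.call{value: payment}("");
        require(ok, "payout transfer failed");
    }
}
```

Two points worth noting. Solidity 0.8's checked arithmetic does not catch this class of bug: for any realistic _amount the product stays far below 2^256, so nothing overflows and the contract simply pays 10^18 times too much. What does catch it is a unit test that buys N wei of coverage, claims N wei, and asserts the claimant's balance rose by exactly N wei; the vulnerable contract fails that test on the first run with N = 1.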


"We just got off the phone with @ArmorFi, and they're raising their critical bug bounty to $600,000, which means that it's the largest smart contract bounty."


"The bug (which would have affected successful claim payouts) was immediately fixed and did not affect any staked assets." "It is important to be generous with bug bounties and to appreciate whitehats who help you keep users safe. Safety must come before every other goal."


"This successful disclosure is an excellent proof of concept of how bug bounties can function in the smart contract space. Moreover, it achieved three important objectives. First, it solved a critical vulnerability that stood a good chance of being exploited on some timeline. Second, Armor has the opportunity to review its code and security processes more closely. And third, the community reacted overwhelmingly positively to Armor taking security seriously with its bug bounty program and successful payout. As of publication, the current value of the bounty is $876,000 USD."


"The system is working as intended and will continue to do so."

Armor Finance launched a smart contract which allowed participants to withdraw significantly more funds than they deposited.


This error was caught by a white-hat hacker, who was generously compensated.

HOW COULD THIS HAVE BEEN PREVENTED?

Sources And Further Reading

© 2021 Quadriga Initiative.