$429 000 USD

AUGUST 2021

GLOBAL

DOT FINANCE

DESCRIPTION OF EVENTS

"DeFi Aggregator for the Polkadot Ecosystem. Maximize your returns with innovative yield optimization strategies." "Dot.Finance was developed to spur Polkadot’s growth trajectory by reducing barriers to participation while maximizing the performance and efficiency of assets and tokens that are deployed to different DeFi products."

 

"Dot.Finance is designed to bring DeFi to a wide range of users and will help increase user exposure to the many benefits of the Polkadot ecosystem. This will help grow adoption of not just the Polkadot framework but the many new DeFi products and services that Dot.Finance is building on top of Polkadot’s safe, secure, and resilient architecture."

 

"To use Dot.Finance farms you must have the farm's LP (liquidity Pool) token from PancakeSwap (PCS) - also known as "Flip" tokens. To get LP tokens you must provide liquidity for it's pool on PCS with it's underlying tokens. e.g. for the DOT-BNB LP token, you need DOT and BNB tokens."

 

"Starting from Aug 25, 2021, 09:06:30 AM UTC," "Dot Finance, the DeFi protocol on the BSC chain, was attacked by flash loans."

 

"The ultimate goal behind these attacks is to manipulate profit used by performanceFee for calculating the minting amount. We can trace back this attack chain simply by looking at mintFor functions." "amountPinkToMint() function takes contribution which is calculated from the value of asset and _performanceFee. The manipulated profit can be clearly seen by debugging function calls associated with the transaction."

 

Attack process: "(1) Hackers use PancakeSwap flash loan to obtain initial funds of 100 Cake tokens. (2) By inserting Cake tokens into the VaultPinkBNB contract, the getReward function can be used to obtain the real value of the Cake tokens of the contract. At the same time, the performanceFee parameter is greatly affected by the real value of Cake tokens. (3) Finally, the mintFor function uses the affected performanceFee parameters to mint a large amount of pink tokens to reward hackers."

 

"We suspect that this flaw might be inherited by forking other platform codes without properly eradicating or remediating the root cause. With the condition that the TVL of the affected pool must be very low, an attacker has to act fast to initiate a profitable attack."

 

"[I]ts value dropped by nearly 35%."

Dot Finance offers an innovative yield farm. Despite two audits, their smart contract still suffered from a minting vulnerability. Their platform token dropped in value as the additional tokens were sold. There is no mention of the breach on their social media or website. It's unclear if anything was done to address it.

HOW COULD THIS HAVE BEEN PREVENTED?

Complex smart contracts can generally not be considered secure, however one method of mitigation might be to ensure that the minting always involves a multi-sig of trusted team members. To reduce burdens, tokens can get minted only with multi-sig approval, and sit in the smart contract hot wallet, from which they are distributed. This prevents additional minting and provides an upper cap to the possible breach.

 

Typical methods of dealing with a breach are to launch a second token and provide it to the original affected users based on what they had prior to the breach. This requires special care for situations where tokens were bought or sold after the breach.

 

Check Our Framework For Safe Secure Exchange Platforms

Sources And Further Reading

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.