QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$429 000 USD
AUGUST 2021
GLOBAL
DOT FINANCE
DESCRIPTION OF EVENTS
"DeFi Aggregator for the Polkadot Ecosystem. Maximize your returns with innovative yield optimization strategies." "Dot.Finance was developed to spur Polkadot’s growth trajectory by reducing barriers to participation while maximizing the performance and efficiency of assets and tokens that are deployed to different DeFi products."
"Dot.Finance is designed to bring DeFi to a wide range of users and will help increase user exposure to the many benefits of the Polkadot ecosystem. This will help grow adoption of not just the Polkadot framework but the many new DeFi products and services that Dot.Finance is building on top of Polkadot’s safe, secure, and resilient architecture."
"To use Dot.Finance farms you must have the farm's LP (liquidity Pool) token from PancakeSwap (PCS) - also known as "Flip" tokens. To get LP tokens you must provide liquidity for it's pool on PCS with it's underlying tokens. e.g. for the DOT-BNB LP token, you need DOT and BNB tokens."
"Starting from Aug 25, 2021, 09:06:30 AM UTC," "Dot Finance, the DeFi protocol on the BSC chain, was attacked by flash loans."
"The ultimate goal behind these attacks is to manipulate profit used by performanceFee for calculating the minting amount. We can trace back this attack chain simply by looking at mintFor functions." "amountPinkToMint() function takes contribution which is calculated from the value of asset and _performanceFee. The manipulated profit can be clearly seen by debugging function calls associated with the transaction."
Attack process: "(1) Hackers use PancakeSwap flash loan to obtain initial funds of 100 Cake tokens. (2) By inserting Cake tokens into the VaultPinkBNB contract, the getReward function can be used to obtain the real value of the Cake tokens of the contract. At the same time, the performanceFee parameter is greatly affected by the real value of Cake tokens. (3) Finally, the mintFor function uses the affected performanceFee parameters to mint a large amount of pink tokens to reward hackers."
"We suspect that this flaw might be inherited by forking other platform codes without properly eradicating or remediating the root cause. With the condition that the TVL of the affected pool must be very low, an attacker has to act fast to initiate a profitable attack."
"[I]ts value dropped by nearly 35%."
Dot Finance offers an innovative yield farm. Despite two audits, their smart contract still suffered from a minting vulnerability. Their platform token dropped in value as the additional tokens were sold. There is no mention of the breach on their social media or website. It's unclear if anything was done to address it.
HOW COULD THIS HAVE BEEN PREVENTED?
Complex smart contracts can generally not be considered secure, however one method of mitigation might be to ensure that the minting always involves a multi-sig of trusted team members. To reduce burdens, tokens can get minted only with multi-sig approval, and sit in the smart contract hot wallet, from which they are distributed. This prevents additional minting and provides an upper cap to the possible breach.
Typical methods of dealing with a breach are to launch a second token and provide it to the original affected users based on what they had prior to the breach. This requires special care for situations where tokens were bought or sold after the breach.
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-dot-finance-flash-loan-security-incident-analysis-98f7b5707a15 (Sep 19)
Collection Of Insecure Ways For Mint Amount Calculation Dot Finance Incident Analysis (Sep 19)
Address 0xDFD78a977c08221822F6699AD933869Da6d9720C | BscScan (Oct 7)
Contract Address 0x33f9bB37d60Fa6424230e6Cf11b2d47Db424C879 | BscScan (Oct 7)
Binance Transaction Hash (Txhash) Details | BscScan (Oct 7)
Contract Address 0xfc3920bcffb412e2686e76c194cd8935bd651a90 | BscScan (Oct 7)
Dot Finance | Experience the future of DeFi (Oct 7)
https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-M_CaMTpZw2UU5MkRroL%2F-MkmjS4unVTrNdyKejYh%2F-MkmkrxKRXI2J2DEVzvT%2FDOTFinance%20SC%20Audit%20-%20Hacken.pdf?alt=media&token=19fb215c-d8a2-496b-893c-ceea2206f903 (Oct 7)
https://docs.dot.finance/ (Oct 7)
https://docs.dot.finance/guides/how-to-guide (Oct 7)
