DESCRIPTION OF EVENTS
"FEI is a new kind of stablecoin. It is more capital efficient, has a fair distribution, and is fully decentralized." "When the price increases, newly minted FEI can be purchased for ETH, which is scrowed in the protocol bonding curve. Then this ETH was deposited by a keeper in the ETH-FEI Uniswap pair. An attacker could take a flash loan to drive up the ETH-FEI spot price in Uniswap, purchase FEI from the bonding curve, trigger the ETH deposit as liquidity in Uniswap, and finally sell the FEI received at an elevated price."
"When the price of FEI is over $1.01, users can purchase newly minted FEI from the protocol’s bonding curve for ETH to arbitrage the secondary market price down towards $1. This ETH is escrowed in the bonding curve until a keeper allocates it, at which point it is deposited into the ETH-FEI pair at the spot price."
"On May 2, during an internal code review, we identified a critical vulnerability that could have removed ETH from the Protocol Controlled Value. The attack involved manipulating the spot price on the FEI-ETH Uniswap pair, before providing liquidity through the bonding curve. After validating a Proof of Concept (PoC) attack, we immediately paused the bonding curve, which prevented the exploit from being possible, and notified our community publicly on Discord. The following day, we received a report from Immunefi where Alexander Schlindwein had also independently discovered the exploit." "Manipulation of the spot price with a flash loan is the primary vector of the attack."
Steps to reproduce: "(1) Flash borrow ETH. (2) Buy on spot market. (3) Buy on bonding curve and execute bonding curve allocation. (4) Sell FEI from 2 and 3. (5) Profit." "The end result is the spot price of FEI/ETH is lower than at the beginning, essentially arbing by spiking the price of FEI since it uses the spot price when depositing."
"The vulnerability was not exploited and no funds were lost."
"After the fix, the ETH from the bonding curve is sent to the reserve stabilizer rather than the ETH-FEI Uniswap pool. And it won’t mint any liquidity at a price significantly different from the oracle price of ETH." "The solution has 2 parts: (1) Deposit at oracle price not spot price. (2) Restrict allocate() and other potentially risky flows to EOA only."
"OpenZeppelin and Alexander further assisted with the review and validation of the fix. The fix removes the attack vector by sending ETH from the bonding curve to the reserve stabilizer rather than the ETH-FEI Uniswap pool. It also adds additional checks on the pool to ensure that if more funds are added to the pair in the future, it is protected from malicious arbitrage."
The FEI protocol had a "bonding curve" which provided liquidity for the stablecoin. These funds were stored in a smart contract hot wallet.
An exploit was found which would have allowed a malicious actor to drain the stored funds by manipulating the price with a flash loan.
The exploit was corrected without any loss of user funds.
HOW COULD THIS HAVE BEEN PREVENTED?
There was no loss of user funds.
In general, storage in a smart contract is not as secure as a simpler form of offline multi-sig.
List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 23)
Fei Bonding Curve Bug Post Mortem (Jun 22)
Fei Protocol Flashloan Vulnerability Postmortem (Jun 22)
FEI Post Mortem – OpenZeppelin blog (Jun 22)
Pre release fix flash attacks by Joeysantoro · Pull Request #81 · fei-protocol/fei-protocol-core · GitHub (Jul 28)
Fei Protocol (Jul 28)