QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$635 000 USD
JUNE 2021
GLOBAL
MUSHROOM FINANCE
DESCRIPTION OF EVENTS

"Mushrooms Finance smart contracts out of inspiration from popular DeFi projects like Yearn Finance (YFI) Pickle Finance and Sushiswap among others. This project is fairly new (Oct 2020), but are picking up steam quickly. As a DeFi project, Mushrooms Finance deploys a fair-launch fashion from day1 to distribute the governance token (MM) among all its contributors: builder, liquidity provider, community..etc. Mushrooms Finance has integrated the ETH-USD Chainlink Price Feed, Mushrooms' smart contracts have a secure, fair-market price reference when checking the collateralization of its Maker CDPs(collateralized debt position). If collateralization is found to be below a certain threshold, then Mushrooms' smart contracts can execute actions to avoid user funds from being liquidated."
"Mushrooms Finance is a crypto-earning vault with a focus on seeking sustainable profit in the DeFi universe. The first version of the Mushrooms Finance smart contracts were inspired by other popular DeFi projects like Yearn Finance (YFI) and Sushiswap, among many others." "Mushrooms Finance Vaults help users earn passive profit on crypto assets like WETH, WBTC, DAI, USDC, and many more. The earning strategies associated with the Vaults will automate user yield farming on Alchemix or Curve by auto-compounding the profit. Vaults earn in the denomination of whatever token users deposited. Users will then receive mTokens upon Vault deposit which represent their share in that Vault. When users withdraw from the Vault, the mToken share allows users to withdraw both the principal plus any earned profit over the deposit period."
"CoinFabrik was asked to audit the contracts for the Mushroom project." Dedaub was also commissioned to perform a security audit. "Mushrooms Finance has a Bug Bounty program to encourage security white-hat hacker/developer to spend time studying our code in order to uncover vulnerabilities. We believe they should get fairly awarded for their time and effort and acknowledged for the remarkable contributions to entire community."
"Whitehat CKK Sec, who is a recipient of Immunefi’s Whitehat Scholarship, disclosed a critical vulnerability in Mushrooms Finance to Immunefi on June 8 that consisted of a logic error, leading to a flash loan attack vector that could have resulted in the loss of 19 wBTC, which at market rate at the time of the report comes out to $635,000."
"The vulnerability exists as a result of the interaction between two contracts in Mushrooms Finance: StrategyCmpdWbtcV1 (Strategy) and the MMVault (Vault). The Strategy contract has a flashloan function, mushroomsFlashloan(), that can be called by any user, which liquidates the held wBTC cTokens from Compound and supplies that wBTC to the Vault. This is obviously erroneous due to its original purpose for MMVault callback only. What this means is that an attacker can flashloan from the Vault and repay it via a vulnerable function present in Strategy. However, the vulnerability is not only possible because of that. The vulnerable mushroomsFlashloan() consists of a check that verifies if the Strategy contract has enough balance to even complete the flashloan taken from MMVault."
"This check can be bypassed due to the attacker being able to not only define the amount (_amount) but also the fee paid with the flashloan (_fee). The reason behind this is, that the vulnerable flashloan function was not intended to be callable by anyone, but instead to be called by the Vault only when the Vault’s flashloan is called. With the additional _fee-parameter the attacker could have bypassed several checks (which could make the attack more troublesome), and it would result in the Strategy-contract to withdraw wBTC from Compound which it supplied before."
"After receiving the report, Mushrooms Finance paused the contracts and is paying the whitehat a bounty of $60,000 for his find, $18,000 of which went to the Immunefi Whitehat Scholarship. The scholarship helps budding security researchers get a chance to take time off from full-time work, so they can hunt for bugs full-time. While the bounty is listed at $50,000 for critical bugs, Mushrooms Finance is paying $10,000 above that amount in recognition of the size of funds at risk. We thank Mushrooms Finance for their generosity and for taking security and responsibility seriously."
Subsequently, Mushroom Finance underwent a further audit by Peckshield.
Despite two audits, Mushroom Finance still had a smart contract logic error which could have allowed a malicious actor to steal some of the fund.
The error was corrected without being exploited and a bug bounty was paid. The smart contract has subsequently been audited a third time.
HOW COULD THIS HAVE BEEN PREVENTED?
Mushrooms (Jul 28)
Mushrooms Finance Bug Bounties | Immunefi (Jul 28)
deployment/security.md at main · mushroomsforest/deployment · GitHub (Jul 28)
publications/peckshield-audit-report-btdotfinance-v1.0.pdf at master · peckshield/publications · GitHub (May 19)
deployment/Mushrooms Finance audit-dedaub.pdf at main · mushroomsforest/deployment · GitHub (Jul 28)
Mushrooms Finance Logic Error Bug Fix Postmortem (Jul 28)
$MM - Mushrooms.finance ($2.6mil market cap) : CryptoMoonShots (Jul 28)
@immunefi Twitter (Jul 28)
No Title (Jul 24)
