$4 000 USD
DESCRIPTION OF EVENTS
"Mushrooms Finance smart contracts out of inspiration from popular DeFi projects like Yearn Finance (YFI) Pickle Finance and Sushiswap among others. This project is fairly new (Oct 2020), but are picking up steam quickly. As a DeFi project, Mushrooms Finance deploys a fair-launch fashion from day1 to distribute the governance token (MM) among all its contributors: builder, liquidity provider, community..etc. Mushrooms Finance has integrated the ETH-USD Chainlink Price Feed, Mushrooms' smart contracts have a secure, fair-market price reference when checking the collateralization of its Maker CDPs(collateralized debt position). If collateralization is found to be below a certain threshold, then Mushrooms' smart contracts can execute actions to avoid user funds from being liquidated."
"Mushrooms Finance is a crypto-earning vault with a focus on seeking sustainable profit in the DeFi universe. The first version of the Mushrooms Finance smart contracts were inspired by other popular DeFi projects like Yearn Finance (YFI) and Sushiswap, among many others." "Mushrooms Finance Vaults help users earn passive profit on crypto assets like WETH, WBTC, DAI, USDC, and many more. The earning strategies associated with the Vaults will automate user yield farming on Alchemix or Curve by auto-compounding the profit. Vaults earn in the denomination of whatever token users deposited. Users will then receive mTokens upon Vault deposit which represent their share in that Vault. When users withdraw from the Vault, the mToken share allows users to withdraw both the principal plus any earned profit over the deposit period."
"CoinFabrik was asked to audit the contracts for the Mushroom project." Dedaub was also commissioned to perform a security audit. "Mushrooms Finance has a Bug Bounty program to encourage security white-hat hacker/developer to spend time studying our code in order to uncover vulnerabilities. We believe they should get fairly awarded for their time and effort and acknowledged for the remarkable contributions to entire community."
"Before [a] harvest transaction occurs, it can be sandwiched to manipulate the Uniswap price before, and return it afterwards, earning a portion of the Mushroom harvest." "This particular vulnerability was an MEV searcher sandwich attack made easier by the existence of flash bots."
"Whitehat Wen-Ding Li reported a vulnerability in Mushrooms Finance classified as “high” to Immunefi on April 27. The vulnerability was a theft of yield, but the attack was not a flash loan. Rather, the attack was an MEV (miner-extractable value) attack with flash bots, which is similar but distinct from a flash loan."
"Regrettably, the vulnerability was exploited twice (block 12312954 (~0.0345 eth) and block 12319752 (~0.0504 ETH)) prior to Wen-Ding Li’s report, leading to a loss of ~$222 in total. Mushrooms Finance has since patched the vulnerability. If this attack had not been mitigated swiftly by Mushrooms, it would have been repeatable."
"The harvest transaction is now being run more frequently, to make it unprofitable to pay miners for including the sandwich transactions." "Mushrooms Finance has configured its keep3r to run harvests more frequently, as merely adding permission requirements on the harvest function and adding EOA requirements are insufficient. Keeping harvests small but frequent makes it economically unprofitable for MEV searchers to perform this attack because the size of the swap required to distort the Uniswap pool incurs more swap fee than the profit from the harvest."
"Mushrooms Finance has paid a bounty of $4,000 USDC to whitehat Wen-Ding Li for the report." Subsequently, Mushroom Finance underwent a further audit by Peckshield.
Despite two audits, Mushroom Finance still had a smart contract error which allowed a malicious actor to steal some of the yield. This did not appear to take any user funds, but rather reduced the profitability slightly.
The error was corrected with minimal exploit and a bug bounty paid.
HOW COULD THIS HAVE BEEN PREVENTED?
No user funds were lost in this case.
List of Ethereum Smart Contracts Post-Mortems - Security - OpenZeppelin Community (Jun 23)
Mushrooms Finance Theft Of Yield Bug Fix Postmortem (Jun 22)
Mushrooms (Jul 28)
Mushrooms Finance Bug Bounties | Immunefi (Jul 28)
Mushroom Finance Smart Contract Audit - CoinFabrik Blog (Jul 28)
deployment/security.md at main · mushroomsforest/deployment · GitHub (Jul 28)
publications/peckshield-audit-report-btdotfinance-v1.0.pdf at master · peckshield/publications · GitHub (May 19)
deployment/Mushrooms Finance audit-dedaub.pdf at main · mushroomsforest/deployment · GitHub (Jul 28)
$MM - Mushrooms.finance ($2.6mil market cap) : CryptoMoonShots (Jul 28)