$50 000 USD

JANUARY 2025

GLOBAL

ODOS PROTOCOL

DESCRIPTION OF EVENTS

Odos Protocol is a decentralized finance (DeFi) platform designed to optimize trading by providing smarter, more efficient solutions. It offers seamless token swaps, flexible strategies like limit orders, and advanced customization options for traders. Odos uses sophisticated routing algorithms to maximize token output by sourcing liquidity from hundreds of sources, minimizing fees, and offering better rates. It supports a wide range of tokens, including blue-chip and niche assets, and simplifies complex processes like market arbitrage and multi-token transactions. Odos also provides powerful APIs for developers to integrate advanced token swaps and liquidity aggregation into their platforms.

 

Odos Protocol uses a proprietary Smart Order Routing (SOR) algorithm to aggregate decentralized exchanges (DEX) and find optimal routes for cryptocurrency token swaps. As the number of DEXs and liquidity sources grows, Odos efficiently navigates complex, non-linear paths to deliver the best exchange rates across multiple blockchains. Unique to Odos is its multi-token input feature, which allows users to swap multiple tokens in a single transaction. The platform is developed by Semiotic Labs, a team focused on AI, cryptography, and Web3 optimization, with expertise in The Graph protocol and autonomous decision-making technologies.

 

The attack was made possible by an arbitrary call vulnerability due to insufficient input validation within the contract’s logic. This allowed the attacker to bypass signature verification mechanisms and execute malicious transactions. The attacker deployed a malicious contract and exploited the victim contract to manipulate the system, draining funds from Odos' contracts.

 

The root cause of the exploit was insufficient validation of user inputs, improper handling of contract functionalities, and an unchecked use of precompile contracts. To prevent such exploits, it was recommended that Odos implement better input validation, enhance signature verification, and introduce reentrancy guards to limit interactions with external contracts. Post-attack, Odos took swift action to address the issue. QuillAudits, a renowned audit firm, emphasized the importance of rigorous security audits to prevent such vulnerabilities and safeguard projects in the Web3 space.

 

The attack was caused by an arbitrary call vulnerability, where unverified user input was combined with a pre-compiled contract to bypass the signature check. The attacker used the pre-compiled 0x4 Identity contract (the identity precompile at address 0x04) to satisfy the contract's signature validation mechanism without holding a valid signature, which allowed the attacker to execute malicious transactions without triggering the usual security checks and successfully steal tokens.

 

Losses were estimated by SlowMist at $100,000.

 

According to QuillAudits, a "series of coordinated attacks resulted in a cumulative loss of approximately $50,000."

 

"TL;DR: All user funds are safe. The exploit has been addressed, and no action is needed from users. Your trust and security remain our top priorities."

 

"Today we discovered a malicious attack on our Limit Order contracts. It’s important to highlight that no user funds were compromised during this attack and the exploit has been resolved."

 

"The attack exploited a vulnerability in our audited executor contract, accessing revenue stored within the contract but not any user funds."

 

"We’ve worked with our auditing partners to re-verify the updated contracts and deployed them along with new routers to eliminate the exploit."

 

"We’re deeply grateful for the trust you’ve placed in Odos and remain committed to transparency, security, and user protection."

 


On January 23, 2025, a vulnerability in Odos Protocol’s OdosLimitOrderRouter contract was exploited, resulting in the theft of around $50,000 on Ethereum and Base. The attacker exploited an arbitrary call vulnerability, where unverified user input was combined with a pre-compiled 0x4 Identity contract to bypass the signature validation mechanism and steal tokens. The incident emphasizes the need for thorough security audits, not just for initial versions, but for any new features added to prevent similar vulnerabilities in the future. No user funds were lost. All funds lost were platform profits.

HOW COULD THIS HAVE BEEN PREVENTED?

The incident underscores the importance of validating all user inputs and being cautious with external contract calls, especially when a call target or calldata comes from the user, when pre-compiled contracts can be reached, or when a contract's code length is used to decide how a signature is verified. The attack highlights the risks of not properly implementing signature checks, especially when using complex signature schemes such as ERC-6492. It is advised that protocols using such features undergo thorough security audits, not only for initial releases but also for any new features added, to avoid introducing similar vulnerabilities.
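The following is an added, illustrative Solidity validator written for this page; it is not Odos code and makes no claim about how the OdosLimitOrderRouter was written. It places a weak ERC-1271 signature check, which the identity precompile at 0x04 satisfies because it echoes its input (whose first four bytes are the isValidSignature selector, i.e. the magic value), beside a hardened check that refuses code-less addresses for ERC-1271, falls back to ECDSA for them, and requires a full ABI-encoded return word.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative order-signature validator (hypothetical, not Odos code).
bytes4 constant ERC1271_MAGIC = 0x1626ba7e; // == IERC1271.isValidSignature.selector

interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes calldata sig) external view returns (bytes4);
}

library WeakSigCheck {
    // WEAK: any address is staticcall'ed and only the first 4 returned bytes are
    // compared. The identity precompile (0x04) returns its own input, whose first
    // 4 bytes are the selector == ERC1271_MAGIC, so an order naming 0x04 as its
    // signer passes with any signature bytes. Shown only to make the defect concrete.
    function isValid(address signer, bytes32 hash, bytes memory sig) internal view returns (bool) {
        (bool ok, bytes memory ret) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, sig)
        );
        return ok && ret.length >= 4 && bytes4(ret) == ERC1271_MAGIC;
    }
}

library SafeSigCheck {
    function isValid(address signer, bytes32 hash, bytes memory sig) internal view returns (bool) {
        if (signer.code.length == 0) {
            // No deployed code: an EOA or a precompile. Never treat such an address
            // as an ERC-1271 contract; only ECDSA can prove control of it, and a
            // precompile can never be the output of ecrecover.
            if (sig.length != 65) return false;
            (bytes32 r, bytes32 s, uint8 v) = _split(sig);
            // Reject high-s (malleable) signatures: s must be <= secp256k1 n / 2.
            if (uint256(s) > 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0) return false;
            address rec = ecrecover(hash, v, r, s);
            return rec != address(0) && rec == signer;
        }
        // Contract account: demand the exact 32-byte ABI-encoded bytes4 return.
        (bool ok, bytes memory ret) = signer.staticcall(
            abi.encodeWithSelector(IERC1271.isValidSignature.selector, hash, sig)
        );
        if (!ok || ret.length != 32) return false;
        return abi.decode(ret, (bytes4)) == ERC1271_MAGIC;
    }

    function _split(bytes memory sig) private pure returns (bytes32 r, bytes32 s, uint8 v) {
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        if (v < 27) v += 27;
    }
}
```

Any ERC-6492 counterfactual-deploy step, where a factory address and calldata are taken from the signature itself, should additionally be executed from a separate helper contract that holds no funds and no token approvals, so that a user-controlled call can never originate from the contract that custodies revenue.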

 

© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.