QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$3 500 000 USD
SEPTEMBER 2021
GLOBAL
SIREN MARKET
DESCRIPTION OF EVENTS

"SIREN Markets is a flexible, decentralized protocol for sophisticated investors to trade cryptocurrency options." "Siren Markets (‘SIREN’) is focused on the creation of a high-quality, seamless experience for sophisticated users to purchase, trade, and redeem options without the use of a third-party mechanism or order matching to complete settlement on-chain." "Actively trade tokenized options contracts and match your portfolio to market trends." "Earn options premiums on your favorite altcoins by lending them to SIREN liquidity pools." "Powerful liquidity & options trading solutions for DeFi Projects."
"Options are a powerful financial primitive, a building block from which many complex constructions can be formed and high levels of flexibility achieved. SIREN enables DeFi users to make use of options to hedge, speculate, and generate passive income streams."
"SIREN achieves and occupies a unique market niche through several novel implementations. SIREN has tokenized both sides of an option contract through the process of Bilateral Tokenization, allowing for elements of an options ecosystem that can be traded as easily as a standard ERC-1155 token."
"Additionally, SIREN has separated the automated market making (AMM) layer from the settlement layer, allowing for continuous modification to the design of market making, pool administration, and pricing as the trading volume and liquidity of the SIREN platform grow over time. This paradigm allows a strategy that serves SIREN in early stages of limited markets and liquidity to transform and iterate as growth takes place and the protocol exceeds such limitations."
"An audit was performed on the SIRENv2 code, including the affected contract, and the code was specifically analyzed for reentrancy attacks."
"On 3 September 2021 at around 12:17 AM UTC several SIREN AMM pools were exploited via a reentrancy attack." "[A] series of transactions were executed by the attacker draining the UNI, KNC, WETH, WMATIC, USDC and SUSHI pools." "Approximately $3.5M worth of assets were drained from the AMM pools." "[T]his reentrancy was performed in an unusual location and both the SIREN team and auditors missed the exploit."
"This exploit was confirmed to be a classical reentrancy attack via MinterAmm.withdrawCapital, MinterAmm._sellOrWithdrawActiveTokens and ERC1155.safeTransferAcceptanceCheck in the ERC1155 option token contract implementation."
"1) The attacker’s Exploit Deployer address calls the exploit contract, which uses a flashloan on Aave to acquire the liquidity"
"2) Calls MinterAmm.bTokenBuy with an argument of 1000 bTokenAmount. This mints bToken and wToken, sends the bToken to the attacker, and keeps the wToken in the AMM. This will be important 3 steps ahead in MinterAmm._sellOrWithdrawActiveTokens where the exploit needs the AMM to have a nonzero balance of wToken."
"3) Calls MinterAmm.provideCapital to acquire lpToken. This deposits liquidity in the AMM in exchange for lpToken. Later on this lpToken will be burned in return for a greater amount of liquidity than the attacker provided."
"4) Calls MinterAmm.withdrawCapital with sellTokens equal to false. In line 355 the contract defines collateralTokenBalance. This will prove fatal later on when the contract logic fails to update this value prior to interacting with external contracts inside of MinterAmm._sellOrWithdrawActiveTokens."
"5) Inside of MinterAmm._sellOrWithdrawActiveTokens execution follows the branch at line 470 because sellTokens is equal to false. Then, execution follows the branch at line 483 because of the wTokens that were minted in the MinterAmm.bTokenBuy call up in step 2. Here the reentrancy attack begins with the call to erc1155Controller.safeTransferFrom."
"6) Siren’s ERC1155Controller.sol contract inherits from OpenZeppelin’s ERC1155Upgradeable.sol. ERC1155Upgradeable.safeTransferFrom calls the internal function ERC1155Upgradeable._safeTransferFrom, the final line of which is a call to the internal function ERC1155Upgradeable._doSafeTransferAcceptanceCheck. And here an external call to the user’s address (contract) is made with the IERC1155ReceiverUpgradeable.onERC1155Received. Recall that the ERC1155 standard uses the onERC1155Received callback to protect against ERC1155 tokens being sent to a contract where they would be locked forever, because that contract cannot call ERC1155Upgradeable.safeTransferFrom. By forcing contract recipients to implement onERC1155Received, only contracts who explicitly opt in to signal receiving ERC1155 tokens will have safeTransferFrom with them as a recipient succeed. However, the onERC1155Received function is a non-view non-pure function, and so it is able to make state changes and call other contracts’ functions, including re-entering back into MinterAmm.withdrawCapital. Which is exactly what this exploit does."
"7) Back in MinterAmm.withdrawCapital, the same value of collateralTokenBalance on line 355 gets used as in the original call to MinterAmm.withdrawCapital. This is the crucial exploit of the reentrancy attack, because usually subsequent calls to MinterAmm.withdrawCapital should use smaller and smaller values of collateralTokenBalance, because the collateral token gets transferred out of the AMM in line 376. But because the function call is reentrant, the AMM is tricked into removing the same amount of collateral token in each of the 2 calls to MinterAmm.withdrawCapital. By making multiple sets of calls to MinterAmm.provideCapital followed by MinterAmm.withdrawCapital reentered, the attacker was able to drain collateral token from each AMM."
"26 of LP addresses on Polygon were affected by the attack. The SIREN team plans to mint a redemption/I Owe You (IOU) token that will be issued to those addresses proportionate to their share of the affected funds. More details regarding the IOU redemption will be released next week." "The core settlement layer wasn’t affected, all open options positions are fully collateralized and can be traded or exercised as soon as the security patch is deployed and the protocol is unpaused via the DAO multisig."
"We will wrap each function which interacts with an ERC1155 token in a ReentrancyGuard. Now any attempt to re-enter into MinterAmm.withdrawCapital or other state-changing functions will revert."
"The team is currently working with investors and exchanges to identify the attacker and keep them from moving the funds. The team is offering a 10% bounty for return of funds."
"We are actively pursuing the attacker and will continue to take every measure to monitor and analyze their movements. We will use this exploit as an opportunity to strengthen our protocol. Our plan is to add more security measures and tooling to prevent future exploits. We will continue to fulfill our mission to bring DeFi options to the masses."
Siren Market is a decentralized protocol for options. The decision was made to store all funds in a smart contract hot wallet, based on the certainty of the audit by QuantStamp. However, the audit missed the exploit, since it was in "an unusual spot". Therefore, all users face the loss of their funds unless the attacker returns the funds. While there was initial discussion of a compensation token, there have been no further updates on their Medium or Twitter page in over two months, suggesting that affected users may be out of their funds.
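The stale-balance ordering described in steps 4 to 7 of the quoted report, and the ReentrancyGuard fix it announces, shown as a simplified Python model. This is an example added here, not Siren's Solidity code or the auditors' work; `ToyAmm`, its method names, the pro-rata payout formula and all amounts are assumptions made for illustration.

```python
import copy
class Reverted(Exception):
    """Stands in for a Solidity revert."""

class ToyAmm:
    """Toy pool (assumption, not Siren's MinterAmm): models only the ordering in steps 4-7."""
    def __init__(self, collateral, guarded):
        self.collateral = collateral   # collateral token held by the pool
        self.lp_supply = collateral    # shares already held by other LPs
        self.lp = {}                   # holder -> LP shares
        self.paid = {}                 # holder -> collateral received
        self.guarded = guarded         # True = nonReentrant-style lock enabled
        self.locked = False

    def provide_capital(self, who, amount):
        self.lp[who] = self.lp.get(who, 0) + amount
        self.lp_supply += amount
        self.collateral += amount

    def withdraw_capital(self, who, shares, on_received=None):
        if self.guarded and self.locked:
            raise Reverted("reentrant call")
        self.locked = True
        if self.lp.get(who, 0) < shares:
            raise Reverted("insufficient LP shares")
        supply, cached = self.lp_supply, self.collateral  # read once, up front
        self.lp[who] -= shares                            # burn LP shares
        self.lp_supply -= shares
        if on_received:        # external call: stands in for onERC1155Received
            on_received()
        payout = cached * shares // supply   # stale if the callback re-entered
        self.collateral -= payout
        self.paid[who] = self.paid.get(who, 0) + payout
        self.locked = False

def simulate(guarded, reenter):
    """Return (caller_paid, pool_collateral, reverted) for two 500-share withdrawals."""
    amm = ToyAmm(collateral=1000, guarded=guarded)   # constructed sample amounts
    amm.provide_capital("caller", 1000)
    before = copy.deepcopy(amm)          # a revert rolls back the whole transaction
    try:
        if reenter:
            amm.withdraw_capital("caller", 500, lambda: amm.withdraw_capital("caller", 500))
        else:
            amm.withdraw_capital("caller", 500)
            amm.withdraw_capital("caller", 500)
    except Reverted:
        return before.paid.get("caller", 0), before.collateral, True
    return amm.paid["caller"], amm.collateral, False
```

In this model `simulate(False, True)` pays the caller 1166 against a 1000 deposit and leaves 834 to back the other LPs' 1000 shares, while `simulate(True, True)` reverts and the pool keeps its 2000.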
HOW COULD THIS HAVE BEEN PREVENTED?
Hot wallets should either not store customer funds, or be insured fully through smart contract insurance or our proposed industry insurance fund.
blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11)
Siren (Oct 20)
Introduction - Welcome (Nov 7)
Siren Incident Report (Nov 7)
Polygon Transaction Hash (Txhash) Details | PolygonScan (Nov 7)
https://uploads-ssl.webflow.com/610fc6a1e961affb229320ba/6132826bc372ed2845ddd555_Siren%20Markets%20V2%20-%20Report.pdf (Nov 7)
@BlockSecTeam Twitter (Nov 7)
