QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$0 USD
JUNE 2021
GLOBAL
ZAPPER
DESCRIPTION OF EVENTS

"Your homepage to DeFi" "Track all your DeFi portfolio from one place. Invest into the latest opportunities in open finance."
"Zapper.fi is an interesting platform that lets you quickly and easily deploy and manage your DeFi positions within a single interface. With all the complexities involved with multiple yield farming positions, wouldn’t it be nice to manage your portfolio in one dashboard? That’s what Zapper.fi does. It is a DeFi portfolio management dashboard that helps you stay on top of your portfolio, liquidity pools, and liquidity mining positions."
"Zapper is a fintech platform that manages all DeFi assets from one simple interface. It levels the playing field for decentralized finance (DeFi) newcomers and the most advanced investors by providing shortcuts (Zaps) to enter DeFi lending, automated yield farming, and liquidity provisions." "Montréal, Quebec, Canada" "In 2019 [a] project called DeFiZap emerged victorious from the Kyber DeFi Virtual hackathon. DeFiZap provided one-of-a-kind DeFi onramps which softened the blow of things such as impermanent loss. DeFiZap was also one of the top grant recipients of Gitcoin Grants Round 4." "DeFiSnap was a dashboard for tracking DeFi positions. It is similar to DeFiZap in that it emerged as one of the top grant recipients of Gitcoin Grants Round 5. DeFiSnap was known for its numerous DeFi integrations. So, while it was great for tracking outstanding positions, DeFiSnap didn’t allow users to deploy capital." "In May of 2020 DeFiSnap and DeFiZap merged to create Zapper.fi. This platform combined the best of both protocols to make DeFi as accessible as possible."
"Zapper.fi is built on two actions “Zapping In” and “Zapping Out.” This just means you can enter and exit DeFi positions directly through the Zapper dashboard." "With Zapper you can invest in hundreds of DeFi strategies, saving time, effort, and gas fees along the way. You can work with the top DeFi protocols such as Balancer, Curve, Uniswap, and yearn.finance without having to visit each website."
"For instance, if you wanted to take a position in Uniswap’s ETH-DAI pool, you would have to swap for 50% ETH and 50% DAI to get into that pool. But, that would exact time costs as well as the gas costs for at least a few transactions. With Zapper.fi, you can do this in one click. So, after you’ve confirmed your trade, you’re considered to be “zapped in” to the Uniswap ETH-DAI pool."
“Everything is fragmented, it’s on a bunch of different apps living, different websites and web apps and our goal is really to reduce the friction and just have this one portal where you can track all your assets and manage and swap and farm,” Audet said.
"Whitehat Lucash-dev, a recipient of the Whitehat Scholarship at Immunefi, found a critical vulnerability in Zapper on June 9 that would have allowed a malicious user to steal LP tokens on an ongoing basis through injecting arbitrary call data."
"The Zapper team was notified of a vulnerability in our Sushiswap and Uniswap V2 Zap out contracts. This vulnerability could have allowed an attacker to transfer liquidity pool tokens (LP) from a user’s account into these contracts via malicious calldata inside the permit function. This was only possible if a user had previously granted approval for these contracts to interact with their LP and the user had an LP balance. As most users Zap out their entire balance, the attack surface for this vulnerability was limited. In addition, we have been unable to find a single instance in which this vulnerability was exploited."
"Zapper has a set of contracts that help users get positions (aka, “zap in”) in Uniswap and Sushiswap liquidity pools (LP) and another set of contracts that help them withdraw the liquidity (aka “zap out”) from the pools. To perform that task, the contracts must be approved by users to perform transfers of LP tokens on their behalf. The “Zap out” contracts (both Uniswap and Sushiswap) had a functionality (functions ZapOutWithPermit and ZapOut2PairTokenWithPermit) that allowed users to specify an arbitrary call to any liquidity pool, with arbitrary data, in order to obtain the permission to transfer funds from the user."
"Since there was no validation of the data provided by the user for the call, an attacker could pass the function the ABI-encoded data to call “transferFrom” and force the contract to transfer all LP tokens from any victim to the attacker. The end result is stealing LP tokens from the victim’s balance. The only requirement would be that the victim had previously approved the Zapper contract. Because users are expected to approve the contract, anyone submitting transactions to “Zap Out” would be a potential victim."
"Zapper patched [the] critical vulnerability after it was responsibly disclosed by Lucash-dev using Immunefi platform." "[T]he Zapper team paused the contract and issued a bug fix within 24 hours. The fix blocked the previously vulnerable function from accepting arbitrary calldata. According to Zapper’s postmortem, in the future, parameters for the permit call will be computed on-chain." "After Immunefi’s disclosure of the bug, Zapper paused its contracts using the toggleContractActive() function, which prevents the vulnerable function from being called and then issued a fix within 24 hours. Zapper is paying Lucash-dev a bounty of $25,000 for his find."
"After being notified by the Immunefi team, we immediately paused the affected contracts, thus preventing this vulnerability from being exploited. Within 24 hours, a bug fix was issued and deployed which addressed the vulnerability in the permit function. The permit function is intended to allow Zapper to broadcast token approvals on behalf of users if the function receives a cryptographically signed message from a user in addition to the calldata required to execute the approval. The bugfix will prevent this vulnerability from resurfacing in the future as calldata is no longer accepted in this function. Moving forward, all parameters required for the permit call will be computed on-chain, removing the need to accept calldata for this functionality."
"As no funds were affected, no action is required by users following this disclosure."
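The two passages above describe the bug (caller-supplied calldata passed straight to the LP token) and the fix (permit parameters fixed on-chain). The following is an added illustration of both patterns, not Zapper's own contract code; the contract and function names, the `pair.call` shape and the factory-check comment are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal interface of a Uniswap V2 / Sushiswap pair: the LP token supports
// EIP-2612 permit(), and liquidity is removed by sending LP tokens to the
// pair and calling burn().
interface IUniswapV2Pair {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function burn(address to) external returns (uint256 amount0, uint256 amount1);
}

// VULNERABLE pattern (illustrative): the caller supplies the complete calldata for the
// "permit" step, so the low-level call can invoke ANY function on the pair with this
// contract as msg.sender, including transferFrom() against other holders who had
// previously approved this contract and still hold an LP balance.
contract ZapOutVulnerable {
    function zapOutWithPermit(address pair, uint256 amount, bytes calldata permitData) external {
        (bool ok, ) = pair.call(permitData);   // no check that this is a permit for msg.sender
        require(ok, "permit call failed");
        require(IUniswapV2Pair(pair).transferFrom(msg.sender, pair, amount), "transfer failed");
        IUniswapV2Pair(pair).burn(msg.sender);
    }
}

// HARDENED pattern: only the signature fields come from the caller; the selector, owner,
// spender and value are fixed on-chain, so the pair can only ever be asked for a permit
// naming msg.sender as owner and this contract as spender.
contract ZapOutFixed {
    function zapOutWithPermit(address pair, uint256 amount, uint256 deadline,
                              uint8 v, bytes32 r, bytes32 s) external {
        // Assumption (not from the postmortem): in production also verify that `pair`
        // was deployed by the known factory before trusting it.
        IUniswapV2Pair(pair).permit(msg.sender, address(this), amount, deadline, v, r, s);
        require(IUniswapV2Pair(pair).transferFrom(msg.sender, pair, amount), "transfer failed");
        IUniswapV2Pair(pair).burn(msg.sender);
    }
}
```

The hardened version is what the postmortem's "parameters for the permit call will be computed on-chain" amounts to in practice: the signature still comes from the user, but the contract, not the caller, decides which function is invoked and with what arguments.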
Zapper Finance offers a homepage for crypto traders to manage their portfolio from a central location. As part of this service, users grant Zapper's contracts the ability to pull funds out of their wallets.
A vulnerability was found that would have let an attacker use these same functions to steal users' funds. However, thanks to responsible disclosure, the issue was fixed before any user suffered a loss.
HOW COULD THIS HAVE BEEN PREVENTED?
By approving the Zapper contracts to move tokens on their behalf, participating users effectively turn their wallet into a hot wallet. Users can protect themselves by not leaving balances behind after zapping out, which Zapper indicated is what most users do.
In this case, no losses occurred because of responsible disclosure. Bug bounties and security audits are an excellent way to reduce risk; however, they are not fool-proof.
No Title (Jul 30)
Zapper Arbitrary Call Data Bug Fix Postmortem (Jul 30)
@lucash_dev Twitter (Jul 30)
Zapper - Dashboard for DeFi (Aug 24)
Zapper.fi Tutorial: Manage & Track DeFi Assets in One Simple Interface - YouTube (Aug 24)
DeFi Deep Dive - Zapping into DeFi with Zapper.fi - Ivan on Tech Academy (Aug 24)
DeFi Dashboard Zapper Raises $15M to Build On-Platform App Store (Aug 24)
Post Mortem Sushiswap Uniswap V2 Zap Out Exploit (Aug 31)
