Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/spectrafinanceroutingutilitycommandexploit.php}} {{Unattributed Sources}} Spectra Finance Logo/HomepageSpectra is a decentralized interest rate derivatives protocol. Users can use the service obtain a fixed rate loan, trade yield, or earn a return on their liquidity. An unfortunate vulnerability allowed tokens to be stolen from users who signed a partic..."

2024-10-25T20:04:23Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/spectrafinanceroutingutilitycommandexploit.php}} {{Unattributed Sources}} thumb|Spectra Finance Logo/HomepageSpectra is a decentralized interest rate derivatives protocol. Users can use the service obtain a fixed rate loan, trade yield, or earn a return on their liquidity. An unfortunate vulnerability allowed tokens to be stolen from users who signed a partic..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/spectrafinanceroutingutilitycommandexploit.php}}
{{Unattributed Sources}}

[[File:Spectrafinance.jpg|thumb|Spectra Finance Logo/Homepage]]Spectra is a decentralized interest rate derivatives protocol. Users can use the service obtain a fixed rate loan, trade yield, or earn a return on their liquidity. An unfortunate vulnerability allowed tokens to be stolen from users who signed a particular variant of withdrawal transaction, due to a vulnerability in the routing utility. Multiple protocol users were tricked into signing such a transaction and lost their assets. <ref name="slowmisthackedarchive-15167" /><ref name="spectrafinancetwitter-15168" /><ref name="spectrafinancetwitter-15169" /><ref name="spectrafinance-15170" /><ref name="spectrafinancedocs-15171" /><ref name="spectrafinancetwitter-15172" /><ref name="mirror-15173" /><ref name="etherscan-15174" /><ref name="etherscan-15175" /><ref name="etherscan-15176" /><ref name="spectrafinancetwitter-15177" /><ref name="etherscan-15178" /><ref name="etherscan-15179" />

== About Spectra Finance ==
"Fix Rates, Trade Yield, Earn On Your Liquidity or Build Apps"

"Individual to organisation. Basic strategy to advanced. Spectra helps you connect the dots."

"Spectra is an EVM-centric protocol for interest rate derivatives with an easy-to-use flagship app.

The Spectra protocol is permissionless, meaning its services are entirely open for public use. Anyone can create new markets at will, swap yield derivatives, or become a liquidity provider."

"Spectra is a decentralized interest rate derivatives protocol with different entities and individuals contributing to its development and adoption.

Spectra Protocol: A decentralized, permissionless interest rate protocol that permanently exists on the Ethereum Virtual Machine.

The Spectra App: a flagship interface that allows easy interactions with the Spectra protocol. Multiple protocol interfaces can exist.

Spectra Governance: A governance system for governing the Spectra Protocol, enabled by the APW token."

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
"DeFi protocol Spectra suffered an attack, resulting in a loss of approximately $550,000."
{| class="wikitable"
|+Key Event Timeline - Spectra Finance Routing Utility Command Exploit
!Date
!Event
!Description
|-
|June 5th, 2024 7:54:00 AM MDT
|Launch Announcement
|The Spectra Finance application is brought live and promoted on Twitter.
|-
|July 17th, 2024 9:19:23 PM MDT
|Attack Contract Created
|The attack contract is created on the blockchain.
|-
|July 23rd, 2024 9:11:11 AM MDT
|First Victim Exploited
|The attack transaction which is involved in exploiting the first victim of this attack.
|-
|July 23rd, 2024 12:16:00 PM MDT
|Spectra Finance Tweet
|The Spectra Finance team tweets an update that there was a coordinated attack against the applications user interface.
|-
|July 23rd, 2024 2:02:35 PM MDT
|TornadoCash Transfers
|The attacker starts to route the resulting funds through TornadoCash.
|-
|July 23rd, 2024 4:03:23 PM MDT
|On Chain Message To Attacker
|An on-chain message to the attacker offers them a 10% bounty and amnesty if they return the remaining funds. There is a threat of the 10% bounty applying to their capture if they do not return the funds withing a July 26th deadline.
|-
|July 24th, 2024 4:55:56 AM MDT
|Post Mortem Published
|Spectra Finance publishes a post-mortem on Medium to outline the events which happened as part of the breach.
|}

== Technical Details ==
"A suspicious Discord user, believed to be the attacker, started making false claims about issues with Spectra's YT token contracts to prompt users to withdraw funds. Those who attempted to withdraw were required to approve the transaction first, making them vulnerable to the attack."

"The incident resulted from the exploitation of a command in the routing utility contract. This command allowed Spectra users to enter and exit the pool with a token of their choice. After prompting users to leave the pool the attacker exploited the command in order to sweep funds once a user unknowingly approved the transaction on the router."

== Total Amount Lost ==
"The attacker managed to hijack user transactions, resulting in a loss of around 168 ETH. The attack occurred on Ethereum Mainnet."

The total amount lost has been estimated at $550,000 USD.

== Immediate Reactions ==
"Upon identifying the attack vector, [the Spectra] team promptly activated an incident response plan, disabling the Spectra App and terminating router contracts that enabled the attacker to hijack transactions.

As a precaution, Principal Token contracts were paused, preventing token exchanges at Curve's pool level (Spectra's primary AMM). The contracts were unpaused at approximately 9 PM UTC the very same day."

The Spectra "team’s swift reaction enabled [them] to limit the effects as a total of 4 wallets were impacted."

"Spectra has disabled the application and terminated the router contract to contain the situation, while the core protocol contract remains unaffected. Security personnel Chaofan Shou indicated that the attack stemmed from an arbitrary call in the router contract, allowing the attacker to drain all tokens approved by the contract."

== Ultimate Outcome ==
"On July 24th, Spectra released a security incident analysis report, stating that the attacker hijacked user transactions on Spectra, affecting a total of 4 wallets and causing a loss of approximately 168 ETH. The core protocol contract of Spectra remains unaffected, with the funds within the contract secure. The application was restored on the morning of July 24th."

"The Spectra App has been disabled and router contracts terminated to contain a coordinated attack on our users' interactions with the app.

The attack began today around 3 PM UTC and affected some users depositing and withdrawing from the app.

The situation is under control, the core protocol contracts are not affected and the funds inside them are safe.

The works are in full steam to reinstate the Spectra App and release a post-mortem as soon as possible."

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="slowmisthackedarchive-15167">[https://web.archive.org/web/20240826170353/https://hacked.slowmist.io/?c=&page=2 SlowMist Hacked - SlowMist Zone] (Accessed Aug 30, 2024)</ref>

<ref name="spectrafinancetwitter-15168">[https://twitter.com/spectra_finance/status/1815813300111786488 @spectra_finance Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="spectrafinancetwitter-15169">[https://twitter.com/spectra_finance/status/1798352774083821882 @spectra_finance Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="spectrafinance-15170">[https://www.spectra.finance/ Spectra - Open Interest Rate Derivatives Protocol] (Accessed Aug 30, 2024)</ref>

<ref name="spectrafinancedocs-15171">[https://docs.spectra.finance/ Spectra Overview | Spectra] (Accessed Aug 30, 2024)</ref>

<ref name="spectrafinancetwitter-15172">[https://twitter.com/spectra_finance/status/1816066543777612248 @spectra_finance Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="mirror-15173">[https://mirror.xyz/spectraprotocol.eth/7Y1L_0y8CxA5rkneK5DAUelhb8v3GLEeGbEX39y9790 23 July 2024 Incident Post-Mortem — Spectra] (Accessed Aug 30, 2024)</ref>

<ref name="etherscan-15174">[https://etherscan.io/address/0x53635bf7b92b9512f6de0eb7450b26d5d1ad9a4c Address 0x53635bf7b92b9512f6de0eb7450b26d5d1ad9a4c | Etherscan] (Accessed Aug 30, 2024)</ref>

<ref name="etherscan-15175">[https://etherscan.io/tx/0xedaf589eeadeef73cfea85e41b6995e299dba144d1ef2a6c72f03348b72c12e3 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Aug 30, 2024)</ref>

<ref name="etherscan-15176">[https://etherscan.io/tx/0x184c4273489fa81fa5d9cf6ae80080b6277712dafec408d166ed1cf9c78037fe Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Aug 30, 2024)</ref>

<ref name="spectrafinancetwitter-15177">[https://twitter.com/spectra_finance/status/1816066686237184461 @spectra_finance Twitter] (Accessed Aug 30, 2024)</ref>

<ref name="etherscan-15178">[https://etherscan.io/tx/0xda57ce2dc51ca7a04c797b06cb39842017da23242bc4836009fb7db293c4a253 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Aug 30, 2024)</ref>

<ref name="etherscan-15179">[https://etherscan.io/tx/0x18ecbd1d74dd6f89537999680d90126b35951b499d9c4d545a35b40882153db7 Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Aug 30, 2024)</ref></references>

Spectra Finance Routing Utility Command Exploit - Revision history