Iron Finance Burned: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/ironfinanceburned.php}} thumb|Iron FinanceIron Finance offered a new form of stablecoin which took a hybrid approach. A couple of liquidity pools on the platform were used to exchange between their "Iron" token and SIL or BUSD. These pools were breached. The project appears to have made an effort to reimburse affected users in full. This is a global/international case n...") |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/ironfinanceburned.php}} | {{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/ironfinanceburned.php}} | ||
{{Unattributed Sources}} | |||
[[File:Ironfinance.jpg|thumb|Iron Finance]]Iron Finance offered a new form of stablecoin which took a hybrid approach. | [[File:Ironfinance.jpg|thumb|Iron Finance]]Iron Finance offered a new form of stablecoin which took a hybrid approach. | ||
| Line 7: | Line 8: | ||
The project appears to have made an effort to reimburse affected users in full. | The project appears to have made an effort to reimburse affected users in full. | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country.<ref name="slowmisthacked-678" /><ref name="youtube-938" /><ref name="ironfinancetwitter-939" /><ref name="zephyrnet-940" /><ref name="beincrypto-941" /><ref name="ironfinancemedium-942" /><ref name="valuedefiannouncementstelegram-943" /><ref name="bscscan-944" /><ref name="bscdotnews-945" /><ref name="ironfinancemedium-946" /><ref name="reddit-947" /><ref name="googledoc-948" /><ref name="ironfinancetwitter-949" /><ref name="openblocksecgithub-2342" /> | ||
== About Iron Finance == | == About Iron Finance == | ||
| Line 35: | Line 36: | ||
Don't Include: | Don't Include: | ||
* Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | * Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed. | ||
* Anything that wasn't reasonably knowable at the time of the event. | * Anything that wasn't reasonably knowable at the time of the event. | ||
| Line 56: | Line 56: | ||
!Description | !Description | ||
|- | |- | ||
|March 16th, 2021 | |March 16th, 2021 | ||
| | |Main Event | ||
| | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
|- | |- | ||
| | | | ||
| Line 68: | Line 64: | ||
| | | | ||
|} | |} | ||
== Technical Details == | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | |||
== Total Amount Lost == | == Total Amount Lost == | ||
The total amount lost | The total amount lost has been estimated at $170,000 USD. | ||
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie? | ||
| Line 81: | Line 80: | ||
== Total Amount Recovered == | == Total Amount Recovered == | ||
There do not appear to have been any funds recovered in this case. | |||
What funds were recovered? What funds were reimbursed for those affected users? | What funds were recovered? What funds were reimbursed for those affected users? | ||
| Line 87: | Line 86: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
== General Prevention Policies == | |||
== Prevention Policies == | |||
Decentralized smart contracts are essentially hot wallets. It is impossible to prove the security. | Decentralized smart contracts are essentially hot wallets. It is impossible to prove the security. | ||
If funds can't be stored in an offline multi-signature wallet, then a fund should be available for reimbursement of the full amount. | If funds can't be stored in an offline multi-signature wallet, then a fund should be available for reimbursement of the full amount. | ||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Placeholder}} | |||
{{Prevention:Individuals:End}} | |||
== Platform Prevention Policies == | |||
{{Prevention:Platforms:Placeholder}} | |||
{{Prevention:Platforms:End}} | |||
== Regulatory Prevention Policies == | |||
{{Prevention:Regulators:Placeholder}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May | <references><ref name="slowmisthacked-678">[https://hacked.slowmist.io/en/?c=ETH%20DApp SlowMist Hacked - SlowMist Zone] (May 18, 2021)</ref> | ||
[https://www.youtube.com/watch?v=bYWsOpfAJW0 Mint and Redeem on Iron Finance - YouTube] (May | <ref name="youtube-938">[https://www.youtube.com/watch?v=bYWsOpfAJW0 Mint and Redeem on Iron Finance - YouTube] (May 25, 2021)</ref> | ||
[https://twitter.com/IronFinance/status/1371834334454411266 @IronFinance Twitter] (May | <ref name="ironfinancetwitter-939">[https://twitter.com/IronFinance/status/1371834334454411266 @IronFinance Twitter] (May 25, 2021)</ref> | ||
[https://zephyrnet.com/iron-finance-defi-exploit-explained-in-post-mortem/ Iron Finance DeFi Exploit Explained in Post Mortem] (May | <ref name="zephyrnet-940">[https://zephyrnet.com/iron-finance-defi-exploit-explained-in-post-mortem/ Iron Finance DeFi Exploit Explained in Post Mortem] (May 26, 2021)</ref> | ||
[https://beincrypto.com/iron-finance-defi-exploit-explained-post-mortem/ Iron Finance DeFi Exploit Explained in Post Mortem - BeInCrypto] (May | <ref name="beincrypto-941">[https://beincrypto.com/iron-finance-defi-exploit-explained-post-mortem/ Iron Finance DeFi Exploit Explained in Post Mortem - BeInCrypto] (May 26, 2021)</ref> | ||
[https://ironfinance.medium.com/iron-finance-vfarms-incident-post-mortem-16-march-2021-114e58d1eaac Iron Finance Vfarms Incident Post Mortem 16 March 2021] (May | <ref name="ironfinancemedium-942">[https://ironfinance.medium.com/iron-finance-vfarms-incident-post-mortem-16-march-2021-114e58d1eaac Iron Finance Vfarms Incident Post Mortem 16 March 2021] (May 26, 2021)</ref> | ||
[https://t.me/ValueDefi_Announcements/325 Telegram: Contact @ValueDefi_Announcements] (May | <ref name="valuedefiannouncementstelegram-943">[https://t.me/ValueDefi_Announcements/325 Telegram: Contact @ValueDefi_Announcements] (May 26, 2021)</ref> | ||
[https://bscscan.com/address/0x69655181a55755adc854cd35c15995393f63e9e5 Address 0x69655181a55755adc854cd35c15995393f63e9e5 | BscScan] (May | <ref name="bscscan-944">[https://bscscan.com/address/0x69655181a55755adc854cd35c15995393f63e9e5 Address 0x69655181a55755adc854cd35c15995393f63e9e5 | BscScan] (May 26, 2021)</ref> | ||
[https://www.bsc.news/post/iron-finance-the-first-partial-collateralized-stablecoin-on-binance-smart-chain Iron Finance: The First Partial-Collateralized Stablecoin on Binance Smart Chain] (May | <ref name="bscdotnews-945">[https://www.bsc.news/post/iron-finance-the-first-partial-collateralized-stablecoin-on-binance-smart-chain Iron Finance: The First Partial-Collateralized Stablecoin on Binance Smart Chain] (May 26, 2021)</ref> | ||
[https://ironfinance.medium.com/iron-the-first-partial-collateralized-stablecoin-on-binance-smart-chain-8c22c426cace Iron The First Partial Collateralized Stablecoin On Binance Smart Chain] (May | <ref name="ironfinancemedium-946">[https://ironfinance.medium.com/iron-the-first-partial-collateralized-stablecoin-on-binance-smart-chain-8c22c426cace Iron The First Partial Collateralized Stablecoin On Binance Smart Chain] (May 26, 2021)</ref> | ||
[https://www.reddit.com/r/IronFinance/comments/n3vg9q/what_is_iron_finance/ What is IRON Finance? : IronFinance] (May | <ref name="reddit-947">[https://www.reddit.com/r/IronFinance/comments/n3vg9q/what_is_iron_finance/ What is IRON Finance? : IronFinance] (May 26, 2021)</ref> | ||
[https://docs.google.com/forms/d/e/1FAIpQLSf1E8fNZWexobzxt-YKrm5Clh6xLnoMpsB-VE0NVdSvlsUBtQ/viewform Iron Finance vFarms incident (16 March 2021)] (May | <ref name="googledoc-948">[https://docs.google.com/forms/d/e/1FAIpQLSf1E8fNZWexobzxt-YKrm5Clh6xLnoMpsB-VE0NVdSvlsUBtQ/viewform Iron Finance vFarms incident (16 March 2021)] (May 26, 2021)</ref> | ||
[https://twitter.com/IronFinance/status/1371864213942046723 @IronFinance Twitter] (May | <ref name="ironfinancetwitter-949">[https://twitter.com/IronFinance/status/1371864213942046723 @IronFinance Twitter] (May 26, 2021)</ref> | ||
[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug | <ref name="openblocksecgithub-2342">[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 11, 2021)</ref></references> | ||
Latest revision as of 12:59, 2 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Iron Finance offered a new form of stablecoin which took a hybrid approach.
A couple of liquidity pools on the platform were used to exchange between their "Iron" token and SIL or BUSD. These pools were breached.
The project appears to have made an effort to reimburse affected users in full.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14]
About Iron Finance
Iron Finance offers "a Partially-collateralized Stablecoin on the Binance Smart Chain". The iron token is "pegged to $1, partly backed by collateral like BUSD, and partially backed by STEEL. The collateralized ratio (CR), which is the collateralized and algorithmic ratio, depends on the market pricing of IRON. If the market demand for IRON is high, the system can be de-collateralized by decreasing the CR vis-a-vis when the demand is decreased."
"The latest decentralized finance protocol to get exploited is Iron Finance. The platform lost $170,000 from its liquidity pools following erroneous actions by the team." "Two vFarm liquidity pools (50% IRON—50% SIL pool; 50% IRON—50% BUSD pool) lost a total of 170,000 US dollars. Later, the official publication of the incident stated that: 1. The cause of the attack was due to the upgrade of the cloud service (FaaS) and the change in the reward rate integer, but the official team was not aware of the problem. Later, an attacker made a profit of 170,000 U.S. dollars by selling all the local token SIL rewards. 2. The Iron Finance smart contract has no loopholes. 3. vFarms will be restarted on March 18th, and SIL tokens will be restarted to sIRON. 4. Users should not sell or exchange IRON tokens for the time being. When the new pool is restarted, the full amount of BUSD can be redeemed. The Iron Finance agreement was launched on the BSC in early March. The IRON stablecoin is pegged to the U.S. dollar, partly backed by collateral such as BUSD and USDT, and partly backed by the SIL algorithm."
As explained by Value DeFi: "There has been an upgrade on FaaS, in which the reward rate is in normal integer instead of Ggwei as before. Unfortunately, Iron.Finance team was unware of the change and updated Iron vFarm pools with reward rate in Gwei. This caused the pools' rewards inflated by 10^18 times."
"Two Iron Finance vFarm pools were recently subject to an incident that resulted in the loss of user deposits." "A user who farmed in these two pools, claimed all SIL rewards allocated for farming over the next 12 months and made a profit of around $170k by selling SIL for BUSD on vSwap." "The bad actor(s) made off with $170,000 worth of its native SIL tokens. These were then sold for BUSD (Binance’s stablecoin) on the markets."
"It explained that vFarms will be relaunched on March 18 and the SIL token will be relaunched as sIRON. Iron Finance also published a document for affected users to enter their details. This is likely to help coordinate a refund process for the new tokens." "If you are an affected user by the Iron Finance vFarms incident (16 March 2021)" "Please fill out the following form. If you had more than 1 address with SIL or IRON, please submit these in separate forms."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| March 16th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
The total amount lost has been estimated at $170,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Decentralized smart contracts are essentially hot wallets. It is impossible to prove the security.
If funds can't be stored in an offline multi-signature wallet, then a fund should be available for reimbursement of the full amount.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist Hacked - SlowMist Zone (May 18, 2021)
- ↑ Mint and Redeem on Iron Finance - YouTube (May 25, 2021)
- ↑ @IronFinance Twitter (May 25, 2021)
- ↑ Iron Finance DeFi Exploit Explained in Post Mortem (May 26, 2021)
- ↑ Iron Finance DeFi Exploit Explained in Post Mortem - BeInCrypto (May 26, 2021)
- ↑ Iron Finance Vfarms Incident Post Mortem 16 March 2021 (May 26, 2021)
- ↑ Telegram: Contact @ValueDefi_Announcements (May 26, 2021)
- ↑ Address 0x69655181a55755adc854cd35c15995393f63e9e5 | BscScan (May 26, 2021)
- ↑ Iron Finance: The First Partial-Collateralized Stablecoin on Binance Smart Chain (May 26, 2021)
- ↑ Iron The First Partial Collateralized Stablecoin On Binance Smart Chain (May 26, 2021)
- ↑ What is IRON Finance? : IronFinance (May 26, 2021)
- ↑ Iron Finance vFarms incident (16 March 2021) (May 26, 2021)
- ↑ @IronFinance Twitter (May 26, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)