Dot Finance Minting Vulnerability: Difference between revisions
(Created page with "{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/dotfinancemintingvulnerability.php}} thumb|Dot FinanceDot Finance offers an innovative yield farm. Despite two audits, their smart contract still suffered from a minting vulnerability. Their platform token dropped in value as the additional tokens were sold. There is no mention of the breach on their social media or website. It's unclear if anything was done to address it....") |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{Imported Case Study|source=https://www.quadrigainitiative.com/casestudy/dotfinancemintingvulnerability.php}} | {{Imported Case Study 2|source=https://www.quadrigainitiative.com/casestudy/dotfinancemintingvulnerability.php}} | ||
{{Unattributed Sources}} | |||
[[File:Dotfinance.jpg|thumb|Dot Finance]]Dot Finance offers an innovative yield farm. Despite two audits, their smart contract still suffered from a minting vulnerability. Their platform token dropped in value as the additional tokens were sold. There is no mention of the breach on their social media or website. It's unclear if anything was done to address it. | [[File:Dotfinance.jpg|thumb|Dot Finance]]Dot Finance offers an innovative yield farm. Despite two audits, their smart contract still suffered from a minting vulnerability. Their platform token dropped in value as the additional tokens were sold. There is no mention of the breach on their social media or website. It's unclear if anything was done to address it. | ||
This is a global/international case not involving a specific country. | This is a global/international case not involving a specific country.<ref name="openblocksecgithub-2342" /><ref name="knownsecblockchainlabmedium-3693" /><ref name="inspexcomedium-3694" /><ref name="bscscan-3695" /><ref name="bscscan-3696" /><ref name="bscscan-3697" /><ref name="bscscan-3698" /><ref name="dotfinance-3699" /><ref name="firebasestorage-3700" /><ref name="dotfinancedocs-3701" /><ref name="dotfinancedocs-3702" /> | ||
== About Dot Finance == | == About Dot Finance == | ||
| Line 58: | Line 59: | ||
!Description | !Description | ||
|- | |- | ||
|August 25th, 2021 | |August 25th, 2021 | ||
|Main Event | |Main Event | ||
|Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | |Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. | ||
| Line 66: | Line 67: | ||
| | | | ||
|} | |} | ||
== Technical Details == | |||
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited? | |||
== Total Amount Lost == | == Total Amount Lost == | ||
| Line 85: | Line 89: | ||
== Ongoing Developments == | == Ongoing Developments == | ||
What parts of this case are still remaining to be concluded? | What parts of this case are still remaining to be concluded? | ||
== General Prevention Policies == | |||
== Prevention Policies == | |||
Complex smart contracts can generally not be considered secure, however one method of mitigation might be to ensure that the minting always involves a multi-sig of trusted team members. To reduce burdens, tokens can get minted only with multi-sig approval, and sit in the smart contract hot wallet, from which they are distributed. This prevents additional minting and provides an upper cap to the possible breach. | Complex smart contracts can generally not be considered secure, however one method of mitigation might be to ensure that the minting always involves a multi-sig of trusted team members. To reduce burdens, tokens can get minted only with multi-sig approval, and sit in the smart contract hot wallet, from which they are distributed. This prevents additional minting and provides an upper cap to the possible breach. | ||
Typical methods of dealing with a breach are to launch a second token and provide it to the original affected users based on what they had prior to the breach. This requires special care for situations where tokens were bought or sold after the breach. | Typical methods of dealing with a breach are to launch a second token and provide it to the original affected users based on what they had prior to the breach. This requires special care for situations where tokens were bought or sold after the breach. | ||
== Individual Prevention Policies == | |||
{{Prevention:Individuals:Placeholder}} | |||
{{Prevention:Individuals:End}} | |||
== Platform Prevention Policies == | |||
{{Prevention:Platforms:Placeholder}} | |||
{{Prevention:Platforms:End}} | |||
== Regulatory Prevention Policies == | |||
{{Prevention:Regulators:Placeholder}} | |||
{{Prevention:Regulators:End}} | |||
== References == | == References == | ||
[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug | <references><ref name="openblocksecgithub-2342">[https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub] (Aug 11, 2021)</ref> | ||
[https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-dot-finance-flash-loan-security-incident-analysis-98f7b5707a15 https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-dot-finance-flash-loan-security-incident-analysis-98f7b5707a15] (Sep | <ref name="knownsecblockchainlabmedium-3693">[https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-dot-finance-flash-loan-security-incident-analysis-98f7b5707a15 https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-dot-finance-flash-loan-security-incident-analysis-98f7b5707a15] (Sep 19, 2021)</ref> | ||
[https://inspexco.medium.com/collection-of-insecure-ways-for-mint-amount-calculation-dot-finance-incident-analysis-15b901af4475 Collection Of Insecure Ways For Mint Amount Calculation Dot Finance Incident Analysis] (Sep | <ref name="inspexcomedium-3694">[https://inspexco.medium.com/collection-of-insecure-ways-for-mint-amount-calculation-dot-finance-incident-analysis-15b901af4475 Collection Of Insecure Ways For Mint Amount Calculation Dot Finance Incident Analysis] (Sep 19, 2021)</ref> | ||
[https://bscscan.com/address/0xDFD78a977c08221822F6699AD933869Da6d9720C Address 0xDFD78a977c08221822F6699AD933869Da6d9720C | BscScan] (Oct | <ref name="bscscan-3695">[https://bscscan.com/address/0xDFD78a977c08221822F6699AD933869Da6d9720C Address 0xDFD78a977c08221822F6699AD933869Da6d9720C | BscScan] (Oct 7, 2021)</ref> | ||
[https://bscscan.com/address/0x33f9bB37d60Fa6424230e6Cf11b2d47Db424C879 Contract Address 0x33f9bB37d60Fa6424230e6Cf11b2d47Db424C879 | BscScan] (Oct | <ref name="bscscan-3696">[https://bscscan.com/address/0x33f9bB37d60Fa6424230e6Cf11b2d47Db424C879 Contract Address 0x33f9bB37d60Fa6424230e6Cf11b2d47Db424C879 | BscScan] (Oct 7, 2021)</ref> | ||
[https://bscscan.com/tx/0x68170a309ab2e944e178ccf9bf6f19e25a3f356031ce53539bb9669fc77172f2 Binance Transaction Hash (Txhash) Details | BscScan] (Oct | <ref name="bscscan-3697">[https://bscscan.com/tx/0x68170a309ab2e944e178ccf9bf6f19e25a3f356031ce53539bb9669fc77172f2 Binance Transaction Hash (Txhash) Details | BscScan] (Oct 7, 2021)</ref> | ||
[https://www.bscscan.com/address/0xfc3920bcffb412e2686e76c194cd8935bd651a90#code Contract Address 0xfc3920bcffb412e2686e76c194cd8935bd651a90 | BscScan] (Oct | <ref name="bscscan-3698">[https://www.bscscan.com/address/0xfc3920bcffb412e2686e76c194cd8935bd651a90#code Contract Address 0xfc3920bcffb412e2686e76c194cd8935bd651a90 | BscScan] (Oct 7, 2021)</ref> | ||
[https://dot.finance/ Dot Finance | Experience the future of DeFi] (Oct | <ref name="dotfinance-3699">[https://dot.finance/ Dot Finance | Experience the future of DeFi] (Oct 7, 2021)</ref> | ||
[https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-M_CaMTpZw2UU5MkRroL%2F-MkmjS4unVTrNdyKejYh%2F-MkmkrxKRXI2J2DEVzvT%2FDOTFinance%20SC%20Audit%20-%20Hacken.pdf?alt=media&token=19fb215c-d8a2-496b-893c-ceea2206f903 https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-M_CaMTpZw2UU5MkRroL%2F-MkmjS4unVTrNdyKejYh%2F-MkmkrxKRXI2J2DEVzvT%2FDOTFinance%20SC%20Audit%20-%20Hacken.pdf?alt=media&token=19fb215c-d8a2-496b-893c-ceea2206f903] (Oct | <ref name="firebasestorage-3700">[https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-M_CaMTpZw2UU5MkRroL%2F-MkmjS4unVTrNdyKejYh%2F-MkmkrxKRXI2J2DEVzvT%2FDOTFinance%20SC%20Audit%20-%20Hacken.pdf?alt=media&token=19fb215c-d8a2-496b-893c-ceea2206f903 https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-M_CaMTpZw2UU5MkRroL%2F-MkmjS4unVTrNdyKejYh%2F-MkmkrxKRXI2J2DEVzvT%2FDOTFinance%20SC%20Audit%20-%20Hacken.pdf?alt=media&token=19fb215c-d8a2-496b-893c-ceea2206f903] (Oct 7, 2021)</ref> | ||
[https://docs.dot.finance/ https://docs.dot.finance/] (Oct | <ref name="dotfinancedocs-3701">[https://docs.dot.finance/ https://docs.dot.finance/] (Oct 7, 2021)</ref> | ||
[https://docs.dot.finance/guides/how-to-guide https://docs.dot.finance/guides/how-to-guide] (Oct | <ref name="dotfinancedocs-3702">[https://docs.dot.finance/guides/how-to-guide https://docs.dot.finance/guides/how-to-guide] (Oct 7, 2021)</ref></references> | ||
Latest revision as of 19:28, 3 May 2023
Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Dot Finance offers an innovative yield farm. Despite two audits, their smart contract still suffered from a minting vulnerability. Their platform token dropped in value as the additional tokens were sold. There is no mention of the breach on their social media or website. It's unclear if anything was done to address it.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11]
About Dot Finance
"DeFi Aggregator for the Polkadot Ecosystem. Maximize your returns with innovative yield optimization strategies." "Dot.Finance was developed to spur Polkadot’s growth trajectory by reducing barriers to participation while maximizing the performance and efficiency of assets and tokens that are deployed to different DeFi products."
"Dot.Finance is designed to bring DeFi to a wide range of users and will help increase user exposure to the many benefits of the Polkadot ecosystem. This will help grow adoption of not just the Polkadot framework but the many new DeFi products and services that Dot.Finance is building on top of Polkadot’s safe, secure, and resilient architecture."
"To use Dot.Finance farms you must have the farm's LP (liquidity Pool) token from PancakeSwap (PCS) - also known as "Flip" tokens. To get LP tokens you must provide liquidity for it's pool on PCS with it's underlying tokens. e.g. for the DOT-BNB LP token, you need DOT and BNB tokens."
"Starting from Aug 25, 2021, 09:06:30 AM UTC," "Dot Finance, the DeFi protocol on the BSC chain, was attacked by flash loans."
"The ultimate goal behind these attacks is to manipulate profit used by performanceFee for calculating the minting amount. We can trace back this attack chain simply by looking at mintFor functions." "amountPinkToMint() function takes contribution which is calculated from the value of asset and _performanceFee. The manipulated profit can be clearly seen by debugging function calls associated with the transaction."
Attack process: "(1) Hackers use PancakeSwap flash loan to obtain initial funds of 100 Cake tokens. (2) By inserting Cake tokens into the VaultPinkBNB contract, the getReward function can be used to obtain the real value of the Cake tokens of the contract. At the same time, the performanceFee parameter is greatly affected by the real value of Cake tokens. (3) Finally, the mintFor function uses the affected performanceFee parameters to mint a large amount of pink tokens to reward hackers."
"We suspect that this flaw might be inherited by forking other platform codes without properly eradicating or remediating the root cause. With the condition that the TVL of the affected pool must be very low, an attacker has to act fast to initiate a profitable attack."
"[I]ts value dropped by nearly 35%."
This is a global/international case not involving a specific country.
The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.
Include:
- Known history of when and how the service was started.
- What problems does the company or service claim to solve?
- What marketing materials were used by the firm or business?
- Audits performed, and excerpts that may have been included.
- Business registration documents shown (fake or legitimate).
- How were people recruited to participate?
- Public warnings and announcements prior to the event.
Don't Include:
- Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
- Anything that wasn't reasonably knowable at the time of the event.
There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| August 25th, 2021 | Main Event | Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here. |
Technical Details
This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?
Total Amount Lost
The total amount lost has been estimated at $429,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
General Prevention Policies
Complex smart contracts can generally not be considered secure, however one method of mitigation might be to ensure that the minting always involves a multi-sig of trusted team members. To reduce burdens, tokens can get minted only with multi-sig approval, and sit in the smart contract hot wallet, from which they are distributed. This prevents additional minting and provides an upper cap to the possible breach.
Typical methods of dealing with a breach are to launch a second token and provide it to the original affected users based on what they had prior to the breach. This requires special care for situations where tokens were bought or sold after the breach.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
- ↑ https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-dot-finance-flash-loan-security-incident-analysis-98f7b5707a15 (Sep 19, 2021)
- ↑ Collection Of Insecure Ways For Mint Amount Calculation Dot Finance Incident Analysis (Sep 19, 2021)
- ↑ Address 0xDFD78a977c08221822F6699AD933869Da6d9720C | BscScan (Oct 7, 2021)
- ↑ Contract Address 0x33f9bB37d60Fa6424230e6Cf11b2d47Db424C879 | BscScan (Oct 7, 2021)
- ↑ Binance Transaction Hash (Txhash) Details | BscScan (Oct 7, 2021)
- ↑ Contract Address 0xfc3920bcffb412e2686e76c194cd8935bd651a90 | BscScan (Oct 7, 2021)
- ↑ Dot Finance | Experience the future of DeFi (Oct 7, 2021)
- ↑ https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-M_CaMTpZw2UU5MkRroL%2F-MkmjS4unVTrNdyKejYh%2F-MkmkrxKRXI2J2DEVzvT%2FDOTFinance%20SC%20Audit%20-%20Hacken.pdf?alt=media&token=19fb215c-d8a2-496b-893c-ceea2206f903 (Oct 7, 2021)
- ↑ https://docs.dot.finance/ (Oct 7, 2021)
- ↑ https://docs.dot.finance/guides/how-to-guide (Oct 7, 2021)