Zabu Finance Staking Calculation Bug
Latest revision as of 19:47, 3 May 2023
Zabu Finance ran yield farms on the Avalanche blockchain. As is typical in exploited cases, user deposits were held in a smart contract hot wallet. The exploit arose from the farm's handling of a deflationary token: the ZABUFarm contract credited SPORE depositors with the amount they sent rather than the smaller amount it actually received after SPORE's transfer tax, which let an attacker drain the pool's SPORE balance through repeated deposit/withdraw cycles and harvest a hugely inflated ZABU reward. The team used a pre-hack snapshot to re-issue tokens in an attempt to compensate affected users. The recovery has been slow to materialize; however, the team appears to still be working at it.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10]
About Zabu Finance
"A Full-Stack DeFi Station on Avalanche" "Zabu Finance is a next-gen Decentralized Finance (DeFi) project on Avalanche. Zabu Finance helps you maximize your yield through a full-fledged ecosystem with yield-aggregation, yield farming, staking, fundraising and focuses on bringing DeFi to everyone in a fun and an easy to understand way!"
"Zabu Farms allow users to earn ZUBAX by staking your Pangolin Liquidity Provider (Pangolin LP) and Trader Joe Liquidity Provider (JOE LP) tokens. Many popular token pairs are available in the platform to choose from, such as ZUBAX-AVAX or ZUBAX-USDT.e. By staking LP tokens, you're supporting the Pangolin exchange and Trader Joe exchange by providing liquidity."
"Everything was from a Pool of $SPORE Token." "Spore has Transfer Tax" similar to YELD or GarudaSwap.
"[O]n September 12, 2021, the Zabu Finance project on Avalanche suffered [a] flashloan attack." "We've been exploited today." "Spore has Transfer Tax so that the attacker used the same mechanism with attacks explained on YELD and GarudaSwap." "The attacker first created two attack contracts, then swapped WAVAX into SPORE tokens through attack contract 1 in Pangolin, and deposited the obtained SPORE tokens to ZABUFarm contract, to prepare for the subsequent acquisition of ZABU token rewards."
"Zabu Team Wallet has not sold a single Zabu. We're under an exploit, possibly from Spore Pool. We're investigating the exploit." "The attack was caused by the incompatibility between Zabu Finance’s staking model and SPORE tokens. There have been many attacks caused by such issues."
"Attacker deployed and interacted with that contract to successfully [pull] out 4.5 billion ZABU tokens in Zabu Farm Contract, dumped all to Pangolin LPs and Trader Joe LPs of ZABU, stole around $600k" "The attacker first created two attack contracts, then swapped WAVAX into SPORE tokens through attack contract 1 in Pangolin, and deposited the obtained SPORE tokens to ZABUFarm contract, to prepare for the subsequent acquisition of ZABU token rewards."
"The attacker borrowed SPORE tokens from Pangolin flashloan by attack contract 2, and then began to use SPORE tokens to conduct `deposit/withdraw` operations in the ZABUFarm contract. Since SPORE tokens need to charge a certain fee during the transfer process (in the SPORE contract), the amount of SPORE tokens actually received by the ZABUFarm contract is less than the amount of staking passed in by the attacker. However, we noticed that the ZABUFarm contract directly recorded the number of staking that user received, instead of recording the actual number of tokens received by the contract, but the ZABUFarm contract allowed the user to withdraw all the staking recorded by the contract when the user took out the staking quantity. This results in the fact that the amount of SPORE tokens actually received by the attacker in the ZABUFarm contract when staking is less than the amount of tokens transferred out of the ZABUFarm contract to the attacker when the attacker withdraws."
"The attacker took advantage of the accounting defect caused by the compatibility between the ZABUFarm contract and the SPORE token, and continuously consumed the SPORE funds in the ZABUFarm contract to a very low value through the `deposit/withdraw` operation. The staking reward of the ZABUFarm contract is calculated by dividing the accumulated block rewards into the total amount of SPORE tokens staking in the contract. Therefore, when the total amount of SPORE tokens in the ZABUFarm contract is reduced to a very low value, it will undoubtedly [produce] a great reward value."
"The thief succeeded in stealing billions of ZABU tokens and dumping them on Pangolin and Trader Joe LP’s." "The attacker obtained a large amount of ZABU token rewards through the previously secured attack contract 1 in ZABUFarm, and then sold ZABU tokens."
"Zabu farmers are recommended to remove their deposits." "@yieldyak_ helped by warning Zabu Farmers to withdraw from their Vaults. We also calmed down people by showing them the team was also victim and burned all team tokens."
"We immediately realized the problem, and first priority is to protect people's funds, single assets staked are safu, ZABU related pools were affected. First was to guide people withdraw funds if they want to protect their stack"
"Then we realized all ZABU rewards in Zabu Farm was exploited. So we set rewardPerBlock to 0 to allow people to withdraw from UI (they could not do it before because there is not rewards to harvest/unstake)"
"We've not sold a single ZABU from Dev Wallet and Treasury Wallet. As all supply is reached in a bad way, we are burning all ZABU in Dev Wallet and Treasury Wallet. Let's come back from hell!"
"We're planning to take the Snapshot and move forward from this hack. The plan is to take snapshot at the time just before the exploit (pre-hack)." "However, there are some people who lost money and bought back in. So we're looking for a solution that protect people (pre-hack) but also support people who aped in post-hack."
"1. Snapshot pre-hack and distribute Zabu V2. 2. Restart V2 Farm with a Zabu V1 Staking Pool." "In that way, people who lost money pre-hack will get distributed the tokens, and continue to support the protocol if they want." "For the late buyer (post-hack), they can also participate in the Farm V2 by staking what they've bought in a Zabu V1 Staking Pool."
"The process of Snapshot might take time as we need to calculate balances of Zabu Holders, Farm Stakers (for Zabu-related Pools) and AutoFarm Stakers (for Zabu-related Pools). We might need help from @iomarkr @DeBankDeFi and @avalancheavax for that work. Then Farm V2 will be open."
"The SlowMist security team recommends that the project staking model should record the actual token changes in the contract before and after the transfer when the project staking model is connected to the deflationary token, instead of relying on the number of staking tokens passed in by the user."
"We received almost no assistance from our partners on the ecosystem, and we felt defeated. We were devastated." "We want to thank our amazing community for sticking by our developers as we have been working non-stop to rebuild from the ashes."
"The past 50 days ha[ve] been very difficult for our community and extremely trying for the Zabu Finance team." "Through the exploit, we learned a hard lesson. And now, we believe we can make something even better. With our new token (ZUBAX) we plan on becoming stronger than ever before." "In just 50 days, we have been able to come back from the exploit and build the 1st decentralized launchpad on Avalanche."
"We are also actively working on new partnerships and promotions and want our investors to know that we are doing everything we can to help pay back those individuals who were affected by September’s exploit." "As ZUBAX and Zabu Finance continue to grow, we will be able to compensate those holders through our NFT buy-back program. We are actively working on rolling this out. We care about our community, and we want to move Zabu Finance forward with better communication and transparency. We have great things coming in our future, and we would love to have you come along for the ride."
What Happened
| Date | Event | Description |
|---|---|---|
| September 12th, 2021 | Main Event | An attacker exploited ZABUFarm's handling of the transfer-tax SPORE token: repeated deposit/withdraw cycles funded by a Pangolin flash loan drained the farm's SPORE balance, which inflated the reward calculation enough for a previously placed stake to harvest about 4.5 billion ZABU. The ZABU was dumped into the Pangolin and Trader Joe ZABU pools for around $600k. ZABU-related farm positions could not be withdrawn through the UI until the team set rewardPerBlock to 0. |
Technical Details
The mechanics SlowMist describes are those of a common MasterChef-style farm. On deposit, ZABUFarm recorded the amount argument the caller passed in. SPORE charges a tax on every transfer, so the contract actually received less than it recorded; on withdrawal it nevertheless paid out the full recorded amount. Each deposit/withdraw round therefore removed the tax difference from the farm's real SPORE balance. Because the reward calculation divides the accumulated block rewards by the SPORE balance the contract actually holds, driving that balance toward zero made the per-share reward explode, and a stake the attacker had placed beforehand through a first contract was credited a correspondingly inflated ZABU reward. A second attacker contract ran the loop with SPORE borrowed from a Pangolin flash loan; the harvest was about 4.5 billion ZABU, sold into the Pangolin and Trader Joe ZABU pools. The fix SlowMist recommends is to credit the depositor with the contract's measured balance change rather than the caller-supplied amount.
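The following Python model is added here as an illustration; it is not code from Zabu Finance or SlowMist. It replays the accounting defect SlowMist describes in the About section above and the fix SlowMist recommends: a MasterChef-style farm that credits the requested deposit amount against a token that burns a 1% transfer tax, beside the same farm crediting only the measured balance change. The token, the farm, the address labels, the tax rate, the reward rate and every amount are assumptions chosen to keep the arithmetic readable.

```python
# Model of the staking-accounting defect described on this page: a MasterChef-style farm that
# credits the amount a depositor *requested* instead of the amount it *received* from a token
# that burns a transfer tax. Added example, not Zabu Finance's or SlowMist's code; the 1% tax,
# the reward rate, the address labels and every amount are assumptions.
PRECISION = 10**12  # accRewardPerShare fixed-point scale used by MasterChef-style farms


class TaxedToken:
    """Minimal ERC20-like token that burns a fee on every transfer ("deflationary")."""
    def __init__(self, tax_bps: int, balances: dict[str, int]) -> None:
        self.tax_bps, self.balances = tax_bps, dict(balances)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer(self, sender: str, to: str, amount: int) -> int:
        """Debit `amount` from sender; the recipient gets amount minus the burned fee."""
        if self.balance_of(sender) < amount:
            raise ValueError(f"{sender}: insufficient balance for {amount}")
        fee = amount * self.tax_bps // 10_000
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[to] = self.balance_of(to) + amount - fee
        return amount - fee


class Farm:
    """Single-pool farm. credit_received=False reproduces the defect; True applies the fix."""
    ADDR = "farm"

    def __init__(self, token: TaxedToken, reward_per_block: int, credit_received: bool) -> None:
        self.token, self.reward_per_block, self.credit_received = token, reward_per_block, credit_received
        self.staked, self.reward_debt = {}, {}  # staked = what the farm *believes* each user deposited
        self.acc_reward_per_share = self.block = self.last_reward_block = 0

    def update_pool(self) -> None:
        # Rewards are spread over the farm's *actual* balance, the quantity the attack drives toward zero.
        supply = self.token.balance_of(self.ADDR)
        if supply > 0:
            blocks = self.block - self.last_reward_block
            self.acc_reward_per_share += blocks * self.reward_per_block * PRECISION // supply
        self.last_reward_block = self.block

    def pending(self, user: str) -> int:
        return self.staked.get(user, 0) * self.acc_reward_per_share // PRECISION - self.reward_debt.get(user, 0)

    def deposit(self, user: str, amount: int) -> int:
        """Stake `amount`; returns the reward paid on this call (deposit(0) is the harvest idiom)."""
        self.update_pool()
        paid = self.pending(user)
        before = self.token.balance_of(self.ADDR)
        self.token.transfer(user, self.ADDR, amount)
        received = self.token.balance_of(self.ADDR) - before
        # Defect: credit `amount`. Fix (SlowMist's advice): credit the measured balance delta.
        self.staked[user] = self.staked.get(user, 0) + (received if self.credit_received else amount)
        self.reward_debt[user] = self.staked[user] * self.acc_reward_per_share // PRECISION
        return paid

    def withdraw(self, user: str, amount: int) -> int:
        """Unstake `amount` of the *recorded* stake; returns the reward paid on this call."""
        if self.staked.get(user, 0) < amount or self.token.balance_of(self.ADDR) < amount:
            raise ValueError("withdraw exceeds recorded stake or farm balance")  # simulated revert
        self.update_pool()
        paid = self.pending(user)
        self.staked[user] -= amount
        self.reward_debt[user] = self.staked[user] * self.acc_reward_per_share // PRECISION
        self.token.transfer(self.ADDR, user, amount)  # pays out what was recorded, not what arrived
        return paid


def run_scenario(credit_received: bool, cycles: int = 19) -> dict:
    """Replay the attack shape against a defective or a fixed farm and report the outcome."""
    # Constructed balances; contract 2's stands in for the flash-loaned SPORE. Tax is 1% (100 bps).
    spore = TaxedToken(100, {"honest_staker": 1_000, "attacker_contract_1": 1_000, "attacker_contract_2": 1_000_000})
    farm = Farm(spore, reward_per_block=100, credit_received=credit_received)
    # Block 0: two ordinary deposits. Contract 1 is the stake that will later harvest rewards.
    farm.deposit("honest_staker", 1_000)
    farm.deposit("attacker_contract_1", 1_000)
    balance_before_loop = spore.balance_of(Farm.ADDR)
    # Still block 0: contract 2 cycles deposit/withdraw. On the defective farm each round
    # brings in 9_900 SPORE but pays out 10_000, so the real balance drops by 100.
    for _ in range(cycles):
        farm.deposit("attacker_contract_2", 10_000)
        farm.withdraw("attacker_contract_2", farm.staked["attacker_contract_2"])
    balance_after_loop, recorded_total = spore.balance_of(Farm.ADDR), sum(farm.staked.values())
    # Block 1: one block of ZABU rewards is divided over whatever SPORE is actually left.
    farm.block = 1
    reward = farm.deposit("attacker_contract_1", 0)
    try:
        farm.withdraw("honest_staker", farm.staked["honest_staker"])
        honest_can_withdraw = True
    except ValueError:
        honest_can_withdraw = False
    return {"farm_balance_before_loop": balance_before_loop, "farm_balance_after_loop": balance_after_loop,
            "recorded_total_stake": recorded_total, "reward_to_attacker_contract_1": reward,
            "honest_staker_can_withdraw": honest_can_withdraw}


if __name__ == "__main__":
    for label, flag in (("defective farm", False), ("fixed farm", True)):
        print(label, run_scenario(credit_received=flag))
```

With the defective accounting, nineteen deposit/withdraw rounds cut the farm's real SPORE balance from 1,980 to 80 while it still records 2,000 as staked; the next block's 100 ZABU of emission is then divided over those 80 tokens, so the attacker's 1,000-token stake alone is credited 1,250 ZABU, and the honest staker's withdrawal reverts because the farm no longer holds what it owes. With balance-delta accounting the farm's balance and its records stay equal through the loop, and the same stake earns 49 of the 100 ZABU, its fair half less rounding.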
Total Amount Lost
The total amount lost has been estimated at $3,200,000 USD.
The team's own account puts the attacker's proceeds at around $600k, obtained by dumping roughly 4.5 billion ZABU into the Pangolin and Trader Joe pools. The cited sources do not explain how the higher $3,200,000 figure was derived, so the two numbers should not be read as measuring the same thing.
Immediate Reactions
The team announced the exploit on Twitter the same day, pointed to the SPORE pool as the likely source, and advised users in ZABU-related farms to withdraw; single-asset pools were reported unaffected. Because all ZABU rewards in the farm had been drained, withdrawals through the UI were failing, so the team set rewardPerBlock to 0 to let users unstake. Yield Yak warned its users to withdraw from Zabu vaults. The team stated it had sold no ZABU from the dev or treasury wallets and burned both balances.
Ultimate Outcome
No investigation, prosecution, lawsuit or on-chain tracing is reported in the cited sources. The team announced a plan to take a snapshot of ZABU holders and of Farm and AutoFarm stakers in ZABU-related pools as of just before the exploit, distribute a Zabu V2 token against it, and open a V2 farm with a Zabu V1 staking pool so that post-hack buyers could also participate. About 50 days later the project relaunched under the ZUBAX token with a launchpad product and said it would compensate affected holders through an NFT buy-back program.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
No stolen funds were recovered. Compensation was to come from the snapshot-based redistribution of the new token and the planned ZUBAX NFT buy-back program rather than from recovered assets.
Ongoing Developments
At the team's last cited update, roughly 50 days after the exploit, the NFT buy-back program intended to compensate affected holders was still being rolled out.
General Prevention Policies
Hot wallets should either not store customer funds, or be insured fully through smart contract insurance or our proposed industry insurance fund. For staking contracts specifically, SlowMist's recommendation applies: when a pool accepts a deflationary or fee-on-transfer token, credit the depositor with the contract's measured balance change (balance after the transfer minus balance before) rather than the amount passed in, so that recorded stakes can never exceed what the contract actually holds and the reward denominator cannot be driven to near zero by deposit/withdraw cycling.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Platforms should test staking and vault contracts against fee-on-transfer and other non-standard tokens before listing them, and should account for deposits by the measured balance change rather than the caller-supplied amount.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
1. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub, https://github.com/openblocksec/blocksec-incidents/blob/main/defi/2021.md (Aug 11, 2021)
2. Zabu - Full-Stack DeFi Station on Avalanche, https://zabu.finance/ (Oct 20, 2021)
3. Introduction - Zabu Finance - Docs, https://docs.zabu.finance/ (Nov 7, 2021)
4. @zabufinance Twitter, https://twitter.com/zabufinance/status/1436844509644537856 (Nov 7, 2021)
5. 0x9ed2D048e90CfFa5e4A778678CBc3acb8A3Abf86 - Avalanche Explorer, https://cchain.explorer.avax.network/address/0x9ed2D048e90CfFa5e4A778678CBc3acb8A3Abf86/transactions (Nov 7, 2021)
6. Contract 0x5c9AD7b877F06e751Ee006A3F27546757BBE53Dd - Avalanche Explorer, https://cchain.explorer.avax.network/address/0x5c9AD7b877F06e751Ee006A3F27546757BBE53Dd/transactions (Nov 7, 2021)
7. Brief Analysis Of Zabu Finance Being Hacked, https://slowmist.medium.com/brief-analysis-of-zabu-finance-being-hacked-44243919ea29 (Nov 7, 2021)
8. @zabufinance Twitter, https://twitter.com/zabufinance/status/1436780056236331012 (Nov 7, 2021)
9. @yieldyak_ Twitter, https://twitter.com/yieldyak_/status/1436786964381028352 (Nov 7, 2021)
10. @zabufinance Twitter, https://twitter.com/zabufinance/status/1455217326710829068 (Nov 7, 2021)