Clober DEX Unguarded Burn Function Reentrancy: Difference between revisions

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Latest revision as of 16:15, 24 January 2025

Clober DEX Logo/Homepage

Clober DEX describes itself as the only fully on-chain order book for the EVM. The EVM (Ethereum Virtual Machine) is the standard execution environment of Ethereum and is widely adopted across many other blockchains. Users can place buy/sell orders and fill each other's orders as on a traditional centralized exchange, but in a decentralized manner. The project obtained two audits, one from Trust Security and another from Kupia Security. However, it subsequently made changes to the protocol which either introduced or exposed a reentrancy vulnerability. This vulnerability was exploited by a hacker to drain 133.7 ETH, which at the time was worth slightly less than the $500k widely cited as the official loss figure. There is no official policy on refunds, but Clober DEX has invited anyone who was affected to reach out to them.[1][2][3][4][5][6][7][8][9]

About Clober DEX

"The Only Fully On-chain Order Book for EVM"

"Clober presents a new algorithm for order book DEX “LOBSTER - Limit Order Book with Segment Tree for Efficient oRder-matching” that enables on-chain order matching and settlement on decentralized smart contract platforms. With Clober, market participants can place limit and market orders in a fully decentralized, trustless way at a manageable cost."

The Reality

According to Trust Security, a firm which did the audit on the original contract, a "recommended fix for a previous bug would have safeguarded the contract despite any CEI violation that would later be introduced. This is a prime example of how following best practices avoids unpredictable and tragic errors down the line."

Kupia Security notes that they "had discussed how a malicious strategy can cause harm to the Rebalancer contract. The protocol team has indicated that this was intentional and not a security issue. We provided a scenario describing a specific type of attack, which, although not a reentrancy attack, could still result in a loss of funds."

What Happened

"Clober Dex learned this the hard way when their Liquidity Vault bled $500k in yet another reentrancy exploit."

Key Event Timeline - Clober DEX Unguarded Burn Function Reentrancy

| Date | Event | Description |
| --- | --- | --- |
| December 8th, 2024 5:22:00 AM MST | Kupia Security Audit Released | Kupia Security announces their completion of an audit on the Clober Dex smart contract. |
| December 10th, 2024 1:10:49 AM MST | Attack Transaction On Base | The attack transaction occurs on the Base blockchain. |
| December 10th, 2024 3:15:00 AM MST | Clober DEX Initial Tweet | Clober DEX posts an initial tweet about the incident which they "regret" to inform their community about. They offer the attacker a 20% bounty for returning the rest of the funds. |
| December 10th, 2024 3:39:00 AM MST | Limitations Of Breach Posted | "The security breach is limited to the Liquidity Vault on Base. We want to reassure our community that Clober Core remains unaffected, and Mitosis testnet users can continue to use the platform with confidence." |
| December 10th, 2024 3:46:00 AM MST | PeckShield Initial Tweet | PeckShield shares an initial tweet reposting the update from Clober DEX. |
| December 10th, 2024 4:21:00 AM MST | PeckShield Analysis Posted | PeckShield posts an analysis of the transaction and has traced the funds to 2 different addresses presently. |
| December 10th, 2024 5:17:00 AM MST | Support Ticket For Assistance | Clober DEX creates a post requesting that users contact them if they were affected. |
| December 10th, 2024 7:06:00 AM MST | Nick Franklin Analysis Posted | Nick Franklin posts an analysis breakdown of what happened behind the exploit. |

Technical Details

"According to the breakdown provided by Nick Franklin, the attacker's recipe was depressingly simple: find the unguarded _burn function, abuse its burnHook callback, and watch the ETH flow."

"Clober Liquidity Vault was exploited, root cause is reentrancy. "_burn" function calls "burnHook" function of pool.strategy contract, but it has no reentrancy check. Hacker deployed his own token contract and created pool with WETH and that token using "open" function, set pool.strategy to attack contract, now "_burn" function calls "burnHook" function of attack contract. In second "burn" function, withdrawal amount was much more because reserve value was not updated. Hacker drained all 133 WETH in vault. Keep in mind, developers, you need to finish state update before callback function. Also, don't forget reentrancy check."
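To make the ordering problem concrete, here is an added illustration in Solidity of a share-burn function written both ways. It is not Clober's code and is not taken from any of the analyses cited on this page. It assumes a simplified single-asset vault whose burn computes a pro-rata payout from a `reserve` and `totalSupply`, reduces the share supply, calls the strategy's `burnHook`, and only afterwards reduces `reserve`; that ordering is an assumption chosen to reproduce the symptom quoted above (a second burn paying out more because the reserve had not been updated), and the names `IBurnStrategy`, `IERC20Like`, `VaultBase`, `VulnerableVault` and `HardenedVault` are made up for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: a simplified vault, not Clober's Rebalancer. Names and the
// exact ordering of state updates are assumptions made for this example.

/// Strategy callback fired on burn (assumed signature).
interface IBurnStrategy {
    function burnHook(address sender, uint256 shares, uint256 amountOut) external;
}

/// The subset of ERC-20 the example needs.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Shared bookkeeping: one asset, one strategy, pro-rata LP shares.
abstract contract VaultBase {
    IERC20Like public immutable asset;        // e.g. WETH on Base in the incident
    IBurnStrategy public strategy;            // set by whoever opened the pool
    uint256 public reserve;                   // assets the vault *believes* it holds
    uint256 public totalSupply;               // LP shares outstanding
    mapping(address => uint256) public balanceOf;

    constructor(IERC20Like asset_, IBurnStrategy strategy_) {
        asset = asset_;
        strategy = strategy_;
    }

    /// Simplified deposit: 1 share per asset unit on first deposit, pro-rata after.
    function deposit(uint256 assets) external returns (uint256 shares) {
        require(assets > 0, "zero deposit");
        shares = totalSupply == 0 ? assets : assets * totalSupply / reserve;
        require(asset.transferFrom(msg.sender, address(this), assets), "transfer failed");
        balanceOf[msg.sender] += shares;
        totalSupply += shares;
        reserve += assets;
    }

    /// Pro-rata payout for `shares` using the *current* bookkeeping.
    function _amountOut(uint256 shares) internal view returns (uint256) {
        return shares * reserve / totalSupply;
    }
}

/// VULNERABLE ORDERING: share supply is reduced, then the strategy is called,
/// and only afterwards is `reserve` reduced. Nothing blocks re-entry.
contract VulnerableVault is VaultBase {
    constructor(IERC20Like a, IBurnStrategy s) VaultBase(a, s) {}

    function burn(uint256 shares) external returns (uint256 amountOut) {
        require(shares > 0 && balanceOf[msg.sender] >= shares, "bad shares");
        amountOut = _amountOut(shares);

        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;               // supply is now smaller ...

        // ... but `reserve` still holds the old value when control leaves the
        // contract. A strategy that calls burn() again from inside this hook is
        // priced as shares * (old reserve) / (reduced totalSupply): more than its
        // fair share, paid out of assets that belong to the other depositors.
        strategy.burnHook(msg.sender, shares, amountOut);

        reserve -= amountOut;                // effect applied after the interaction
        require(asset.transfer(msg.sender, amountOut), "transfer failed");
    }
}

/// HARDENED: checks, then all effects, then interactions, plus a reentrancy
/// guard so that a re-entered burn() reverts even if the ordering slips later.
contract HardenedVault is VaultBase {
    uint256 private _status = 1;             // 1 = not entered, 2 = entered

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IERC20Like a, IBurnStrategy s) VaultBase(a, s) {}

    function burn(uint256 shares) external nonReentrant returns (uint256 amountOut) {
        // Checks
        require(shares > 0 && balanceOf[msg.sender] >= shares, "bad shares");
        amountOut = _amountOut(shares);

        // Effects: bookkeeping is final before any external call.
        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;
        reserve -= amountOut;

        // Interactions: the callback and the transfer both observe consistent state.
        strategy.burnHook(msg.sender, shares, amountOut);
        require(asset.transfer(msg.sender, amountOut), "transfer failed");
    }
}
```

The two fixes in `HardenedVault` are independent and both are worth having: finishing every state update before the callback (checks-effects-interactions) removes the stale-reserve pricing, and the `nonReentrant` guard makes any re-entered `burn()` revert outright, which is the kind of safeguard Trust Security's comment above refers to as protecting the contract "despite any CEI violation that would later be introduced". When reviewing a contract that lets pool creators supply their own strategy, treat every call into that strategy as a call into untrusted code and check which storage variables are still unsettled at that point.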

Total Amount Lost

Amount of loss: $501,000 based on SlowMist.

The total amount lost has been estimated at $486,000 USD.

Immediate Reactions

"It seems today's @CloberDEX hack is due to a reentrancy issue from the burn() function. And it is further facilitated with the use of an evil strategy prepared by the hacker."

"We regret to inform our community that the Clober Liquidity Vault has been compromised in a security breach.

We want to reassure our users that the Clober protocol itself is unaffected, and all core functionalities continue to operate securely.

To the attacker: We are offering a security bounty of 20% of the stolen funds if the remaining assets are returned. Additionally, we assure you that no legal action will be taken if you comply.

Please return the funds to the following address: 0x83E66fBfB14758dA99462F389F54D4003DFB95b4

We are working with relevant parties to track and recover the assets. Thank you for your understanding and support during this challenging time."

"Clober DEX liquidity vault on Base Network was exploited resulting in a loss of 133.7 ETH (~$501k). The root cause of the attack was a reentrancy vulnerability in the _burn() function of the Rebalancer contract."

Ultimate Outcome

"The security breach is limited to the Liquidity Vault on Base. We want to reassure our community that Clober Core remains unaffected, and Mitosis testnet users can continue to use the platform with confidence."

"For anyone affected by the incident, please create a support ticket on our Discord channel for assistance."

Clober responded to Kupia Security by indicating that "[t]he issue [they] raised is NOT related to the reentrancy attack. The actual attack had nothing to do with the strategy being malicious. This response is extremely irresponsible and disappointing."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. @0xNickLFranklin Twitter (Accessed Dec 13, 2024)
  2. Base Transaction Hash (Txhash) Details | BaseScan (Accessed Dec 13, 2024)
  3. https://coinmarketcap.com/currencies/ethereum/historical-data/ (Accessed Dec 21, 2021)
  4. @peckshield Twitter (Accessed Dec 13, 2024)
  5. @CloberDEX Twitter (Accessed Dec 13, 2024)
  6. @CloberDEX Twitter (Accessed Dec 13, 2024)
  7. @trust__90 Twitter (Accessed Dec 13, 2024)
  8. Clober | Fully On-chain Order Book (Accessed Dec 13, 2024)
  9. Introduction | Clober (Accessed Dec 13, 2024)