Zapper Arbitrary Payload Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 12:27, 27 January 2023 by Azoundria


Zapper

Zapper Finance offers a homepage for crypto traders to manage their portfolio from a central location. As part of this service, they grant Zapper the ability to pull funds out of their wallets.

A vulnerability was found where an attacker could use these same functions to steal funds of users. However, due to the responsible disclosure, the issue was fixed without loss being suffered by users.

This is a global/international case not involving a specific country.

About Zapper

"Your homepage to DeFi" "Track all your DeFi portfolio from one place. Invest into the latest opportunities in open finance."

"Zapper.fi is an interesting platform that lets you quickly and easily deploy and manage your DeFi positions within a single interface. With all the complexities involved with multiple yield farming positions, wouldn’t it be nice to manage your portfolio in one dashboard? That’s what Zapper.fi does. It is a DeFi portfolio management dashboard that helps you stay on top of your portfolio, liquidity pools, and liquidity mining positions."

"Zapper is a fintech platform that manages all DeFi assets from one simple interface. It levels the playing field for decentralized finance (DeFi) newcomers and the most advanced investors by providing shortcuts (Zaps) to enter DeFi lending, automated yield farming, and liquidity provisions." "Montréal, Quebec, Canada" "In 2019 [a] project called DeFiZap emerged victorious from the Kyber DeFi Virtual hackathon. DeFiZap provided one-of-a-kind DeFi onramps which softened the blow of things such as impermanent loss. DeFiZap was also one of the top grant recipients of Gitcoin Grants Round 4." "DeFiSnap was a dashboard for tracking DeFi positions. It is similar to DeFiZap in that it emerged as one of the top grant recipients of Gitcoin Grants Round 5. DeFiSnap was known for its numerous DeFi integrations. So, while it was great for tracking outstanding positions, DeFiSnap didn’t allow users to deploy capital." "In May of 2020 DeFiSnap and DeFiZap merged to create Zapper.fi. This platform combined the best of both protocols to make DeFi as accessible as possible."

"Zapper.fi is built on two actions “Zapping In” and “Zapping Out.” This just means you can enter and exit DeFi positions directly through the Zapper dashboard." "With Zapper you can invest in hundreds of DeFi strategies, saving time, effort, and gas fees along the way. You can work with the top DeFi protocols such as Balancer, Curve, Uniswap, and yearn.finance without having to visit each website."

"For instance, if you wanted to take a position in Uniswap’s ETH-DAI pool, you would have to swap for 50% ETH and 50% DAI to get into that pool. But, that would exact time costs as well as the gas costs for at least a few transactions. With Zapper.fi, you can do this in one click. So, after you’ve confirmed your trade, you’re considered to be “zapped in” to the Uniswap ETH-DAI pool."

“Everything is fragmented, it’s on a bunch of different apps living, different websites and web apps and our goal is really to reduce the friction and just have this one portal where you can track all your assets and manage and swap and farm,” Audet said.

"Whitehat Lucash-dev, a recipient of the Whitehat Scholarship at Immunefi, found a critical vulnerability in Zapper on June 9 that would have allowed a malicious user to steal LP tokens on an ongoing basis through injecting arbitrary call data."

"The Zapper team was notified of a vulnerability in our Sushiswap and Uniswap V2 Zap out contracts. This vulnerability could have allowed an attacker to transfer liquidity pool tokens (LP) from a user’s account into these contracts via malicious calldata inside the permit function. This was only possible if a user had previously granted approval for these contracts to interact with their LP and the user had an LP balance. As most users Zap out their entire balance, the attack surface for this vulnerability was limited. In addition, we have been unable to find a single instance in which this vulnerability was exploited."

"Zapper has a set of contracts that help users get positions (aka, “zap in”) in Uniswap and Sushiswap liquidity pools (LP) and another set of contracts that help them withdraw the liquidity (aka “zap out”) from the pools. To perform that task, the contracts must be approved by users to perform transfers of LP tokens on their behalf. The “Zap out” contracts (both Uniswap and Sushiswap) had a functionality (functions ZapOutWithPermit and ZapOut2PairTokenWithPermit) that allowed users to specify an arbitrary call to any liquidity pool, with arbitrary data, in order to obtain the permission to transfer funds from the user."

"Since there was no validation of the data provided by the user for the call, an attacker could pass the function the ABI-encoded data to call “transferFrom” and force the contract to transfer all LP tokens from any victim to the attacker. The end result is stealing LP tokens from the victim’s balance. The only requirement would be that the victim had previously approved the Zapper contract. Because users are expected to approve the contract, anyone submitting transactions to “Zap Out” would be a potential victim."

"Zapper patched [the] critical vulnerability after it was responsibly disclosed by Lucash-dev using Immunefi platform." "[T]he Zapper team paused the contract and issued a bug fix within 24 hours. The fix blocked the previously vulnerable function from accepting arbitrary calldata. According to Zapper’s postmortem, in the future, parameters for the permit call will be computed on-chain." "After Immunefi’s disclosure of the bug, Zapper paused its contracts using the toggleContractActive() function, which prevents the vulnerable function from being called and then issued a fix within 24 hours. Zapper is paying Lucash-dev a bounty of $25,000 for his find."

"After being notified by the Immunefi team, we immediately paused the affected contracts, thus preventing this vulnerability from being exploited. Within 24 hours, a bug fix was issued and deployed which addressed the vulnerability in the permit function. The permit function is intended to allow Zapper to broadcast token approvals on behalf of users if the function receives a cryptographically signed message from a user in addition to the calldata required to execute the approval. The bugfix will prevent this vulnerability from resurfacing in the future as calldata is no longer accepted in this function. Moving forward, all parameters required for the permit call will be computed on-chain, removing the need to accept calldata for this functionality."

"As no funds were affected, no action is required by users following this disclosure."
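The vulnerable shape and the fix described in the quoted postmortems, as an added illustration written for this page (not Zapper's actual contracts): the first contract forwards caller-supplied calldata to a caller-chosen pool, so anything the pool exposes is reachable with the contract's user approvals behind it; the second accepts only typed permit arguments and composes the call on-chain. Contract and function names here are assumptions; the IUniswapV2Pair signatures match the real Uniswap V2 pair ABI.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal Uniswap V2 pair interface; these two signatures match the real pair ABI.
interface IUniswapV2Pair {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function transferFrom(address from, address to, uint256 value) external returns (bool);
}

// VULNERABLE PATTERN (hypothetical sketch, not Zapper's code). Users approve this
// contract to move their LP tokens; the caller chooses both the pool and the raw
// calldata of the "permit" call, so any function the pool exposes is reachable
// with this contract as msg.sender, i.e. with every user's approval behind it.
contract ZapOutVulnerable {
    function zapOutWithPermit(address pair, bytes calldata permitData, uint256 amount)
        external
    {
        // Unvalidated external call with caller-controlled data: this is the bug.
        (bool ok, ) = pair.call(permitData);
        require(ok, "permit call failed");
        // Intended path: pull the caller's own LP tokens now that permit approved us.
        IUniswapV2Pair(pair).transferFrom(msg.sender, address(this), amount);
        // ... remove liquidity and return the underlying tokens to msg.sender ...
    }
}

// HARDENED PATTERN (sketch of the shape the postmortem describes): only typed
// permit arguments are accepted and the call is composed on-chain, so the target
// function is fixed to permit() and the owner is fixed to msg.sender.
contract ZapOutFixed {
    function zapOutWithPermit(address pair, uint256 amount, uint256 deadline,
                              uint8 v, bytes32 r, bytes32 s) external
    {
        // Owner and spender are not caller-selectable; no other pool function can
        // be reached through this entry point.
        IUniswapV2Pair(pair).permit(msg.sender, address(this), amount, deadline, v, r, s);
        IUniswapV2Pair(pair).transferFrom(msg.sender, address(this), amount);
        // ... remove liquidity and return the underlying tokens to msg.sender ...
    }
}
```

A review check that would have caught the first shape: any `.call(` whose data argument is an external parameter, in a contract that holds token approvals, needs a justification or a fixed ABI.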




What Happened

On June 9, 2021, whitehat Lucash-dev, working through Immunefi, found that the permit path of Zapper's Sushiswap and Uniswap V2 Zap Out contracts (the ZapOutWithPermit and ZapOut2PairTokenWithPermit functions) forwarded caller-supplied calldata to a caller-chosen liquidity pool without validation. Because users approve those contracts to move their LP tokens, an attacker could have supplied ABI-encoded transferFrom data and had the contract move any approving user's remaining LP balance. Zapper paused the contracts and deployed a fix within 24 hours; no instance of exploitation was found.

Key Event Timeline - Zapper Arbitrary Payload Exploit

Date | Event | Description
June 9th, 2021 12:00:00 AM | Main Event | Whitehat Lucash-dev reports the arbitrary-calldata vulnerability in Zapper's Sushiswap and Uniswap V2 Zap Out contracts through Immunefi; Zapper pauses the contracts and deploys a fix within 24 hours, with no user funds lost.

Total Amount Lost

The total amount lost has been estimated at $0 USD.

No funds were lost. Zapper stated that it was unable to find a single instance in which the vulnerability was exploited, and the issue was fixed before any attacker used it.

Immediate Reactions

After being notified through Immunefi, Zapper immediately paused the affected contracts using the toggleContractActive() function, which prevented the vulnerable function from being called, and deployed a bug fix within 24 hours that stopped the permit function from accepting calldata. Zapper then published a postmortem and a disclosure notice.

Ultimate Outcome

The vulnerability was fixed before any loss occurred, and Zapper paid Lucash-dev a bug bounty of $25,000 through Immunefi. Zapper stated that no action was required by users.

Total Amount Recovered

The total amount recovered has been estimated at $0 USD.

No funds needed to be recovered or reimbursed, as no user funds were lost.

Ongoing Developments

Zapper stated that, going forward, all parameters required for the permit call will be computed on-chain, so the function no longer needs to accept calldata.

Prevention Policies

By granting Zapper's contracts approval to transfer their LP tokens, participating users effectively turn their wallets into hot wallets exposed to any bug in those contracts. Users can limit their exposure by not leaving an LP balance behind once an approval is outstanding, which Zapper indicated is what most users already do by zapping out their entire balance.

In this case, no losses occurred because of responsible disclosure. Bug bounties and security audits are an excellent way to reduce risk; however, they are not foolproof.
