Defi Plaza Integer Overflow
Defi Plaza was a complex exchange platform focused on optimization to reduce gas fees. To facilitate faster exchanges, all the funds were stored in a smart contract hot wallet.
The hot wallet was breached due to an integer overflow which was possible when a balance was 0. This was used multiple times to extract funds.
The team has not made an announcement in over a month, but there is some indication that an announcement is forthcoming.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11]
About Defi Plaza
"DeFi Plaza is a low cost exchange which offers best in class swapping costs for 120 pairs of the most traded DeFi tokens. A highly integrated design enables the lowest gas costs in the industry combined with low swapping fees of 0.1% for all 120 trading pairs. Fundamentally improved capital efficiency enables high trading volume per unit of liquidity resulting in a competitive offering to liquidity providers despite the low transaction fees."
"Governance decisions on which tokens to list, which exchanges to launch, which fee structures to apply and so forth are made by the DAO. The token governing the DAO voting rights is distributed via a liquidity rewards program running over one year on the main exchange. The distribution follows a quadratic function to favor early adopters who take on more risk."
"Since the meteoric rise of DeFi last year we have many options to exchange tokens using several decentralised exchanges built straight onto the block chain. They work great and have been a massive boon to the fledgling DeFi industry. UniSwap could even be called the spider in the DeFi web. All is not well however, and the issue I wish to address here is that DeFi is basically becoming too expensive to use for the general public. The native Ethereum token ETH has risen tremendously in price and on top of that the gas price on the network has risen due to congestion. Moreover, the fees that most DEXs charge is in the order of 0.3% of the trade value which is just quite expensive. These high trading costs have become such a problem it’s starting to damage the growth of the DeFi ecosystem. Thus, I believe there is space in the market for an Ethereum based exchange that competes on cost. That is to say, an exchange which allows users to swap tokens at lower gas fees and lower exchange fees. To put it simply: I believe the DeFi community wants and deserves a lean, mean swapping machine."
"So why don’t we just build a DEX that has low fees? Sure, the customers who do swaps and the arbitrageurs would welcome such an exchange, but how can we convince the liquidity providers (LPs) to commit their capital to provide liquidity if the fees (which provide their revenue) are drastically reduced? There is only one answer that makes sense: by having the exchange turn over significantly higher volume per unit of liquidity. This is the objective of DeFi Plaza; To provide an exchange which offers such favourable conditions to its user base that it will generate more than enough volume to compensate the LPs for the lower level of fees."
"DeFi Plaza is our very best effort to build a low cost exchange. However, with Solidity there are many pitfalls and it is easy to make a mistake. It is entirely possible that there are mistakes in the code which could require migration to a new version or in more severe cases cause partial or complete loss of funds. The code has not been audited. The use of DeFi Plaza is at your own risk."
"DeFi Plaza, nor its team members, assume any responsibility for errors or omissions in the contents of the application. In no event shall DeFi Plaza or its team members be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the smart contracts or the contents of the website."
"On July 11, 2021 DeFi Plaza suffered from an integer overflow vulnerability which was exploited to steal $1.1M worth of liquidity." "At block number 12804721 (Sun Jul-11-2021 07:41:36), a withdrawal transaction is included that extracts the entire balance of eXRD from the exchange." "This missing token put the exchange in a bad state, with a severe imbalance which could be exploited through further arbitrage. Twenty-two minutes later (Jul-11-2021 08:03:16) the first imbalanced swap transaction happens, followed by many more (as well as 14 more explicit abuses of the withdrawal bug) until all liquidity is removed from the DEX."
"Defi Plaza was subject of a code exploit. We are suspending operations until further notice. Remaining liquidity can still be withdrawn. Further announcements to follow."
"The removeLiquidity function suffers an uncaught numeric overflow at line 305 if the input parameter LPamount is equal to zero. The zero input edge case was missed in testing. F_ is assumed to be a 0.64 bit number but for input zero it becomes a 1.64 bit number causing the overflow."
"The initial zero-liquidity withdrawal was made by accident. This was not an attack. The first person to actually exploit the imbalanced DEX was a community member who had a stake of $1295 in the exchange. They didn’t flag the issue with the team, extracted $450k and then shared the issue with other exploiters. Another 13 wallets from outside of the community joined in shortly after to collectively extract another $719k. In the meantime the community had detected something was wrong and scrambled to recover as much liquidity as possible, collectively recovering $247k. To date (7/18/21) $605k in exploited funds have been returned to the community voluntarily. A total of $646k remains in the hands of exploit profiteers."
"An audit was scheduled, which would have certainly uncovered this item. Unfortunately, this issue manifested in reality before the audit could flag it. In a sense, we still got lucky. The trigger was accidental. Most funds were taken by opportunists, which gives a much better chance of identifying the actors and recovering the funds. Had a sophisticated attacker found this leak, they could’ve taken all DEX liquidity before we could’ve done anything at all. An emergency exchange lock was included which stops liquidity add/swaps, but not withdrawals. This is on purpose since any contract which can freeze user funds is not truly trustless. But in this case, the lock failed to fully protect funds as there was a weakness in the withdraw function itself."
"“We test in prod” sounds fun and exciting until it kicks you in the nuts. I will never launch code aimed at handling significant funds without an audit again. The exchange lock could only be triggered from a hardware wallet, which introduced a 25 min delay to activate it as by pure coincidence I was away from home at the time the issue was flagged. In v2 we’ll include mobile wallets for protective locking such that it can be locked from anywhere, by multiple people. Having an automatic exchange lock based on certain trigger conditions is also another thing I’m considering doing, to be discussed with the community. The risk of periodic ‘nuisance locking’ should be well balanced with the risk of liquidity drain."
"The key USP for DefiPlaza is efficiency. A significant part of that is gas efficiency. However, maybe I’ve gone too far with that in v1. Overflow checks could be put in place for all computations which would have prevented this edge case from causing any damage even if uncaught during testing. I’ll be engaging the community shortly to get your input on several key design elements for v2 as well as gather general suggestions from the community. Overall, the community has shown great resilience in dealing with this challenge. It’s been a very painful incident for all of us, but I believe we’re growing stronger as a result of having to go through this. You have my deepest gratitude for your continued support."
The Twitter account and website were updated after the breach. "I'm gutted. Someone found an exploit in the code and drained a lot of liquidity from the exchange." "Defi Plaza was subject of a code exploit. We are suspending operations until further notice. Remaining liquidity can still be withdrawn. Further announcements to follow." There have been no further announcements.
What Happened
On July 11, 2021, a removeLiquidity call with an LPamount of zero, made by accident, triggered the unchecked overflow and withdrew the exchange's entire eXRD balance at block 12804721. The resulting imbalance was then exploited through arbitrage swaps and 14 further uses of the withdrawal bug until all liquidity had been removed from the DEX.
| Date | Event | Description |
|---|---|---|
| July 11th, 2021 | Main Event | An accidental zero-amount liquidity withdrawal overflowed and removed all eXRD from the exchange; starting 22 minutes later, imbalanced swaps and repeated use of the bug drained roughly $1.1M in liquidity. |
Technical Details
The removeLiquidity function of the exchange contract performed an unchecked arithmetic step (line 305, per the team's post-mortem). The factor F_ was assumed to be a 0.64-bit fixed-point number, but when the LPamount input was zero it became a 1.64-bit number and the computation overflowed. Because the withdrawal path carried no overflow checks, a zero-amount call withdrew the whole eXRD balance rather than nothing. The zero-input edge case had not been covered in testing, and the contract had not been audited.
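As an added illustration, not DeFi Plaza's actual contract code, the following Python model reproduces the class of bug the post-mortem describes: a 0.64 fixed-point "remaining share" factor that becomes a 1.64-bit number for a zero input and, once truncated to 64 bits, reads as zero, so the unchecked path pays out the entire balance. The fixed-point layout, function names and pool figures are assumptions; the hardened variant shows the two checks that close the edge case.

```python
# Simplified model of a zero-input overflow in a liquidity withdrawal.
# Assumption (not DeFi Plaza's code): the remaining-share factor F is a
# 0.64 fixed-point number (64 fractional bits, no integer bits) stored in
# a 64-bit slot, as an EVM contract might do to save gas.

MASK64 = (1 << 64) - 1   # largest value a 0.64 fixed-point slot can hold
ONE_0_64 = 1 << 64       # 1.0 in 0.64 notation needs a 65th bit: a "1.64" number


def remaining_factor(lp_amount: int, lp_total: int) -> int:
    """Share of the pool left after burning lp_amount LP tokens, as 0.64 fixed point."""
    if lp_total <= 0 or not 0 <= lp_amount <= lp_total:
        raise ValueError("lp_amount must lie in [0, lp_total] and lp_total must be > 0")
    return ONE_0_64 - (lp_amount * ONE_0_64) // lp_total


def withdraw_unchecked(balance: int, lp_amount: int, lp_total: int) -> int:
    """Vulnerable model: F is silently truncated to 64 bits.

    For lp_amount == 0, F == 2**64 (65 bits wide); masking it to 64 bits
    yields 0, i.e. "nothing remains", so the whole balance is paid out.
    """
    f = remaining_factor(lp_amount, lp_total) & MASK64
    remaining = (balance * f) >> 64
    return balance - remaining


def withdraw_checked(balance: int, lp_amount: int, lp_total: int) -> int:
    """Hardened model: reject the zero-burn input and any F that does not fit 0.64."""
    if lp_amount == 0:
        raise ValueError("zero LP amount: nothing to withdraw")
    f = remaining_factor(lp_amount, lp_total)
    if f > MASK64:
        raise OverflowError("remaining factor does not fit in 0.64 fixed point")
    remaining = (balance * f) >> 64
    return balance - remaining


if __name__ == "__main__":
    POOL_BALANCE, LP_TOTAL = 1_000_000, 10_000   # constructed sample pool state
    print(withdraw_unchecked(POOL_BALANCE, 2_500, LP_TOTAL))  # 250000: a normal 25% burn
    print(withdraw_unchecked(POOL_BALANCE, 0, LP_TOTAL))      # 1000000: zero burn drains the pool
    print(remaining_factor(0, LP_TOTAL).bit_length())         # 65: the "1.64 bit" value
```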
Total Amount Lost
The total amount lost has been estimated at $1,100,000 USD.
The team's post-mortem puts the loss at $1.1M of liquidity: the first exploiter, a community member, extracted $450k and 13 further wallets from outside the community collectively extracted another $719k.
Immediate Reactions
The team suspended operations and announced the exploit on Twitter and the website. The emergency exchange lock, which stops liquidity additions and swaps but deliberately not withdrawals, could only be triggered from a hardware wallet and took about 25 minutes to activate; it did not stop the drain because the weakness was in the withdraw function itself. Community members meanwhile scrambled to recover liquidity, collectively recovering $247k.
Ultimate Outcome
As of the team's July 18, 2021 post-mortem, $605k of the exploited funds had been returned voluntarily and $646k remained in the hands of exploit profiteers. The sources cited here do not report any investigation, prosecution, lawsuit or tracing effort.
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
This contrasts with the team's post-mortem of July 18, 2021, which reports $247k recovered by the community during the incident and $605k of exploited funds returned voluntarily, leaving $646k outstanding.
Ongoing Developments
No further announcements had been made beyond the suspension of operations. For v2 the team said it would give multiple people mobile-wallet access to the protective lock, consider an automatic lock based on trigger conditions, and put overflow checks on all computations.
General Prevention Policies
Placing the majority of funds in a cold multi-sig wallet would have prevented their theft; funds could then be moved out of cold storage as needed for additional liquidity.
The risk of a smart contract hot wallet can be reduced by a security audit, and white hat hackers may help secure the protocol through a bug bounty program; however, it is not possible to prove that a complex smart contract is completely secure.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ No Title (Jul 24, 2021)
- ↑ @BeTheb0x Twitter (Jul 24, 2021)
- ↑ Defi Plaza liquidity loss.pdf - Google Drive (Jul 24, 2021)
- ↑ blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Aug 11, 2021)
- ↑ DeFi Plaza (Aug 22, 2021)
- ↑ DeFi Plaza | DappRadar (Aug 22, 2021)
- ↑ Defi Plaza A Low Cost Dex For Ethereum (Aug 22, 2021)
- ↑ @DefiPlaza Twitter (Aug 28, 2021)
- ↑ @DefiPlaza Twitter (Aug 28, 2021)
- ↑ Integer Overflow in Ethereum (May 7, 2022)