Minterest Flash Loan Reentrancy Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository



Minterest Logo/Homepage

[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15]

About Minterest

"Yield Gets Real. Dollar for dollar Minterest delivers the highest long-term yields in DeFi." "Minterest captures more fees than any other lending protocol and redistributes them as rewards back to users who contribute to its governance with the highest long term yields."

"Made possible by DeFi’s first liquidation engine, Minterest is able to capture significantly more fees than any other protocol." "Using maximised fees, the protocol buys back its native MINTY token to distribute as rewards to users who contribute to governance. In return they receive the highest long term yields in DeFi." "Minterest sophisticated risk prediction engine supports borrowers in protecting their assets. With live alerts, the engine allows effective management of downside risk."

"Minterest is a decentralised lending protocol with a unique economic model. It captures more fees than any other lending protocol and redistributes them as rewards back to users who contribute to its governance with the highest long term yields."

"As a lending protocol, Minterest allows users to supply, or deposit tokens to its token markets in order to receive interest in return. Users who supply tokens to a token market are known as liquidity providers."

"Liquidity providers may also borrow tokens from any token market, but doing so requires collateral to be provided in the form of tokens supplied to token markets to secure the borrowed amount and the accrual of interest. Users earn Minterest's native governance token (MINTY) as emission rewards for supplying and borrowing token assets, which are known as Standard Rewards."

"Borrowers, when interacting with the protocol contribute fees from their token assets for functions undertaken on their behalf. Minterest captures 100% of the possible fee value contributed by its users; a unique approach to DeFi lending protocols with a purpose of creating a fairer financial experience for its users."

The Reality

"Though Minterest’s code had been reviewed and fully audited multiple times, the USDY token market addition specific to Mantle Network went live unaudited. To provide greater context, the token markets on Minterest are governed by the audited mToken contract, which directly oversees markets such as USDT, USDC, and mETH. However, certain token markets, like USDY, contain unique properties. For these markets, a new token contract is created, inheriting all traits from the parent mToken contract before adding new functionality. Unfortunately, our internal code review process failed to flag the flaw and requirement for a partial security audit."

What Happened

"According to Fuzzland co-founder Chaofan Shou, the cross-chain lending protocol Minterest was attacked. The attacker used a flash loan attack, resulting in a loss of approximately $1.4 million for the protocol."

Key Event Timeline - Minterest Flash Loan Reentrancy Exploit
Date | Event | Description
July 14th, 2024 7:24:26 AM MDT | Malicious Mantle Transaction | The malicious transaction occurs on the Mantle blockchain.
July 14th, 2024 10:31:00 AM MDT | Suspicious Liquidation Detected | "Unusual Liquidation Event noticed."
July 14th, 2024 10:51:00 AM MDT | Suspicious Activity Detected | "Initial detection of unusual activity by Sahan – our community manager – thanks to information by community member mist of an unusual liquidation, followed shortly by Hypernative Labs who reported the transaction as an exploit."
July 14th, 2024 11:32:00 AM MDT | Team Tweet Announcement | The Minterest team announces the exploit and that they have paused the supply and borrow functions of the protocol. The repay and withdraw functions remain active.
July 14th, 2024 12:59:11 PM MDT | Blockscan Chat Message | The Minterest team sends an on-chain message which is largely friendly to the hacker, assuming that they are a whitehat and offering a 10% bounty for the return of the remaining funds.
July 15th, 2024 1:51:00 AM MDT | Further Update Posted | The Minterest team posts an update outlining the amount taken and some additional information.
July 16th, 2024 4:50:35 AM MDT | Follow Up With Attacker | The Minterest team posts a follow up, again reiterating the 10% bounty they are offering.
July 17th, 2024 10:24:59 AM MDT | Further Attacker Follow Up | A further follow up is sent in which the 10% offer is reiterated; the team also states that a bounty will be made available if the offer is not taken by a deadline of July 18 at 15:00 UTC+0.
July 19th, 2024 3:12:00 AM MDT | Bounty Announcement | The bounty is announced in a tweet, offering 10% of the funds in exchange for information leading to the return of all the funds.
July 20th, 2024 8:41:00 AM MDT | KYC Linked Wallet Found | Satyam Singh (@Satyams246) reports finding evidence of the hacker withdrawing from Bybit two years prior.
July 22nd, 2024 3:07:00 AM MDT | More Detailed Information | The protocol releases more detailed information on the exploit and what happened.
July 31st, 2024 2:27:05 AM MDT | CEO Letter To Community | A letter is published by the CEO of the Minterest protocol to the community.

Technical Details

"The wallet address was initially funded by Tornado Cash, a mixer, and then used by both Stargate and Squid Router for cross chain transfers to Ethereum Mainnet."

"The attacker exploited the $mUSDY market using a flashLoan and lendRUSDY via a reentrancy attack.

This manipulation allowed them to withdraw more tokens than they should have.

This was done repeatedly, exploiting the market for $1.7M USD."

"In the flashLoan function, funds are transferred to the caller, then the caller’s callback is executed, followed by a transfer of funds back with a fee. These token transfers change the market’s cash balance, which affects the exchange rate. In the callback function, the attacker converted USDY tokens to mUSD and lent them with lendRUSDY.

Because this loan was done between two token transfers inside a flash loan, a lower exchange rate was calculated, and the attacker received more mTokens than they should have. After that, they withdrew all of the underlying tokens.

During the withdrawal action, Minterest burns the amount of mTokens based on the correct exchange rate, thus the attacker withdrew his position but still had a number of unsecured mTokens.

After repeating the operation above in a loop 25 times, they reached the equivalent of $1.7M USD in the USDY market and used it to borrow the maximum possible amount from both the WETH and mETH markets."
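The exchange-rate mechanics the post-mortem describes, modelled as an added example. This is toy Python written for this page, not Minterest's Solidity: it assumes a Compound-style market whose mTokens are priced at cash / totalSupply (borrows and reserves set to zero), a flash loan that moves cash out before running the borrower callback, and made-up balances. The Market, attack_round, drain and attack_blocked names and the two mitigations (counting in-flight principal in the exchange rate, and refusing mint/redeem while a loan is open) are illustrative assumptions.

```python
"""Toy model of the flash-loan / exchange-rate flaw described above.

Constructed illustration, NOT Minterest code.  A Compound-style market prices
its mTokens at (cash + borrows - reserves) / totalSupply.  If the flash loan
transfers cash out *before* running the borrower's callback, the rate reads low
during the callback, so a supply performed there (the lendRUSDY analogue) is
credited with too many mTokens.  Borrows/reserves are 0 here; numbers are toys.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict

SCALE = 10**18   # fixed-point scale for the exchange rate
UNIT = 10**18    # one whole token


class MarketError(Exception):
    """On chain this would be a revert of the whole transaction."""


@dataclass
class Market:
    cash: int                                  # underlying held by the contract
    total_supply: int                          # mTokens outstanding
    balances: Dict[str, int] = field(default_factory=dict)
    count_in_flight: bool = False              # mitigation 1: loaned-out cash still counts
    block_reentry: bool = False                # mitigation 2: no mint/redeem during a loan
    in_flight: int = 0                         # flash-loan principal currently outside

    def exchange_rate(self) -> int:
        """Underlying per mToken, scaled by SCALE."""
        if self.total_supply == 0:
            return SCALE
        cash = self.cash + (self.in_flight if self.count_in_flight else 0)
        return cash * SCALE // self.total_supply

    def _check_reentry(self, op: str) -> None:
        if self.block_reentry and self.in_flight:
            raise MarketError(f"{op} while a flash loan is outstanding")

    def mint(self, user: str, amount: int) -> int:
        """Supply `amount` underlying; mTokens are priced at the *current* rate."""
        self._check_reentry("mint")
        minted = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += minted
        self.balances[user] = self.balances.get(user, 0) + minted
        return minted

    def redeem_underlying(self, user: str, amount: int) -> int:
        """Withdraw `amount` underlying, burning mTokens at the current rate (rounded up)."""
        self._check_reentry("redeem")
        burned = -(-amount * SCALE // self.exchange_rate())
        if burned > self.balances.get(user, 0) or amount > self.cash:
            raise MarketError("insufficient mTokens or cash")
        self.balances[user] -= burned
        self.total_supply -= burned
        self.cash -= amount
        return burned

    def flash_loan(self, amount: int, callback: Callable[["Market", int], object]) -> None:
        """Transfer out, run the callback, transfer back: the ordering in the post-mortem."""
        if amount > self.cash:
            raise MarketError("insufficient cash for flash loan")
        self.cash -= amount            # cash leaves: exchange_rate() now reads low ...
        self.in_flight = amount
        callback(self, amount)         # ... the borrower re-enters the market here ...
        self.in_flight = 0
        self.cash += amount            # ... and principal returns (fee omitted in the toy)

    def value_of(self, user: str) -> int:
        """Underlying the user's mTokens are currently worth."""
        return self.balances.get(user, 0) * self.exchange_rate() // SCALE


def attack_round(market: Market, attacker: str, loan: int, deposit: int) -> int:
    """Flash-borrow `loan` only to depress the rate, supply `deposit` of the attacker's own
    tokens inside the callback, then withdraw `deposit` once the rate is correct again.
    Returns the mTokens the attacker keeps with no underlying standing behind them."""
    before = market.balances.get(attacker, 0)
    market.flash_loan(loan, lambda m, _: m.mint(attacker, deposit))
    market.redeem_underlying(attacker, deposit)
    return market.balances.get(attacker, 0) - before


def drain(market: Market, attacker: str, loan: int, deposit: int, rounds: int) -> int:
    """Repeat the round (the post-mortem reports 25 iterations); total unsecured mTokens."""
    return sum(attack_round(market, attacker, loan, deposit) for _ in range(rounds))


def attack_blocked(market: Market, attacker: str, loan: int, deposit: int) -> bool:
    """True if the market rejects the round, i.e. the transaction would revert on chain."""
    try:
        attack_round(market, attacker, loan, deposit)
        return False
    except MarketError:
        return True


if __name__ == "__main__":
    m = Market(cash=1000 * UNIT, total_supply=1000 * UNIT, balances={"lp": 1000 * UNIT})
    print("lp value before:", m.value_of("lp") // UNIT)
    print("attacker unsecured mTokens:", drain(m, "attacker", 500 * UNIT, 500 * UNIT, 3) // UNIT)
    print("lp value after:", m.value_of("lp") // UNIT)
```

With 1000 underlying and 1000 mTokens in the market, a 500 flash loan halves the rate during the callback, so the attacker's 500 deposit is credited with 1000 mTokens; withdrawing the 500 afterwards at the restored rate of 0.75 burns only about 667, leaving roughly 333 mTokens backed by nothing, which is collateral that can then be borrowed against in other markets. Each further round dilutes the honest supplier more. The count_in_flight flag keeps the loaned principal in the rate so the mint is priced correctly; block_reentry refuses any mint or redeem while the loan is open, which is the cheaper check to audit.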

Total Amount Lost

"$1.4M has been stolen by a hacker in tokens mETH + WETH"

The total amount lost has been estimated at $1,400,000 USD.

Immediate Reactions

"We are currently investigating an exploit on Minterest. As a precautionary measure, we have temporarily paused some operations on the Minterest App: Paused: Supply & Borrow Active: Repay & Withdraw"

"No further actions can be taken by the exploiter at this time. We are working diligently to resolve this issue, and full operations will resume shortly."

Ultimate Outcome

"A bounty is placed on @ArkhamIntel while we work with forensics teams & law enforcement options to recover the funds."

"Our efforts to address the theft have involved extensive collaboration with forensics experts, centralised exchange partners, and bounty hunters. Although the hacker has not communicated or shown any intention to cooperate, we are committed to pursuing all avenues for recovery. We anticipate a prolonged process but remain steadfast in our efforts."

"In response to the breach, and after considering numerous options and community suggestions, we have developed the following remediation plan to restore Minterest to a stable operational status:

1. 15% Haircut for WETH & mETH: To account for the stolen funds, an approximately 15% haircut will be applied to WETH and mETH supplies. For example, if the WETH supply displayed on your Minterest Dashboard is 1 WETH, your updated balance will be approximately 0.85 WETH.

2. $MINTY Compensation: Users affected by the theft will receive $MINTY tokens equal to their share of the $1.4M stolen. These tokens will be valued at a 25% discount to the listing price (to be determined). 20% of the tokens will be unlocked at the Token Generation Event (TGE), with the remaining 80% vesting linearly over 6 months.

For example, if you lost $3,000, you will receive $MINTY tokens worth $4,000 at the listing price:

Compensation = Loss / (1 - Discount) = $3,000 / (1 - 0.25) = $4,000

Of these, $800 (20%) will be unlocked at TGE, with the rest vesting over 6 months.

This is the fastest vesting schedule among all current Minterest tokenomics buckets.

3. Yield Farming Boost: To aid recovery for those affected, WETH and mETH suppliers with a pre-exploit supply greater than $50 will receive a 40% boost in MNT and MINTY emissions for three months following the reopening. This boost is equivalent to a Level 3 NFT Boost and will override any lower percentage boosts.

4. Recovered Funds: Any funds recovered will be distributed proportionally to affected users in addition to the $MINTY compensation."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.



Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. SlowMist Hacked - SlowMist Zone (Accessed Jul 17, 2024)
  2. @Minterest Twitter (Accessed Aug 27, 2024)
  3. Mantle Transaction Hash (Txhash) Details | Mantle (Accessed Aug 27, 2024)
  4. @Minterest Twitter (Accessed Aug 27, 2024)
  5. https://etherscan.io/idm?addresses=0x0820c2782474288bb39ba3a6e4918283d158c1a5,0x618f768af6291705eb13e0b2e96600b3851911d1&type=1 (Accessed Aug 27, 2024)
  6. @Minterest Twitter (Accessed Aug 27, 2024)
  7. @Minterest Twitter (Accessed Aug 27, 2024)
  8. @Satyams246 Twitter (Accessed Aug 27, 2024)
  9. @Minterest Twitter (Accessed Aug 27, 2024)
  10. Minterest Remediation Plan: Next Steps for Recovery (Accessed Aug 27, 2024)
  11. @Minterest Twitter (Accessed Aug 27, 2024)
  12. @Minterest Twitter (Accessed Aug 27, 2024)
  13. CEO’s Letter to the Community - Minterest (Accessed Aug 27, 2024)
  14. Minterest Security Incident Post-Mortem Report (Accessed Aug 27, 2024)
  15. @Minterest Twitter (Accessed Aug 27, 2024)