ODOS Protocol Audited Executor Validation Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


Odos Protocol Log/Homepage

On January 23, 2025, a vulnerability in Odos Protocol’s OdosLimitOrderRouter contract was exploited, resulting in the theft of around $50,000 on Ethereum and Base. The attacker exploited an arbitrary call vulnerability, where unverified user input was combined with a pre-compiled 0x4 Identity contract to bypass the signature validation mechanism and steal tokens. The incident emphasizes the need for thorough security audits, not just for initial versions, but for any new features added to prevent similar vulnerabilities in the future. No user funds were lost. All funds lost were platform profits.[1][2][3][4][5][6][7][8]

About Odos Protocol

Odos Protocol is a decentralized finance (DeFi) platform designed to optimize trading by providing smarter, more efficient solutions. It offers seamless token swaps, flexible strategies like limit orders, and advanced customization options for traders. Odos uses sophisticated routing algorithms to maximize token output by sourcing liquidity from hundreds of sources, minimizing fees, and offering better rates. It supports a wide range of tokens, including blue-chip and niche assets, and simplifies complex processes like market arbitrage and multi-token transactions. Odos also provides powerful APIs for developers to integrate advanced token swaps and liquidity aggregation into their platforms.

Odos Protocol uses a proprietary Smart Order Routing (SOR) algorithm to aggregate decentralized exchanges (DEX) and find optimal routes for cryptocurrency token swaps. As the number of DEXs and liquidity sources grows, Odos efficiently navigates complex, non-linear paths to deliver the best exchange rates across multiple blockchains. Unique to Odos is its multi-token input feature, which allows users to swap multiple tokens in a single transaction. The platform is developed by Semiotic Labs, a team focused on AI, cryptography, and Web3 optimization, with expertise in The Graph protocol and autonomous decision-making technologies.

The Reality

There was insufficient validation of user inputs and inadequate handling of external contract calls, especially with pre-compiled contracts and complex contract functionalities like ERC-6492.

New features added to the Odos Protocol smart contract were not properly audited.

What Happened

On January 23, 2025, a vulnerability in Odos Protocol's Limit Order Contracts was exploited, allowing an attacker to steal approximately $50,000 by bypassing signature checks using a pre-compiled contract.

Key Event Timeline - ODOS Protocol Audited Executor Validation Vulnerability

Date | Event | Description
January 23rd, 2025 9:55:49 AM MST | Malicious Base Transaction | The malicious transaction occurs on the Base blockchain.
January 23rd, 2025 10:54:00 PM MST | Odos Protocol Tweet Update | Odos Protocol posts a tweet to inform the community that all user funds are safe following a recent security incident involving their Limit Order contracts. The exploit, which targeted a vulnerability in their audited executor contract, did not compromise any user funds but accessed revenue stored within the contract. The team has resolved the issue by working with auditing partners to update and deploy new contracts and routers. Odos Protocol reassures users that no action is needed from them and emphasizes their commitment to transparency, security, and user protection.

Technical Details

The attack was made possible by an arbitrary call vulnerability caused by insufficient input validation in the contract's logic. This allowed the attacker to bypass the signature verification mechanism and execute transactions the contract should have rejected. The attacker deployed a malicious contract and used it to drive the vulnerable Odos contract, draining funds held by Odos' contracts.

The root cause of the exploit was insufficient validation of user inputs, improper handling of contract functionalities, and an unchecked use of precompile contracts. To prevent such exploits, it was recommended that Odos implement better input validation, enhance signature verification, and introduce reentrancy guards to limit interactions with external contracts. Post-attack, Odos took swift action to address the issue. QuillAudits, a renowned audit firm, emphasized the importance of rigorous security audits to prevent such vulnerabilities and safeguard projects in the Web3 space.

The attack was caused by an arbitrary call vulnerability in which unverified user input was combined with the pre-compiled 0x4 Identity contract to bypass the signature check. Because the contract's signature validation could be satisfied by a call to this precompile, the attacker was able to execute malicious transactions without triggering the usual security checks and steal tokens.

Total Amount Lost

Losses were estimated by SlowMist at $100,000.

According to QuillAudits, a "series of coordinated attacks resulted in a cumulative loss of approximately $50,000."

The total amount lost has been estimated at $50,000 USD.

Immediate Reactions


Ultimate Outcome

"TL;DR: All user funds are safe. The exploit has been addressed, and no action is needed from users. Your trust and security remain our top priorities."

"Today we discovered a malicious attack on our Limit Order contracts. It’s important to highlight that no user funds were compromised during this attack and the exploit has been resolved."

"The attack exploited a vulnerability in our audited executor contract, accessing revenue stored within the contract but not any user funds."

"We’ve worked with our auditing partners to re-verify the updated contracts and deployed them along with new routers to eliminate the exploit."

"We’re deeply grateful for the trust you’ve placed in Odos and remain committed to transparency, security, and user protection."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.


Ongoing Developments


General Prevention Policies

The incident underscores the importance of validating all user inputs and being cautious with external contract calls, especially when using pre-compiled contracts or handling contract code lengths. The attack highlights the risks of not properly verifying signature checks, especially when using complex contract functionalities like ERC-6492. It is advised that protocols using such features undergo thorough security audits, not only for initial releases but also for any new features added, to avoid introducing similar vulnerabilities.
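The following Solidity sketch is an added illustration of the checks described in the Technical Details section and in this paragraph; it is not Odos Protocol's code, and the contract, function and variable names (HardenedSignatureValidator, allowedVerifier, isSignatureValid) are hypothetical. The page does not give the exact call sequence of the exploit, so the weak pattern is described in the comments rather than reconstructed in code. The hardened validator only calls verifier contracts the owner has allowlisted, refuses any target with no deployed code (which excludes the 0x04 identity precompile and every other precompile, none of which has code), and compares the whole 32-byte return word rather than its leading bytes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this case study; NOT Odos Protocol's contract.
// All names below are assumptions chosen for the example.

// ERC-1271: a contract signer returns this function's selector as its
// "magic value" when the signature over `hash` is valid.
interface IERC1271 {
    function isValidSignature(bytes32 hash, bytes calldata signature)
        external view returns (bytes4);
}

// Weak pattern (described, not implemented): the router takes the verifier
// address straight from the order data and calls it with no restriction on
// what that address is, then reads only the first four bytes of whatever
// comes back. Precompiles have no code, and the 0x04 identity precompile
// simply echoes its calldata, so the returned bytes start with the very
// selector that was sent, which is the ERC-1271 magic value the check
// expects. The check passes although no signature was ever verified.

contract HardenedSignatureValidator {
    bytes4 private constant MAGIC = IERC1271.isValidSignature.selector;

    address public immutable owner;

    // Verifier contracts this router is willing to call. Limiting external
    // calls to a reviewed set is one of the mitigations the page recommends.
    mapping(address => bool) public allowedVerifier;

    event VerifierUpdated(address indexed verifier, bool allowed);

    constructor() {
        owner = msg.sender;
    }

    // Only the owner may extend the allowlist, and only with real contracts.
    function setAllowedVerifier(address verifier, bool allowed) external {
        require(msg.sender == owner, "not owner");
        // EOAs and precompiles have code length 0; refuse them outright.
        require(verifier.code.length > 0, "verifier has no code");
        allowedVerifier[verifier] = allowed;
        emit VerifierUpdated(verifier, allowed);
    }

    // Returns true only if an allowlisted, code-bearing verifier returned
    // exactly one ABI word equal to the ERC-1271 magic value.
    function isSignatureValid(address verifier, bytes32 hash, bytes calldata sig)
        external view returns (bool)
    {
        // Check 1: the target must come from the allowlist, not from user input.
        if (!allowedVerifier[verifier]) return false;

        // Check 2: re-check code length at call time (the contract could have
        // been self-destructed since it was allowlisted). This alone already
        // rules out every precompile.
        if (verifier.code.length == 0) return false;

        (bool ok, bytes memory ret) = verifier.staticcall(
            abi.encodeCall(IERC1271.isValidSignature, (hash, sig))
        );

        // Check 3: require exactly one return word and compare all 32 bytes.
        // Echoed calldata from the identity precompile would be longer than
        // 32 bytes and, even truncated, would carry `hash` in the bytes after
        // the selector, so it cannot equal the zero-padded magic value.
        if (!ok || ret.length != 32) return false;
        return abi.decode(ret, (bytes32)) == bytes32(MAGIC);
    }
}
```

The allowlist is appropriate where the callee is a protocol-controlled executor or verifier contract; where arbitrary user-owned smart wallets must be accepted as signers, the allowlist does not apply, but the code-length check and the full-word comparison of the return data still do, and together they are enough to reject a precompile posing as a signer.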

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References