Predy Finance Contract Callback Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Predy Finance Logo/Homepage

Predy Finance offers a new decentralized exchange experience with minimal trading fees, and also features a lending pool. A vulnerability existed where a callback to a malicious contract could bypass certain checks designed to prevent funds being drained. The funds were drained by exploiting this vulnerability. The contract was patched and the smart contract is working on an audit.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]

About Predy Finance

"ZERO GAS EXPERIENCE PERP AND SWAP DEX New Trade experience with the Intent-Based Perpetual and Swap DEX. Maximise your profit and minimise your loss."

"Intent-based architecture has realised to smash the gas fee away." "To maximise your profit effectively, leverage upto x50 available." "Exact, specific and safe orders for your positions."

"Experience seamless token swaps like never before with our revolutionary platform, where every swaps is not just smooth but also gas fee-free. Say goodbye to costly transaction fees and hello to effortless trading. Unlock a world of convenience and savings in the exciting realm of decentralized finance."

"Step into the world of perpetual trading where opportunities are limitless. Harness the power of leverages and set your own terms with limit orders, enabling you to amplify your gains while managing risk effectively. Join us today and explore a dynamic landscape where every trade holds the potential for unprecedented growth and success."

"Predy is a mechanism that allows efficient on-chain trading of delta and gamma. It enables perpetual futures and Squart (to be explained later) trading for all pairs that exist on Uniswap. There is no need to specifically provide liquidity for perps and options; having a Uniswap pool is sufficient.

Predy consists of a lending pool called PredyPool and market contracts such as PerpMarket and GammaMarket. By creating new market contracts, new exchanges can be defined. The lending pool, being a place where funds are concentrated, is a highly targeted spot, and it is impractical to redevelop the lending pool repeatedly. Therefore, the design allows for defining orders and products by adding new market contracts without making changes to the lending pool.

Squart (Square Root of Perpetual) is a perpetual future that tracks the square root of the price. Unlike standard options or perpetual options, Squart does not have a strike price. However, similar to options, it carries gamma exposure. This feature helps address the issue of liquidity fragmentation in gamma trading. Additionally, Squart is fully backed by the LP positions in Uniswap V3 Pools."

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"The decentralized exchange Predy Finance on the Arbitrum chain was attacked, resulting in the loss of $464k worth of crypto assets from its lending pool."

Key Event Timeline - Predy Finance Contract Callback Vulnerability
Date Event Description
March 29th, 2024 Smart Contract Deployed The attacker's smart contract is deployed.
May 14th, 2024 1:41:28 AM MDT Attack Transaction The attack transaction on the Predy Finance smart contract.
May 14th, 2024 4:22:00 AM MDT SlowMist Technical Analysis The SlowMist team announces potential suspicious activity and provies a technical analysis of what happened.
May 14th, 2024 5:29:00 AM MDT Revoke Request The team recommends revoking their smart contract, even though they don't believe there is any theft of funds outside the lending pool.
May 14th, 2024 9:37:00 AM MDT Predy Finance Reply Predy Finance responds to SlowMist to indicate that the situation is under investigation.
May 14th, 2024 9:07:00 PM MDT Message To Hacker The Predy Finance team announces that they have sent a message to the hacker, providing Ethereum and Arbitrum transaction hashes.
May 15th, 2024 12:03:00 AM MDT Predy Finance Tweet "What was attacked was the Lending pool. If there is a small amount of Position left at the time of the attack, that Position is in a state where it cannot be closed, We are currently scrutinizing that balance to see if it exists."
May 16th, 2024 8:11:45 AM MDT Postmortem Published Predy Finance publishes a post-mortem on Medium and links this through Twitter.
May 17th, 2024 12:26:00 AM MDT Predy Finance Thanks Predy Finance gives public thanks to "everyone" with special mention of 7HypernativeLabs.
May 17th, 2024 12:34:00 AM MDT Message To Hacker The Predy Finance team announces that they have sent a message to the hacker, providing Ethereum and Arbitrum transaction hashes.
May 24th, 2024 2:06:00 PM MDT Audit Contest Announcement The Predy Finance team announces that they are launching an audit contest with $100,000 in prizes for any vulnerabilities found.

Technical Details

"The attacker deployed a contract for the attack. This was deployed on Mar-29–2024. All subsequent steps were executed from this Attacker Contract."

"Predy Pool manages the liquidity of currencies. This is used to apply leverage when creating positions in Predy. Anyone can add new currency pairs. Before the attack, Predy had the following two pairs:

pair id 1 : pair of Bridged USDC and Wrapped ETH pair id 2 : pair of Native USDC and Wrapped ETH The Attacker Contract created a new pair, pair id 3. This is a pair of Native USDC and Wrapped ETH, similar to pair id 2.

pair id 3: pair of Native USDC and Wrapped ETH

In Predy, creating the same pair is not an issue by design. However, the pair creator can restrict the contracts that trade with the pair. Therefore, the Attacker Contract does not have the authority to trade with existing pairs. Below is the line that restricts trading authority."

"Thus, the Attacker Contract created a new pair. nAt this stage, the Attacker Contract only created the new pair and did not provide funds."

"In the newly created pair id 3, the Attacker Contract has the authority, so the trade function can be executed. The Attacker Contract calls the trade function specifying pair id 3 of Predy Pool. Within this, `TradeLogic.trade` is called, and then `TradeLogic.callTradeAfterCallback` is called. And within this, `AttackerContract.predyTradeAfterCallback` is called.

This was implemented to call the predyTradeAfterCallback of Predy’s MarketContract. A mutex is used for the trade function call, so the trade function cannot be called again within the predyTradeAfterCallback function."

"However, here the take function can be called to obtain liquidity from Predy Pool or the supply function to provide liquidity. This is necessary to utilize liquidity within the trade function."

"Within the predyTradeAfterCallback of the Attacker Contract, When the `PredyPool.take` function is called specifying the amount of USDC in Predy Pool, this amount is transferred to the Attacker Contract. This amount is the same as the amount existing in pair id 2. The Attacker Contract then calls `PredyPool.supply`, supplying the amount of USDC obtained by the take function to pair id 3. The same was done for Wrapped ETH.

Finally, a difference check is performed before and after the trade process within the Pool."

"Since the assets in the Pool simply moved from pair id 2 to pair id 3, there is no difference in the amounts within the pool. Therefore, the trade function call from the Attacker Contract was judged as a normal transaction."

"The state where the Attacker Contract has supplied funds to pair id 3 remains in Predy Pool. The Attacker Contract executed the withdraw function and obtained funds from the created pair.

The funds withdrawn in this manner are 219,585.737814 USDC and 83.9 WETH."

"This issue was caused by the unintended use of a callback, which we could not discover before deployment. We have already stopped the Contract, so there will be no further damage. Countermeasures are already under consideration, and we will ensure a secure state to provide it to everyone safely. Resuming operations are considered at an appropriate time after undergoing an audit. updates will be provided as soon as details are finalized."

Total Amount Lost

"The funds withdrawn in this manner are 219,585.737814 USDC and 83.9 WETH."

The total amount lost has been estimated at $464,000 USD.

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

"We would like to remark that we do appreciate everyone, including Twitter (X) and Discord, who shared various opinions on this Attack, especially @HypernativeLabs. Thank you so much for all your support"

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. @SlowMist_Team Twitter (Jun 5, 2024)
  2. @predyfinance Twitter (Jun 5, 2024)
  3. @predyfinance Twitter (Jun 5, 2024)
  4. Ethereum Transaction Hash (Txhash) Details | Etherscan (Jun 5, 2024)
  5. Arbitrum Transaction Hash (Txhash) Details | Arbiscan (Jun 5, 2024)
  6. Arbitrum Transaction Hash (Txhash) Details | Arbiscan (Jun 5, 2024)
  7. Predy Finance | Perp and Swap DEX (Jun 5, 2024)
  8. Welcome to Predy V6 | Predy V6 (Jun 5, 2024)
  9. @predyfinance Twitter (Jun 5, 2024)
  10. @predyfinance Twitter (Jun 5, 2024)
  11. @predyfinance Twitter (Jun 5, 2024)
  12. Postmortem Report on The Details of The Events of May 14 2024 (Jun 5, 2024)
  13. @predyfinance Twitter (Jun 5, 2024)
  14. @predyfinance Twitter (Jun 5, 2024)
  15. @predyfinance Twitter (Jun 5, 2024)
  16. @predyfinance Twitter (Jun 5, 2024)
  17. @predyfinance Twitter (Jun 5, 2024)
  18. @predyfinance Twitter (Jun 5, 2024)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Predy_Finance_Contract_Callback_Vulnerability&oldid=6009"