Ref Finance Logic Error
Ref Finance is an automated market maker (AMM) decentralized exchange on the NEAR protocol. On August 14th, 2021 the team deployed a hotfix to its contracts that resolved one problem (users who had unstaked everything from the farm contract could not remove their deposited liquidity) but introduced another: removing liquidity no longer debited the user's LP token balance, so a small number of accounts were able to withdraw the same liquidity repeatedly. Around 1 million REF (about 40% of the circulating supply) and roughly 507,000 NEAR were taken from the exchange contracts before the contracts were paused. The REF token was forked from a snapshot at block 45195764 to eliminate the stolen tokens, over 400,000 of the NEAR was traced to Binance and Huobi, where the receiving accounts were blocked at the team's request, and users were reimbursed from existing Ref balances and DAO funds.
It appears that all affected users were ultimately made whole again.
This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20]
About Ref Finance
"Swap exchanges the first selected token with the second selected token. The pools with the highest available liquidity and the lowest exchange fee will be used."
"Ref Finance is one of the core projects in the DeFi ecosystem on NEAR Protocol. Its main objective is to bring together the core components of DeFi, namely, decentralized exchange (DEX), lending protocol, synthetic asset issuer, and so on, into a single, synchronous DeFi platform. Leveraging NEAR’s 1-2 second finality, low costs, as well as its user-friendly and interoperable infrastructure, Ref aims to bring DeFi one step closer to the people."
"Ref is first and foremost a community project. A DAO has been created to allow the community to direct its course. The DAO will be responsible for managing the treasury initially, and shortly thereafter, managing upgrades of the protocol."
"Ref Finance is a collection of DeFi protocols, powered by smart contracts on NEAR, that enable trading and earning by providing liquidity and other financial use cases in the future. Currently, its main product is the automated market maker decentralized exchange (AMM DEX)."
"Ref Finance's AMM DEX enables permissionless and automated trading between any native NEAR or bridged token through liquidity pools managed by smart contracts."
"On August 14 at around 11am UTC (block 45195764), our dev team deployed a hotfix to an issue surrounding the Ref Finance contracts. Prior to the fix, users that unstaked all of their tokens from the farm contract were unable to remove the deposited liquidity from the pool. This occurred due to the users’ NEAR account being unregistered from the LP token contract, a feature unique to NEAR tokens that generally aids the user experience."
"Shortly after the bug was deployed in block 45195764, around 1 million REF were withdrawn from the exchange contracts. This represents 40% of the total circulating supply of REF."
"At around 2pm UTC, the Ref core team noticed unusual behavior with the REF-NEAR pair." "While the hotfix solved [the unstaking] issue, it contained a new issue that did not debit users’ LP token balances when they removed liquidity. This allowed a small number of users to continuously remove tokens, receiving far more tokens than they should have."
"An investigation quickly identified a bug in a recently deployed hotfix to the farming contract, which unfortunately was exploited by several users." "We have determined up to 1,000,000 REF and 580,000 NEAR were affected." "In total, 507,000 NEAR and ~1 million REF tokens were withdrawn using this exploit."
"The Ref UI was taken down, and the" "contracts were immediately paused by the core team to prevent further exploits, and we have coordinated with exchanges to block the accounts involved in the incident." "The Ref team notified Binance and Huobi to pause the exploiters accounts, which they did." "We will keep the contracts paused for 48 hours while we implement the fix and ensure everything is safe."
"The #RefFinance website is undergoing system maintenance but will be back better than ever on August 21st 7:00 UTC!" "The Ref exchange will be redeployed ASAP, and will become usable again via the UI and contracts."
"The Ref team determined users’ non-REF balances before the exploit, and proposed a full reimbursement of the funds using existing Ref balances and DAO funds." "After these initial steps were taken, reimbursements for affected users were issued. A plan was also created to bring Ref back online and make it more secure." "All user funds held in Ref [were] distributed back to users. [The team published] the balances within 24 hours, and begin distributions ASAP (no action required). This [included] full balances for all tokens, except REF."
"If you control one of [the] accounts [with stolen funds], please reach out to us to return the funds via Twitter DM or Telegram @refdev. We will provide you with a generous bug bounty." "If the REF is not returned within 48 hours, we will pursue other options, such as forking the token contract and removing the offending accounts."
"So far, only 250,000 REF has been returned. Rather than wait for the remaining REF to be returned, we propose forking the REF token."
"The DAO will vote on how to handle REF. Most likely, REF will be forked using the balances from before the exploit. The new token would assume the place of the official REF token (whitelisted, liquidity rewards, governance) in the Ref ecosystem."
"Here is the proposal to fork REF token using snapshot from block 45195764. Please review and comment." "We are currently adding a new fork for $REF. Once completed, all $REF token will be airdropped back to the corresponding wallet addresses. All non-$REF tokens have been securely returned to their original wallets."
"The new REF token will be exactly the same as the current REF token, with the balances restored to those in block 45195764, during which the bug was introduced. Holders of REF during this time will receive the new REF tokens directly to their accounts, with no action required on their part."
"This will effectively undo all behavior after the snapshot. The vast majority of activity occurring with REF after this time was related to the exploit. However, there may be a small number of accounts with legitimate behavior affected."
"The new REF token will inherit all current and future attributes of the old REF token, including as the whitelisted token within the Ref exchange, as the primary liquidity incentive for the platform, and as the eventual governance token."
"The DAO will burn the 97.5% of the old REF supply it controls." "To support the new REF token, the DAO will create the new REF - NEAR pair and add liquidity to it. Liquidity will be added at the REF price prior to the exploit. The DAO currently has around 265,000 NEAR, not including the NEAR that is expected to be recovered from the exploit."
"As 1 million of $REF was improperly withdrawn, the community DAO voted to fork the $REF token and create Ref Finance v2 using the balances from block 45195764. This $REF was distributed on August 25th, and whitelisted on the redeployed Ref exchange." "[T]he ticker w[ill] remain “REF”." "The new $REF token assumes all uses of the original token, and will be treated as the only $REF token by us and our partners."
"Over 400,000 of the NEAR were sent to Binance and Huobi." "We have filed reports with local law enforcement, and these accounts have been identified and blocked at exchanges." "We've filed police reports in several jurisdictions, and are working with them and exchanges to have any exploited funds returned. We are confident they will be." "If you control any of these accounts, please reach out to return the funds. You will receive a bug bounty for helping us identify this issue!" "Thank you @binance @HuobiGlobal to work us in the first place to lock stolen funds."
"Many users have already received their tokens, and the rest will receive them by the end of the day tomorrow." "Reimbursements for all $REF tokens were processed within 3 days, after the DAO voted to reimburse the lost NEAR with funds from the DAO." "The new REF token distribution is complete." "There were in total 2,490,506.894 REF token distributed to all users' corresponding NEAR wallets. You should see it as the token with the black background as below." "The remaining 9493.106 REF token that belong to the attackers, who have not yet returned the stolen fund are burned. The current REF total supply becomes 9,990,506.894 REF."
"In addition, the Ref website and dApp were fixed, stress tested, and brought back online on Saturday, August 22. The new contracts went live on v2.ref-finance.near simultaneously." "The contracts have been rigorously tested. We will publish more details, including audit timelines (underway) very shortly."
"A huge thank you to our community for your patience. As promised, the $REF smart contract was redeployed on the MainNet on Aug 21 w/the MainNet testing. [Ref Finance] will be officially re-launched at 12am (UTC) on Aug 23."
"We will implement a rigorous security program. This will include testing plans, audit plans and rules, and a bug bounty program with payouts of $25k+ for severe issues." "Security is our number one priority going forward."
"Any contract changes will have robust test suites created for them, including simulation tests. Additionally, we will test changes for a minimum of one week (usually much longer) manually with community partners." "A comprehensive audit was in progress before the exploit, and will soon be complete and published." "Our core team is very strong, but also small. We are hiring across the board, including engineers, designers, product, community, and more!" "We retained an admin key for a short period of time to allow our dev team to move quickly. This was never intended to be for long, and we will be transferring control of the contracts to the DAO to keep our promise to the community of being a decentralized project."
"We deeply apologize to the entire community for this." "Ref is back online now!" "Pls note that the slippage on some pools may be a bit high as some liquidity hasn't returned to normal levels, but you can add to them now! Farming rewards coming very soon!"
"Ref has been back online for just over a week, and liquidity is quickly returning. The $REF — $NEAR pair is at nearly $2M in liquidity, with $SKYWARD — $NEAR close behind (and $OCT rising quickly!)."
"We are wholeheartedly committed to setting things right again and ensuring that Ref can be a trustworthy and reliable project for our NEAR community." "No action is required from users, and we will reimburse IN FULL any permanently lost funds." "No action will be required from REF holders or LPs to receive the new token, and the original REF will of course still exist." "These are still just the first steps to restoring confidence in Ref, and we will work tirelessly to deliver the project this community deserves!"
The Reality
At the time of the hotfix the contracts were still being audited ("A comprehensive audit was in progress before the exploit"), the core team retained an admin key that allowed it to deploy changes directly rather than through the DAO, and the testing regime described in the post-mortem (robust test suites including simulation tests, and a minimum one-week manual test period with community partners) was introduced only after the incident. The hotfix that changed the liquidity-removal accounting therefore went live without the safeguards the team later adopted.
What Happened
| Date | Event | Description |
|---|---|---|
| August 14th, 2021 (~11:00 UTC, block 45195764) | Hotfix Deployed | The Ref dev team deploys a hotfix so that users who had unstaked all of their tokens from the farm contract, and had thereby been unregistered from the LP token contract, could again remove their deposited liquidity. The fix does not debit users' LP token balances when liquidity is removed. |
| August 14th, 2021 | Main Event | Shortly after the deployment, a small number of accounts repeatedly remove liquidity, receiving far more tokens than their LP balances entitle them to. Around 1 million REF (about 40% of the circulating supply) and roughly 507,000 NEAR are withdrawn from the exchange contracts. |
| August 14th, 2021 (~14:00 UTC) | Exploit Detected | The core team notices unusual behaviour on the REF-NEAR pair, identifies the bug in the hotfix, takes down the Ref UI, pauses the contracts for 48 hours, and asks Binance and Huobi to block the accounts receiving the funds. |
| August 21st-23rd, 2021 | Contracts Redeployed | The fixed exchange contracts go live on v2.ref-finance.near; the website and dApp are brought back online on August 22nd and the exchange is officially relaunched on August 23rd. |
| August 25th, 2021 | REF Forked | The DAO distributes the new REF token from the block 45195764 snapshot and whitelists it on the redeployed exchange. |
Technical Details
The incident was a logic error in the exchange contracts, not a key compromise. On NEAR, fungible-token contracts require an account to be registered (for storage) before it can hold a balance. Users who unstaked all of their tokens from the farm contract were unregistered from the LP token contract, which left them unable to remove the liquidity they had deposited in the pool. The hotfix deployed at block 45195764 restored that path, but the new code did not debit the caller's LP token balance when liquidity was removed. Because the balance check still passed after each withdrawal, any account holding LP tokens could call the removal repeatedly and receive its pro-rata share of the pool's reserves each time, draining the REF-NEAR pair. The team's own description is that the hotfix "did not debit users' LP token balances when they removed liquidity", which "allowed a small number of users to continuously remove tokens, receiving far more tokens than they should have."
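The following is an added illustration of the bug class described above, written as a minimal pool model in Rust. It is not Ref Finance's contract code: the Pool struct, the account names and the method names are assumptions for the example, and only the defect (paying out liquidity without debiting the caller's LP shares) follows the incident. The vulnerable and fixed removals sit side by side, and a cross-multiplied post-condition shows the kind of invariant a simulation test or a production monitor could have asserted after each removal.

```rust
// Added illustrative example, not Ref Finance's contract code. The pool
// model, account names and method names are assumptions; only the bug class
// (paying out liquidity without debiting the caller's LP shares) follows the
// incident described on this page.
use std::collections::HashMap;

pub type AccountId = String;

#[derive(Debug, Clone, PartialEq)]
pub struct Pool {
    pub reserve_a: u128,
    pub reserve_b: u128,
    pub total_shares: u128,
    pub shares: HashMap<AccountId, u128>,
}

impl Pool {
    /// Build a pool with the given reserves and per-account LP share balances.
    pub fn new(reserve_a: u128, reserve_b: u128, lps: &[(&str, u128)]) -> Self {
        let shares: HashMap<AccountId, u128> =
            lps.iter().map(|(a, s)| (a.to_string(), *s)).collect();
        let total_shares: u128 = shares.values().sum();
        Pool { reserve_a, reserve_b, total_shares, shares }
    }

    /// Pro-rata amount of each reserve that `shares` LP tokens redeem for.
    fn payout(&self, shares: u128) -> (u128, u128) {
        (
            self.reserve_a * shares / self.total_shares,
            self.reserve_b * shares / self.total_shares,
        )
    }

    /// VULNERABLE: checks the caller's LP balance and releases the tokens,
    /// but never debits the balance or the total supply, so the same shares
    /// can be redeemed again and again until the reserves are drained.
    pub fn remove_liquidity_vulnerable(&mut self, caller: &str, shares: u128) -> Option<(u128, u128)> {
        let balance = *self.shares.get(caller)?;
        if shares == 0 || shares > balance {
            return None;
        }
        let (out_a, out_b) = self.payout(shares);
        self.reserve_a -= out_a;
        self.reserve_b -= out_b;
        // Missing: debit `shares` from the caller's balance and from total_shares.
        Some((out_a, out_b))
    }

    /// FIXED: compute the payout, debit the caller's shares and the total
    /// supply first, and only then reduce the reserves (the "transfer").
    pub fn remove_liquidity(&mut self, caller: &str, shares: u128) -> Option<(u128, u128)> {
        let balance = *self.shares.get(caller)?;
        if shares == 0 || shares > balance {
            return None;
        }
        let (out_a, out_b) = self.payout(shares);
        self.shares.insert(caller.to_string(), balance - shares);
        self.total_shares -= shares;
        self.reserve_a -= out_a;
        self.reserve_b -= out_b;
        Some((out_a, out_b))
    }
}

/// Post-condition a simulation test or a production monitor can assert after
/// every liquidity removal: the reserves backing each LP share must not shrink.
/// reserve/total_shares before and after are compared by cross-multiplying so
/// no floating point is involved; a pool whose last share was redeemed must be empty.
pub fn value_per_share_not_decreased(before: &Pool, after: &Pool) -> bool {
    if after.total_shares == 0 {
        return after.reserve_a == 0 && after.reserve_b == 0;
    }
    after.reserve_a * before.total_shares >= before.reserve_a * after.total_shares
        && after.reserve_b * before.total_shares >= before.reserve_b * after.total_shares
}

/// Redeem the same 100 shares three times against one implementation and
/// return the total of token A paid out; the vulnerable pool pays all three times.
pub fn drain_total(vulnerable: bool) -> u128 {
    let mut pool = Pool::new(1_000_000, 2_000_000, &[("lp.near", 900), ("attacker.near", 100)]);
    let mut total = 0;
    for _ in 0..3 {
        let result = if vulnerable {
            pool.remove_liquidity_vulnerable("attacker.near", 100)
        } else {
            pool.remove_liquidity("attacker.near", 100)
        };
        if let Some((a, _)) = result {
            total += a;
        }
    }
    total
}

fn main() {
    println!("vulnerable pool paid out {} of token A", drain_total(true));
    println!("fixed pool paid out {} of token A", drain_total(false));
}
```

With a 10% stake the vulnerable pool pays 100,000, then 90,000, then 81,000 of token A across three calls while the caller's balance never changes; the fixed pool pays once and rejects the second call. The `value_per_share_not_decreased` check fails on the very first vulnerable removal, which is the point: a one-line invariant over the pool's own state would have flagged the hotfix in a simulation test before deployment, or in a monitor within the first transaction.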
Total Amount Lost
The total amount lost has been estimated at $3,200,000 USD.
The team's own figures differ slightly between sources. The initial announcement gave an upper bound of "up to 1,000,000 REF and 580,000 NEAR", while the post-mortem's final count was "507,000 NEAR and ~1 million REF tokens". The 1 million REF represented about 40% of the circulating supply. The USD estimate above is not broken down by token in the sources on this page, and no exchange rate is given.
Immediate Reactions
Within about three hours of the hotfix the core team identified the bug, took down the Ref UI and paused the exchange contracts for 48 hours. It notified Binance and Huobi, which paused the accounts that had received the stolen NEAR, and filed police reports in several jurisdictions. Holders of the stolen funds were offered a bug bounty for returning them, with a warning that the REF token contract would otherwise be forked. The team determined users' non-REF balances as of the exploit and proposed, through the DAO, to reimburse them in full from existing Ref balances and DAO funds, with no action required from users.
Ultimate Outcome
Only 250,000 REF was returned in response to the bounty offer, so the community DAO voted to fork the REF token from the block 45195764 snapshot, effectively undoing all REF activity after the hotfix. The DAO burned the 97.5% of the old supply it controlled, created a new REF-NEAR pair seeded at the pre-exploit price, and distributed the new token on August 25th: 2,490,506.894 REF went to holders' NEAR wallets and the 9,493.106 REF belonging to attackers who had not returned funds was burned, for a new total supply of 9,990,506.894 REF. Non-REF balances were reimbursed from DAO funds within three days. The fixed contracts went live on v2.ref-finance.near and the exchange relaunched on August 23rd; the team committed to a security program with test suites, simulation tests, audits, a $25k+ bug bounty, and transfer of contract control from the team's admin key to the DAO. The sources on this page do not report any prosecution.
Total Amount Recovered
Of the roughly 1 million stolen REF, 250,000 REF was returned by an exploiter in response to the bounty offer. Over 400,000 of the stolen NEAR was traced to Binance and Huobi, where the receiving accounts were blocked at the team's request; the team stated it was confident those funds would be returned, but the sources on this page do not confirm that they were. Affected users were reimbursed regardless: non-REF balances were restored in full from existing Ref balances and DAO funds, and REF holders received the forked token from the pre-exploit snapshot.
Ongoing Developments
Whether the NEAR blocked at Binance and Huobi was ultimately returned is not stated in the sources on this page. The team also said it would publish the results of the audit that was underway at the time of the exploit and transfer control of the contracts from its admin key to the DAO; neither outcome is documented here.
General Prevention Policies
Many of the measures that Ref has undertaken since the incident, such as audits, simulation tests, a manual test period with community partners and a bug bounty program, will reduce the risk of similar exploits. The specific failure here was a change to withdrawal accounting that went live directly as a hotfix, so the most direct control is a pre-deployment test that asserts the protocol's invariants (for example, that removing liquidity reduces the caller's LP balance and the total supply by the amount removed) together with a monitor that pauses the contract when such an invariant breaks in production. Beyond that, the central structural issue is that all funds sit in a hot system. The most secure setup would store unused funds in a multi-signature cold storage wallet held by trusted and trained operators, combined with a smart contract insurance protocol or self-insurance for the remaining funds.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
- [2] @finance_ref Twitter (Aug 29, 2021)
- [3] Ref Finance (Sep 15, 2021)
- [4] Introduction - Ref Finance (Sep 15, 2021)
- [5] @finance_ref Twitter (Sep 27, 2021)
- [6] @finance_ref Twitter (Sep 27, 2021)
- [7] @finance_ref Twitter (Sep 27, 2021)
- [8] @finance_ref Twitter (Sep 27, 2021)
- [9] @finance_ref Twitter (Sep 27, 2021)
- [10] @finance_ref Twitter (Sep 27, 2021)
- [11] @finance_ref Twitter (Sep 27, 2021)
- [12] @finance_ref Twitter (Sep 27, 2021)
- [13] @finance_ref Twitter (Sep 27, 2021)
- [14] @finance_ref Twitter (Sep 27, 2021)
- [15] @finance_ref Twitter (Sep 27, 2021)
- [16] @finance_ref Twitter (Sep 27, 2021)
- [17] A Post-Mortem On The Ref Finance Exploit What Happened? | by Ref Finance | Medium (Sep 27, 2021)
- [18] Fork REF token using snapshot from block 45195764 - Ref Finance (Sep 27, 2021)
- [19] Ref Finance Payouts - Google Sheets (Sep 27, 2021)
- [20] Ref.Finance came under attack, about 1 million Ref and 580,000 NEAR were affected - 律动BlockBeats (Sep 27, 2021)