RigoBlock Missing Access Controls

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository


RigoBlock

RigoBlock's smart contract hot wallet was exploited because its access controls had not been set up properly, and 160.86 ETH was taken. The attacker later returned 90% of the funds, keeping the remaining 10% as a bounty. The returned funds are anticipated to be redistributed to affected users.

This is a global/international case not involving a specific country. [1][2][3]

About RigoBlock

[4][5][6][7]

"Organizing the World’s Value. RigoBlock is an open protocol that makes token management universally accessible." "RigoBlock describes itself as an open standard for asset/token management built on existing blockchains. It was founded in 2016 by Gabriele Rigo in Lugano, Switzerland. It has been live since November 2018 on the Ethereum main network."

"RigoBlock is a blockchain protocol that makes it possible for anyone to set up and run a digital token pool. It is an open protocol which developers can use for building their own applications for token management."

The Reality

The RigoBlock Dragos smart contract contained a vulnerability with an exposed function. The function was intended to be private for protocol administrators, but was set up so that anyone could access and use it.

Smart Contract Vulnerability

"In RigoBlock Dragos, all versions as of 2022-02-17 and later (until a major protocol update is accomplished) contain an exposed function (CWE-749), specifically setMultipleAllowances() which was not set to onlyOwner. The setMultipleAllowances() function can be to manipulate tokens with the contract."

"Ref: CWE-749: Exposed Dangerous Method or Function. The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted."
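The following is an added example, not RigoBlock's code and not part of the original case study: a small Python review check that flags externally callable, state-changing Solidity functions that carry no access-control modifier, run over a constructed contract. Only the names setMultipleAllowances and onlyOwner come from the page; the contract, its parameters and the function bodies are assumptions.

```python
import re

# Constructed Solidity for illustration; NOT RigoBlock's source. Only the names
# setMultipleAllowances and onlyOwner come from the page. The parameters,
# bodies and the other two functions are assumptions.
VULNERABLE = """
contract Pool {
    address public owner;
    modifier onlyOwner() { require(msg.sender == owner); _; }

    function setMultipleAllowances(address spender, address[] calldata tokens,
                                   uint256[] calldata amounts) external {
        for (uint256 i = 0; i < tokens.length; i++) {
            IERC20(tokens[i]).approve(spender, amounts[i]);
        }
    }
    function totalTokens() external view returns (uint256) { return 0; }
    function setOwner(address next) external onlyOwner { owner = next; }
}
"""
# Hardened form: the same function, restricted with the onlyOwner modifier.
HARDENED = VULNERABLE.replace("amounts) external {", "amounts) external onlyOwner {")

# name, parameter list, then everything between ')' and the body or ';'
FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]")
GUARDS = {"onlyOwner"}        # modifiers the reviewer accepts as access control
READ_ONLY = {"view", "pure"}  # cannot change state, so not flagged


def unguarded_entry_points(source, guards=GUARDS):
    """Names of public/external state-changing functions with no guard modifier.

    Heuristic only: a check written inline in the body (require on msg.sender)
    is not recognised, so each finding is a prompt for manual review.
    """
    findings = []
    for name, _params, attrs in FUNC.findall(source):
        words = set(re.findall(r"\w+", attrs))
        externally_callable = bool(words & {"public", "external"})
        if externally_callable and not (words & READ_ONLY) and not (words & guards):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("vulnerable:", unguarded_entry_points(VULNERABLE))
    print("hardened:  ", unguarded_entry_points(HARDENED))
```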

What Happened

The RigoBlock Dragos smart contract was exploited using the setMultipleAllowances function, which had public access enabled. The attacker made off with an estimated $464k USD.

Key Event Timeline - RigoBlock Missing Access Controls
| Date | Event | Description |
| --- | --- | --- |
| February 17th, 2022 7:26:00 AM MST | Main Event | |
| February 17th, 2022 9:40:00 AM MST | Announcement By RigoBlock | RigoBlock announces the exploit[8]. |
| February 20th, 2022 2:04:00 AM MST | Funds Returned By Attacker | RigoBlock reports that the attacker has now returned 90% of the funds, keeping 10% as a bounty[9]. |
| February 22nd, 2022 7:53:39 PM MST | SlowMist Post About Attack | SlowMist reports that "RigoBlock has been hacked[10]. All tokens in Dragos except ETH and USDT are at risk due to protocol vulnerabilities being exploited. The hacker, Whitehat, has returned funds to the affected RigoBlock pool, leaving only 10% of the bug bounty reward...." The hack was also shared on Opera News[11]. |

Technical Details

[12]

"On February 17, 2022 RigoBlock lost $464K due to the missing access control on a function controlling token allowances."

[13]

Total Amount Lost

The total amount lost has been estimated at $464,000 USD.

Immediate Reactions

[8]

RigoBlock has been hacked. All tokens in Dragos but ETH and USDT are at risk due to an exploited protocol vulnerability. The fix will require a major protocol upgrade, please don’t use RigoBlock.

Purchases and sales of RigoBlock pools are safe, everyone looking to withdraw their own funds can do that without risk.

It is not safe for pool operators, within their RigoBlock pools, to swap ETH for tokens or hold tokens.


"RigoBlock has been hacked. All tokens in Dragos except ETH and USDT are at risk due to protocol vulnerabilities being exploited. The hacker, Whitehat, has returned funds to the affected RigoBlock pool, leaving only 10% of the bug bounty reward."


Ultimate Outcome

A bounty of $46,000 USD was paid for the discovery.

"UPDATE: whitehat has returned recovered funds to the affected RigoBlock pool, minus a 10% bug bounty reward." "We have contacted @ethermine_org regarding the remaining funds which were part of the whitehat frontrun transaction." "After the situation is cleared up, treasury funds will be used to compensate the affected RigoBlock pools for their loss."

Total Amount Recovered

The total amount recovered has been estimated at $418,000 USD.

Ongoing Developments

TBD

Individual Prevention Policies

This case does not appear to have resulted in a loss to any individual. Funds were ultimately returned by the attacker.

Individuals can avoid losing their funds to similar exploits through greater diligence in ensuring that the smart contracts they use have been properly audited.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

The primary issue was related to a lack of validation. Ensuring that smart contracts are reviewed by multiple independent third party smart contract auditors can help reduce the possibility that similar exploits are undetected. This particular type of issue where a function is public is very easy to uncover in a review.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

In the event that an exploit goes undetected, an industry insurance fund can assist. The industry insurance fund can also assist with ensuring that validators are effective.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

The primary issue was related to a lack of validation. Ensuring that smart contracts are reviewed by multiple independent third party smart contract auditors can help reduce the possibility that similar exploits are undetected. This particular type of issue where a function is public is very easy to uncover in a review.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. A third party must not be reused within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

In the event that an exploit goes undetected, an industry insurance fund can assist. The industry insurance fund can also assist with ensuring that validators are effective.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References