Shezmu Unbacked Collateral Vulnerability
Shezmu operates a series of smart contracts, one of which issues a collateralized stablecoin. A vulnerability introduced in a contract upgrade on September 3rd made it possible to mint units of this stablecoin without any real collateral backing them. The flaw was exploited several times on September 20th, draining a total of $4.9m worth of liquidity from the protocol. The protocol successfully negotiated the return of funds with all of the attackers, paying a 10% bounty to most of them and 20% to one. There are plans to rebuild the protocol and restore what was lost.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25]
About Shezmu
"Shezmu introduces a groundbreaking hybrid Collateralized Debt Position (CDP) platform that innovatively combines the capabilities of both NFTs and Yield-Bearing Tokens. Our platform allows users to borrow against both NFTs and Yield-Bearing Tokens, providing unparalleled flexibility and liquidity in the digital asset space. In addition to the core CDP functionality, our project offers a suite of utilities designed to enhance user experience and asset value."
"Users can use their NFTs and Yield-Bearing Tokens as collateral to secure loans, unlocking liquidity without relinquishing ownership of their valuable digital assets."
"Oasis supports a wide array of both NFTs and Yield-Bearing Tokens, ensuring users can maximize their assets' potential."
The Reality
"Shezmu failed to scrutinize their September 3rd contract upgrade, leaving the door wide open for an enterprising hacker."
"One of their vaults used collateral that can be minted by anyone. With the free collateral, the attacker can borrow an arbitrary amount of $ShezUSD."
What Happened
"On September 20th, Shezmu found itself in the crosshairs of an opportunistic hacker who had stumbled upon a critical flaw - a vault accepting collateral that could be minted by anyone."
"With this vulnerability, the attacker managed to borrow an arbitrary amount of ShezUSD, draining millions from the protocol."
| Date | Event | Description |
|---|---|---|
| September 2nd, 2024 6:48:11 PM MDT | Smart Contract Updated | The Shezmu smart contract is upgraded without adequate scrutiny, leaving an exploitable vulnerability in place. |
| September 20th, 2024 2:31:00 PM MDT | Chaofan Shou Tweet | Chaofan Shou is one of the first to tweet about and highlight the vulnerability, which has just been exploited. |
| September 20th, 2024 2:55:00 PM MDT | Shezmu Twitter Announcement | Shezmu posts on Twitter to acknowledge the exploit and reassure their users. They "are looking into the cause of the exploit, and will post a bounty and contact relevant authorities, as well as a post mortem". |
| September 20th, 2024 4:23:35 PM MDT | Shezmu Reaches Out To Hacker | Shezmu reaches out to the hacker and offers a 10% bounty in exchange for the return of the remaining funds. |
| September 20th, 2024 4:44:35 PM MDT | Attack Contract Created | One of the attack smart contracts is created, as reported by Ancilia, Inc. |
| September 20th, 2024 4:55:47 PM MDT | Attack Transaction Executed | One of the attack transactions is executed, as reported by Ancilia, Inc. |
| September 20th, 2024 6:49:11 PM MDT | Return Of 282.18 WETH | 282.18 wrapped ETH are returned to the Shezmu team. |
| September 20th, 2024 7:37:00 PM MDT | Return Of Funds Announced | The return of the 282.18 WETH is announced on Twitter along with the transaction ID. |
| September 20th, 2024 7:41:00 PM MDT | Ancilia Inc. Tweets One Attack | Ancilia Inc. posts a tweet identifying one of the attack transactions and smart contracts. |
| September 20th, 2024 8:15:47 PM MDT | Hacker Response Asking 20% | "Hi there - thanks for reaching out. Sure we can talk about the refund, but only considering 20% as bounty. btw I have no problem with that KYC." |
| September 20th, 2024 8:20:59 PM MDT | Acceptance Of Hacker Deal | The hacker's counteroffer of a 20% bounty is accepted. The return address is provided. |
| September 20th, 2024 9:06:23 PM MDT | Return Of 9,346 DAI | 9,346 DAI is returned by the hacker. |
| September 20th, 2024 9:19:23 PM MDT | Confirmation Of 9,346 DAI | The team confirms receipt of 9,346 DAI from the hacker but still appears to be requesting that more funds be returned. |
| September 20th, 2024 9:22:47 PM MDT | Return Of 137 WETH | 137 wrapped ETH are returned to the Shezmu team. |
| September 20th, 2024 9:47:00 PM MDT | Return Of Funds Announced | The return of the funds is announced on Twitter by the Shezmu team. |
| September 21st, 2024 8:56:35 AM MDT | Return Of 214 ETH | 214 ETH are returned to the Shezmu team. |
| September 21st, 2024 9:27:00 AM MDT | Announcement Of Funds Returned | Shezmu announces they've "successfully recovered the remaining funds (minus white hat bounties) and are working on a full post-mortem and recovery plan. Over the next few days, we'll release details on our plan to ensure Curve, Balancer, and Beefy LPs are made whole." |
| September 22nd, 2024 3:48:00 PM MDT | Roadmap Provided On Twitter | The Shezmu team provides a recovery roadmap on Twitter. |
Technical Details
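The flaw described above is a vault accepting a collateral token that anyone could mint. As an added illustration (a Python model written for this page, not code from the source or from the Shezmu contracts), the toy vault below shows why such collateral lets a caller with no real assets mint stablecoin, and the pre-listing check a deployer can run before whitelisting a collateral token. All addresses, class names and the 80% loan-to-value figure are assumptions.

```python
# Added example, not from the source page or the Shezmu contracts: a toy CDP
# vault where collateral anyone can mint yields unbacked stablecoin, plus the
# pre-listing check a deployer can run. All names here are assumptions.
from dataclasses import dataclass, field
ANYONE = "0xanyone"  # constructed, unprivileged caller
VAULT = "0xvault"    # constructed vault address, sole minter of the debt token

@dataclass
class Token:
    """ERC-20-like token; an empty `minter` means anyone can mint (the flaw)."""
    minter: str = ""
    balances: dict = field(default_factory=dict)

    def mint(self, caller: str, to: str, amount: int) -> None:
        if self.minter and caller != self.minter:
            raise PermissionError(f"{caller} is not the minter")
        self.balances[to] = self.balances.get(to, 0) + amount

@dataclass
class Vault:
    collateral: Token
    debt: Token
    ltv_pct: int = 80
    borrowed: dict = field(default_factory=dict)

    def deposit_and_borrow(self, user: str, coll: int, amount: int) -> None:
        if self.collateral.balances.get(user, 0) < coll:
            raise ValueError("insufficient collateral balance")
        if amount > coll * self.ltv_pct // 100:
            raise ValueError("exceeds borrow limit")
        self.collateral.balances[user] -= coll  # lock the collateral
        self.borrowed[user] = self.borrowed.get(user, 0) + amount
        self.debt.mint(VAULT, user, amount)     # only the vault mints debt

def collateral_is_freely_mintable(token: Token) -> bool:
    """Pre-listing check: a mint from an unprivileged caller must fail."""
    try:
        token.mint(ANYONE, ANYONE, 1)
    except PermissionError:
        return False
    return True

def unbacked_debt(vault: Vault, amount: int) -> int:
    """Invariant test: debt a caller holding no real assets can obtain (0 = safe)."""
    try:
        vault.collateral.mint(ANYONE, ANYONE, amount * 2)
        vault.deposit_and_borrow(ANYONE, amount * 2, amount)
    except (PermissionError, ValueError):
        return 0
    return vault.borrowed[ANYONE]
```

Running `unbacked_debt` against each vault in a test suite after every upgrade would have flagged a collateral token whose mint restriction was lost, since the result is non-zero only when the collateral can be minted by an unprivileged caller.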
Total Amount Lost
The total amount lost has been estimated at $4,900,000 USD.
Immediate Reactions
"@ShezmuTech has been hacked / rugged. ~$4.9M worth of $ShezUSD stolen."
"Due to low liquidity, these $4.9M worth of $ShezUSD are swapped to only $700K."
"One of the ShezUSD vaults has been exploited. Please refrain from interacting with the dApp until further notice.
We are looking into the cause of the exploit, and will post a bounty and contact relevant authorities, as well as a post mortem."
Ultimate Outcome
"Yet, in a move that would make even the most seasoned poker players sweat, Shezmu called the hacker's bluff.
They laid their cards on the table: return the funds for a 10% bounty and walk away scot-free, or face the full force of the law within 24 hours.
The hacker, unfazed, countered with a demand for 20%.
In a game of crypto chicken, Shezmu blinked first, agreeing to the 20% bounty."
"The Shezmu team is offering a 10% bounty of the exploited funds, provided that the remaining funds are returned within the next 24 hours. If the funds are not refunded within this time frame, we will escalate the matter through legal channels."
"We’ve successfully recovered the remaining funds (minus white hat bounties) and are working on a full post-mortem and recovery plan. Over the next few days, we’ll release details on our plan to ensure Curve, Balancer, and Beefy LPs are made whole.
We would also like to give massive thank-yous to both @shoucccc for bringing this to our attention quickly and @ZachXBT who has helped us swiftly locate exchanges tied to wallets, contacted etherscan to flag wallets, and assisted in applying pressure to those who held the funds.
Additionally, we would like to thank our community for supporting us through these troubled times, it means the world to us. Together we will come back stronger, together we are $SHEZMU."
"Over the coming days, here’s what you can expect as part of our comprehensive recovery and reimbursement plan:
1. Snapshot of Impacted LPs: A snapshot of all Beefy, Curve, Balancer, and Aura LPs holding ShezUSD and ShezETH paired assets will be taken to assess the impact and ensure accurate reimbursement.
2. Airdrop of Recovered Funds: Affected LPs will receive an airdrop of the recovered funds from the white hat, which covers over 80% of the lost liquidity. This airdrop will be distributed in the coming days.
3. Debt Tokens to Cover Remaining Losses: To cover the remaining 20% of losses, impacted LPs will be issued debt tokens based on the snapshot. These tokens will represent the outstanding value and will be repaid through protocol fees from interest, bonds, claims, and options executions, as well as treasury and protocol-owned collateral.
4. Balancer ShezETH Pool Recovery Mode: The Balancer ShezETH pool will enter recovery mode once ShezETH is unpaused, enabling proportional withdrawals for LPs; deposits and swaps are disabled in this mode.
5. Following the completion of reimbursements, a full post-mortem and detailed peg restoration plan will be released. This will outline the steps taken to secure the protocol moving forward and ensure the stability of ShezUSD and ShezETH.
We appreciate your continued support and will keep the community updated with each step of the recovery. Our goal is to ensure the safe return of funds and restore confidence in Shezmu."
A bounty of $490,000 USD was paid for the discovery.
Total Amount Recovered
The total amount recovered has been estimated at $4,410,000 USD.
Ongoing Developments
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist Hacked - SlowMist Zone (Accessed Sep 23, 2024)
- ↑ Rekt - Shezmu - Rekt (Accessed Sep 23, 2024)
- ↑ @shoucccc Twitter (Accessed Sep 23, 2024)
- ↑ 0xf68a65993bbd543a03 | Phalcon Explorer (Accessed Sep 23, 2024)
- ↑ Shezmu | Leveraging Yield (Accessed Sep 23, 2024)
- ↑ Abstract | Shezmu (Accessed Sep 23, 2024)
- ↑ @ShezmuTech Twitter (Accessed Sep 23, 2024)
- ↑ https://etherscan.io/idm?addresses=0x2604c6b2e0cf38e5ba66b2a5dd93461740d1dbee,0xfaf2484adf637837001404ff95716de1fc3b4331&type=1 (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ @ShezmuTech Twitter (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ @ShezmuTech Twitter (Accessed Sep 23, 2024)
- ↑ @ShezmuTech Twitter (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ @ShezmuTech Twitter (Accessed Sep 23, 2024)
- ↑ @ShezmuTech Twitter (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ @AnciliaInc Twitter (Accessed Sep 23, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Sep 23, 2024)
- ↑ Address 0xfaf2484adf637837001404ff95716de1fc3b4331 | Etherscan (Accessed Sep 23, 2024)