Dot Finance Minting Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from the original repository. The original content was in a different format, and may not have relevant information for all sections. Please help restructure the content by moving information from the 'About' and 'General Prevention' sections to other sections, and add any missing information or sources you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Dot Finance

Dot Finance offers an innovative yield farm. Despite two audits, their smart contract still suffered from a minting vulnerability. Their platform token dropped in value as the additional tokens were sold. There is no mention of the breach on their social media or website. It's unclear if anything was done to address it.

This is a global/international case not involving a specific country.[1][2][3][4][5][6][7][8][9][10][11]

About Dot Finance

"DeFi Aggregator for the Polkadot Ecosystem. Maximize your returns with innovative yield optimization strategies." "Dot.Finance was developed to spur Polkadot’s growth trajectory by reducing barriers to participation while maximizing the performance and efficiency of assets and tokens that are deployed to different DeFi products."

"Dot.Finance is designed to bring DeFi to a wide range of users and will help increase user exposure to the many benefits of the Polkadot ecosystem. This will help grow adoption of not just the Polkadot framework but the many new DeFi products and services that Dot.Finance is building on top of Polkadot’s safe, secure, and resilient architecture."

"To use Dot.Finance farms you must have the farm's LP (liquidity Pool) token from PancakeSwap (PCS) - also known as "Flip" tokens. To get LP tokens you must provide liquidity for it's pool on PCS with it's underlying tokens. e.g. for the DOT-BNB LP token, you need DOT and BNB tokens."

"Starting from Aug 25, 2021, 09:06:30 AM UTC," "Dot Finance, the DeFi protocol on the BSC chain, was attacked by flash loans."

"The ultimate goal behind these attacks is to manipulate profit used by performanceFee for calculating the minting amount. We can trace back this attack chain simply by looking at mintFor functions." "amountPinkToMint() function takes contribution which is calculated from the value of asset and _performanceFee. The manipulated profit can be clearly seen by debugging function calls associated with the transaction."

Attack process: "(1) Hackers use PancakeSwap flash loan to obtain initial funds of 100 Cake tokens. (2) By inserting Cake tokens into the VaultPinkBNB contract, the getReward function can be used to obtain the real value of the Cake tokens of the contract. At the same time, the performanceFee parameter is greatly affected by the real value of Cake tokens. (3) Finally, the mintFor function uses the affected performanceFee parameters to mint a large amount of pink tokens to reward hackers."

"We suspect that this flaw might be inherited by forking other platform codes without properly eradicating or remediating the root cause. With the condition that the TVL of the affected pool must be very low, an attacker has to act fast to initiate a profitable attack."

"[I]ts value dropped by nearly 35%."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This sections is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Dot Finance Minting Vulnerability
Date Event Description
August 25th, 2021 Main Event Expand this into a brief description of what happened and the impact. If multiple lines are necessary, add them here.

Technical Details

This section includes specific detailed technical analysis of any security breaches which happened. What specific software vulnerabilities contributed to the problem and how were they exploited?

Total Amount Lost

The total amount lost has been estimated at $429,000 USD.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

Complex smart contracts can generally not be considered secure, however one method of mitigation might be to ensure that the minting always involves a multi-sig of trusted team members. To reduce burdens, tokens can get minted only with multi-sig approval, and sit in the smart contract hot wallet, from which they are distributed. This prevents additional minting and provides an upper cap to the possible breach.

Typical methods of dealing with a breach are to launch a second token and provide it to the original affected users based on what they had prior to the breach. This requires special care for situations where tokens were bought or sold after the breach.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. blocksec-incidents/2021.md at main · openblocksec/blocksec-incidents · GitHub (Aug 11, 2021)
  2. https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-dot-finance-flash-loan-security-incident-analysis-98f7b5707a15 (Sep 19, 2021)
  3. Collection Of Insecure Ways For Mint Amount Calculation Dot Finance Incident Analysis (Sep 19, 2021)
  4. Address 0xDFD78a977c08221822F6699AD933869Da6d9720C | BscScan (Oct 7, 2021)
  5. Contract Address 0x33f9bB37d60Fa6424230e6Cf11b2d47Db424C879 | BscScan (Oct 7, 2021)
  6. Binance Transaction Hash (Txhash) Details | BscScan (Oct 7, 2021)
  7. Contract Address 0xfc3920bcffb412e2686e76c194cd8935bd651a90 | BscScan (Oct 7, 2021)
  8. Dot Finance | Experience the future of DeFi (Oct 7, 2021)
  9. https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-M_CaMTpZw2UU5MkRroL%2F-MkmjS4unVTrNdyKejYh%2F-MkmkrxKRXI2J2DEVzvT%2FDOTFinance%20SC%20Audit%20-%20Hacken.pdf?alt=media&token=19fb215c-d8a2-496b-893c-ceea2206f903 (Oct 7, 2021)
  10. https://docs.dot.finance/ (Oct 7, 2021)
  11. https://docs.dot.finance/guides/how-to-guide (Oct 7, 2021)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Dot_Finance_Minting_Vulnerability&oldid=4199"