Spectra Finance Routing Utility Command Exploit

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

Spectra Finance Logo/Homepage

Spectra is a decentralized interest rate derivatives protocol. Users can use the service to obtain a fixed-rate loan, trade yield, or earn a return on their liquidity. A vulnerability in the routing utility allowed tokens to be stolen from users who signed a particular variant of withdrawal transaction. Multiple protocol users were tricked into signing such a transaction and lost their assets. [1][2][3][4][5][6][7][8][9][10][11][12][13]

About Spectra Finance

"Fix Rates, Trade Yield, Earn On Your Liquidity or Build Apps"

"Individual to organisation. Basic strategy to advanced. Spectra helps you connect the dots."

"Spectra is an EVM-centric protocol for interest rate derivatives with an easy-to-use flagship app.

The Spectra protocol is permissionless, meaning its services are entirely open for public use. Anyone can create new markets at will, swap yield derivatives, or become a liquidity provider."

"Spectra is a decentralized interest rate derivatives protocol with different entities and individuals contributing to its development and adoption.

Spectra Protocol: A decentralized, permissionless interest rate protocol that permanently exists on the Ethereum Virtual Machine.

The Spectra App: a flagship interface that allows easy interactions with the Spectra protocol. Multiple protocol interfaces can exist.

Spectra Governance: A governance system for governing the Spectra Protocol, enabled by the APW token."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"DeFi protocol Spectra suffered an attack, resulting in a loss of approximately $550,000."

Key Event Timeline - Spectra Finance Routing Utility Command Exploit

Date | Event | Description
June 5th, 2024 7:54:00 AM MDT | Launch Announcement | The Spectra Finance application is brought live and promoted on Twitter.
July 17th, 2024 9:19:23 PM MDT | Attack Contract Created | The attack contract is created on the blockchain.
July 23rd, 2024 9:11:11 AM MDT | First Victim Exploited | The attack transaction that exploits the first victim of this attack is executed.
July 23rd, 2024 12:16:00 PM MDT | Spectra Finance Tweet | The Spectra Finance team tweets an update that there was a coordinated attack against the application's user interface.
July 23rd, 2024 2:02:35 PM MDT | TornadoCash Transfers | The attacker starts to route the resulting funds through TornadoCash.
July 23rd, 2024 4:03:23 PM MDT | On Chain Message To Attacker | An on-chain message to the attacker offers them a 10% bounty and amnesty if they return the remaining funds, and threatens that the 10% bounty will instead be applied to their capture if the funds are not returned by a July 26th deadline.
July 24th, 2024 4:55:56 AM MDT | Post Mortem Published | Spectra Finance publishes a post-mortem on Medium outlining the events of the breach.

Technical Details

"A suspicious Discord user, believed to be the attacker, started making false claims about issues with Spectra's YT token contracts to prompt users to withdraw funds. Those who attempted to withdraw were required to approve the transaction first, making them vulnerable to the attack."

"The incident resulted from the exploitation of a command in the routing utility contract. This command allowed Spectra users to enter and exit the pool with a token of their choice. After prompting users to leave the pool, the attacker exploited the command in order to sweep funds once a user unknowingly approved the transaction on the router."
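The mechanism described above (an allowance granted to a router that forwards arbitrary calls) modelled as an added example; this is constructed illustration code, not Spectra's contracts, and the names Token, ROUTER, vulnerable_execute, hardened_execute and outstanding_allowances are assumptions. It contrasts the arbitrary-call command with a hardened variant that only moves the caller's own funds, and adds the allowance check a user or monitor would run afterwards.

```python
"""Constructed model of the router flaw in this case (not Spectra's code): an
ERC-20 allowance goes to the router address, so any caller who can make the
router emit transferFrom() spends every allowance it holds. Names illustrative."""
from dataclasses import dataclass, field

@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    allowances: dict = field(default_factory=dict)  # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, sender, owner, to, amount):
        """`sender` plays msg.sender and must hold an allowance from `owner`."""
        if self.allowances.get((owner, sender), 0) < amount:
            raise PermissionError("insufficient allowance")
        self.allowances[(owner, sender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount

ROUTER = "router"  # the contract address users approved

def vulnerable_execute(caller, target, fn, args):
    """Arbitrary-call command: relays any call with the router as msg.sender."""
    return getattr(target, fn)(ROUTER, *args)

def hardened_execute(caller, target, fn, args, allowed_targets):
    """Allow-listed targets only, and token pulls only from the caller itself."""
    if id(target) not in allowed_targets:
        raise PermissionError("target not allow-listed")
    if fn == "transfer_from" and args[0] != caller:
        raise PermissionError("router may only move the caller's own funds")
    return getattr(target, fn)(ROUTER, *args)

def outstanding_allowances(token, spender):
    """Defender check: owners whose funds `spender` can still move."""
    return {o: a for (o, s), a in token.allowances.items() if s == spender and a > 0}

def run(hardened):
    """Victim approves the router; an unrelated caller then submits a command."""
    token = Token(balances={"victim": 100, "other": 0})
    token.approve("victim", ROUTER, 100)  # granted while trying to withdraw
    call = ("other", token, "transfer_from", ["victim", "other", 100])
    try:
        if hardened:
            hardened_execute(*call, allowed_targets={id(token)})
        else:
            vulnerable_execute(*call)
    except PermissionError:
        pass  # hardened router refuses; victim keeps balance and allowance
    return token
```

Note that even after the hardened router refuses, the victim's allowance to the router is still outstanding, which is why revoking approvals after an incident matters.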

Total Amount Lost

"The attacker managed to hijack user transactions, resulting in a loss of around 168 ETH. The attack occurred on Ethereum Mainnet."

The total amount lost has been estimated at $550,000 USD.

Immediate Reactions

"Upon identifying the attack vector, [the Spectra] team promptly activated an incident response plan, disabling the Spectra App and terminating router contracts that enabled the attacker to hijack transactions.

As a precaution, Principal Token contracts were paused, preventing token exchanges at Curve's pool level (Spectra's primary AMM). The contracts were unpaused at approximately 9 PM UTC the very same day."

The Spectra "team’s swift reaction enabled [them] to limit the effects as a total of 4 wallets were impacted."

"Spectra has disabled the application and terminated the router contract to contain the situation, while the core protocol contract remains unaffected. Security personnel Chaofan Shou indicated that the attack stemmed from an arbitrary call in the router contract, allowing the attacker to drain all tokens approved by the contract."

Ultimate Outcome

"On July 24th, Spectra released a security incident analysis report, stating that the attacker hijacked user transactions on Spectra, affecting a total of 4 wallets and causing a loss of approximately 168 ETH. The core protocol contract of Spectra remains unaffected, with the funds within the contract secure. The application was restored on the morning of July 24th."

"The Spectra App has been disabled and router contracts terminated to contain a coordinated attack on our users' interactions with the app.

The attack began today around 3 PM UTC and affected some users depositing and withdrawing from the app.

The situation is under control, the core protocol contracts are not affected and the funds inside them are safe.

The works are in full steam to reinstate the Spectra App and release a post-mortem as soon as possible."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References