Superfluid Wallet Impersonation

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Notice: This page is a new case study and some aspects have not been fully researched. Some sections may be incomplete or reflect inaccuracies present in initial sources. Please check the References at the bottom for further information and perform your own additional assessment. Please feel free to contribute by adding any missing information or sources you come across. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Superfluid

Superfluid offers an innovative way for entities to continually stream payments, settling recurring and continual payments without multiple transactions being required. Despite multiple audits, an exploit still existed in the smart contract hot wallet which allowed the attacker to impersonate paying entities and create payment flows to themselves, stealing a total of $8.7m. The attacker successfully mixed funds with TornadoCash; however, 10% of funds (and 80% of users) were reimbursed by the team. The project continues after launching a bug bounty and most recently sponsoring a hackathon.

About Superfluid

[1][2][3][4][5][6][7]

"Discover Programmable Cashflows. Handle subscriptions, salaries, rewards and any composable stream of value, with continuous settlement and per-second netting for extreme capital efficiency."

"Superfluid is a smart contract framework on L1 Ethereum, enabling you to move assets on-chain following predefined rules called agreements. With a single on-chain transaction, the money will flow from your wallet to the receiver in real time! No further transactions required- it works like magic."

"Superfluid is a new token standard, with the power to describe cashflows, and execute them automatically on chain over time in a non-interactive way."

"Superfluid flows are programmable, composable and modular. Our first cashflow types allow constant streams of value, and one-to-many distributions."

"All flows are settled at the same time, based on block timestamps. This makes it possible to net inflows and outflows, increasing capital efficiency."

"Despite the new lingo, Superfluid looks to be a foundational programmable money application on public blockchain. Currently, it may be targeting the crypto world, but the real-world business application potential is massive." Kyle Samani of Multicoin Capital, which led the funding round, wrote that Superfluid “represents the biggest step forwards in value transfer since the advent of Bitcoin.”

"Think about salary payments, particularly for people who often need to resort to payday loans. What if you could pay them hourly? With Superfluid that’s entirely possible. It lets you open a “stream” where you set a rate over a period of time, say $15/hour. It converts that into a per-second amount and can continuously stream that amount to the recipient’s wallet. Sure, people don’t work 24 hours a day, but you get the idea." "Because it’s programmable money, the recipient could also set up a stream to use the incoming salary payment, maybe to pay their rent if their landlord has a wallet."

“Things like subscriptions have never taken off in crypto, while in Web 2 every online business is a subscription business. Money streaming is futuristic and aligned with crypto ethos, and can help the crypto native economy to flourish.”

"Prior to the attack, Superfluid’s contracts were peer-reviewed by several users and advisors to the project, as well as audited by Peckshield."

The Reality

"Superfluid.sol, known as the host contract, is the contract that allows composable Superfluid agreements (ConstantFlowAgreement, InstantDistributionAgreement) in one single transaction, and the composed systems are often called Super Apps."

"However, in order to have a trusted and shared state through the entire transaction between different agreement calls, a concept called “ctx” (a serialized state managed by the host contract) is introduced. The “ctx” contains all the context an agreement function needs to know, that includes especially who is the “msg.sender” of the initial call."

"That’s where an unfortunate vulnerability was exploited. The attacker was able to skillfully craft the calldata such that the process of serialization in the host contract and succeeding de-serialization in the agreement contract resulted in the agreement contract operating on a context object forged specifically to impersonate other accounts. This mechanism was used in order to create IDA indexes “on behalf” of other accounts and move out their tokens that way."

"The problem was that as in the exploiting function deleteAnyFlowBad, one can inject a fake ctx. After being merged into one bytes object by Superfluid.replacePlaceholderCtx (the Host doesn’t make any assumptions about agreement specific data), the resulting dataWithCtx now contains 2 ctx variants, the legitimate one and the injected one. When the agreement contract decodes this data, the abi decoder takes the first (injected) variant and ignores the remaining data which contains the legitimate ctx."
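
The decoding ambiguity described above, as a simplified Python model added here (not Superfluid's Solidity code, and not taken from the post mortem). The two-argument layout, the sample ctx strings, the `Host` class with its `is_ctx_valid` stamp check, and SHA-256 standing in for keccak256 are all assumptions made for illustration; the stamp check is one possible mitigation, not a description of the deployed patch.

```python
# Simplified model of the ctx ambiguity (added example, constructed data, not Superfluid code).
import hashlib

WORD = 32

def word(n: int) -> bytes:
    return n.to_bytes(WORD, "big")

def enc_bytes(b: bytes) -> bytes:
    """ABI tail encoding of `bytes`: length word, then data zero-padded to 32 bytes."""
    return word(len(b)) + b + b"\x00" * (-len(b) % WORD)

def host_append_ctx(call_data: bytes, ctx: bytes) -> bytes:
    """Host side: drop the trailing empty ctx placeholder and append the real ctx.
    Nothing else in the caller-supplied data is inspected."""
    if call_data[-WORD:] != word(0):
        raise ValueError("placeholder ctx must have zero length")
    return call_data[:-WORD] + enc_bytes(ctx)

def decode_ctx(data_with_ctx: bytes) -> bytes:
    """Agreement side: decode (uint256 indexId, bytes ctx) by following the head
    offset, as an ABI decoder does; bytes after the decoded value are ignored."""
    offset = int.from_bytes(data_with_ctx[WORD:2 * WORD], "big")
    length = int.from_bytes(data_with_ctx[offset:offset + WORD], "big")
    return data_with_ctx[offset + WORD:offset + WORD + length]

class Host:
    """Hypothetical hardened host that remembers a stamp of the ctx it issued."""
    def __init__(self) -> None:
        self._stamp = None

    def issue(self, call_data: bytes, ctx: bytes) -> bytes:
        self._stamp = hashlib.sha256(ctx).digest()  # stand-in for keccak256
        return host_append_ctx(call_data, ctx)

    def is_ctx_valid(self, ctx: bytes) -> bool:
        return self._stamp is not None and hashlib.sha256(ctx).digest() == self._stamp

def agreement_call(host: Host, data_with_ctx: bytes, check_stamp: bool) -> bytes:
    """Return the ctx the agreement would act on; optionally verify it with the host."""
    ctx = decode_ctx(data_with_ctx)
    if check_stamp and not host.is_ctx_valid(ctx):
        raise PermissionError("ctx was not issued by the host")
    return ctx

# Constructed sample inputs: head = [indexId, offset of ctx], then the tail.
REAL_CTX = b"msgSender=caller"
FORGED_CTX = b"msgSender=someone-else"
HONEST = word(7) + word(2 * WORD) + word(0)
CRAFTED = word(7) + word(2 * WORD) + enc_bytes(FORGED_CTX) + word(0)

if __name__ == "__main__":
    host = Host()
    print("honest, checked   :", agreement_call(host, host.issue(HONEST, REAL_CTX), True))
    print("crafted, unchecked:", agreement_call(host, host.issue(CRAFTED, REAL_CTX), False))
    try:
        agreement_call(host, host.issue(CRAFTED, REAL_CTX), True)
    except PermissionError as exc:
        print("crafted, checked  : rejected,", exc)
```

In the unchecked path the agreement acts on the first ctx it finds, while the legitimate ctx appended by the host sits unread at the end of the buffer; with the stamp check the same input is rejected before any state is touched.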


At 6.48am GMT, the QiDAO team was notified of a potential exploit in their vesting contract that utilizes Superfluid code. Users are advised to exercise caution and refrain from interacting with Superfluid smart contracts until further notice.[8]

As a precautionary measure, users are encouraged to unwrap all their SuperTokens, as the attackers may be targeting wallets or contracts with large amounts. Instructions on how to unwrap tokens can be found on the Superfluid Dashboard.[8]

The engineering team has identified a vulnerability that was exploited on the Polygon network. A patch has been deployed, and a post mortem report detailing the vulnerability and attack dynamics will be released soon.[8]

The focus now shifts to recovering the funds of affected users. The team acknowledges that the stolen funds impact many web3 users and builders and is offering a $1 million security bounty to the attacker if they return the stolen funds.[8]

The detailed post mortem report, together with a renewed invitation for the hacker to return the funds, is available for further information[8].

What Happened

"On February 8, 2022, an attacker exploited Superfluid’s host contract by passing in faulty calldata, which allowed them to create distribution indexes spoofing several different accounts that held Super-tokens. This vulnerability enabled the attacker to move funds from Superfluid user wallets to exchanges on Polygon and swap to ETH."

Key Event Timeline - Superfluid Wallet Impersonation

| Date | Event | Description |
|---|---|---|
| February 7th, 2022 11:17:04 PM MST | Polygon Hacking Transaction | The blockchain transaction exploits the contract[9]. |
| February 8th, 2022 1:35:00 AM MST | Vulnerability Announcement Tweet | Superfluid reports becoming aware of the vulnerability[8] and that they are currently investigating the incident and will provide updates through their Discord server and a dedicated thread. The community is instructed to "exercise caution and avoid interactions with Superfluid smart contracts until further notice." |
| February 9th, 2022 4:53:00 AM MST | Rekt Article Published | Information is shared to Rekt[10][11]. |
| February 10th, 2022 8:35:00 AM MST | ETHDenver | Tweet shared[12]. |
| February 10th, 2022 9:24:00 AM MST | ImmuneFi Bug Bounty Program | Superfluid announces the launch of their ImmuneFi bug bounty program on Twitter[13]. They are offering up to $200k for exploits which are found[14]. |

Technical Details

[9]

[11]

"In total, 11’008 MATIC, 1’507’931 MOCA, 28 ETH, 39’357 sdam3CRV, 19’387’874 QI, 44’581 SDT, 23’653 STACK and 562’834 USDC were stolen by the attacker." "$8.7M drained from Superfluid. The crypto streaming protocol was exploited by an anonymous attacker, causing collateral damage to several other DAO's."

Total Amount Lost

The total amount lost has been estimated at $8,700,000 USD.

Immediate Reactions

Superfluid Announcement on Twitter

[8]

Today at 6.48am GMT we were notified of a potential exploit of the QiDAO vesting contract that leverages Superfluid code. We are investigating the incident and will keep you updated in this thread and our Discord server.

Please do exercise caution and avoid interactions with Superfluid smart contracts until further notice.

We are investigating a potential protocol layer exploit. As precaution, please do unwrap all your SuperTokens. The attackers might be targeting wallets/contracts with large amounts.

More info on how to unwrap tokens from our Dashboard can be found here: https://help.superfluid.finance/en/articles/4602102-how-to-unwrap

During the incident investigation our engineering team has identified a vulnerability which was exploited this morning on the Polygon network, a patch has now been deployed. A post mortem of the vulnerability and attack dynamics will follow soon.

Our efforts will now be focused on recovering the affected user funds. If you executed this attack, we want you to know the funds you have stolen affect many web3 users and builders, just like yourself.

We are offering a $1M security bounty if you return all the stolen funds.

Please find here the detailed Post Mortem and a renewed invite for the hacker to return the stolen funds.


"When the development team was first notified of the attack at 6:48 am UTC, after gathering more information and identifying the vulnerability, the decision was made to execute a protocol update which temporarily blocked all agreement invocations. This was done in order to make sure that no further funds could be drained. One hour and a half later, another protocol upgrade containing the actual mitigation was deployed."

"At the time of writing, over 2700 ETH is sitting in the attacker’s wallet, as well as 500’000 MOCA. The wallet is being monitored. Forensic researchers were engaged to attempt to track down the attacker."

"[T]he attack is over and the vulnerability has been patched. There are no additional funds at risk. There are no indications of any other vulnerabilities or attack vectors in the system."

"The attacker was offered a $1M bounty for the safe return of the funds. The offer remains on the table."

Ultimate Outcome

"While we are still hoping the attacker will return the funds (we’ve offered a 1M$ bug bounty), they have so far not responded. We will do everything in our power to retrieve these funds, and to this end we’re engaging experienced forensic experts to track down the address. It wouldn’t be the first time a Tornado Cash address is de-anonymized."

"As part of our broader plan to shield the Superfluid Protocol users against malicious actors and enhance the overall security of its smart contracts, today we are launching a Bug Bounty program to reward white hat hackers and developers for discovering and reporting bugs in the Superfluid smart contracts codebase." "[W]e are designing a formal bug bounty program that will launch on February 15th, 2022." "This program will offer a reward up to $200,000 for vulnerabilities classified as “critical”, where there is a direct theft of any user funds, or any permanent freezing of funds."

"After discussions with impacted parties, a compensation plan was developed." "As of now, in less than 18 hours from the attack, we have already recapitalized 80% of the affected addresses through a direct transfer of USDC. The remaining 20% represents more than 90% of the funds stolen, in particular the larger losses suffered by the QI and MOCA teams. After consulting with these teams, we have agreed on a longer term compensation plan which takes into account the range of available options given the entirety of circumstances, including financial considerations. We are grateful these projects fully understand and appreciate our position."

Superfluid Bug Bounty Via ImmuneFi

Superfluid announces the launch of their ImmuneFi bug bounty program on Twitter[13]. They are offering up to $200k for exploits which are found.

Total Amount Recovered

The total amount recovered has been estimated at $870,000 USD.

Ongoing Developments

TBD

General Prevention Policies

Unfortunately this project placed all funds in smart contract hot wallets, when it would have worked just as well if the hot wallets were periodically funded from a cold storage multi-sig wallet. As we already know, even audited smart contract hot wallets can be vulnerable to exploits. A good partnership could create an insurance fund to cover any future losses.

Individual Prevention Policies

While the Superfluid project was reviewed by several advisors, only one audit was performed. Multiple audits could increase the certainty of catching problems.

Avoid the use of smart contracts unless necessary. Minimize the level of exposure by removing or withdrawing assets whenever possible. Aim to choose smart contracts which have obtained third party security audits, preferably having been audited by at least three separate reputable firms. Pay attention to the audit reports, which smart contracts are covered, and whether the smart contract has been upgraded or modified since the report. Ensure that any administrative functions with the ability to remove funds from the smart contract are under the authority of a multi-signature wallet which is controlled by at least three separate and reputable entities.

Store the majority of funds offline. Offline means that the private key and/or seed phrase is exclusively held by you and not connected to any networked device. Examples of offline storage include paper wallets (seed phrase or key written down and deleted from all electronic media), hardware wallets, steel wallet devices, etc.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Funds lost could be minimized through the establishment of a multi-signature wallet, which holds any funds in excess of a reasonable limit for the smart contract. This minimizes the amount of funds that could be subject to theft via a vulnerability.

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

While the Superfluid project was reviewed by several advisors, only one audit was performed. Multiple audits could increase the certainty of catching problems.

All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.

Finally, an industry insurance fund could be available to assist users.

Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

While the Superfluid project was reviewed by several advisors, only one audit was performed. Multiple audits could increase the certainty of catching problems.

All platforms should undergo published security and risk assessments by independent third parties. Two assessments are required at founding or major upgrade, one after 3 months, and one every 6 months thereafter. The same third party must not be repeated within a 14 month period. A risk assessment needs to include what assets back customer deposits and the risk of default from any third parties being lent to. The security assessment must include ensuring a proper multi-signature wallet, and that all signatories are properly trained. Assessments must be performed on social media, databases, and DNS security.

The establishment of an insurance fund could assist with both the selection of competent validators, and having funds available to assist any affected users.

Set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services within the country, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. https://www.superfluid.finance/home (Feb 21, 2022)
  2. What is Superfluid? - Superfluid (Feb 22, 2022)
  3. Superfluid raises $9m for crypto programmable money with novel business potential - Ledger Insights - enterprise blockchain (Feb 22, 2022)
  4. Superfluid Sponsoring Ethernals 2022 Hackathon (Feb 22, 2022)
  5. Ethereum-based money streaming protocol Superfluid raises $9 million (Feb 22, 2022)
  6. Superfluid Raises $9M for a New Take on Streaming Payments - CoinDesk (Feb 22, 2022)
  7. https://icodrops.com/superfluid/ (Feb 22, 2022)
  8. Superfluid - "Today at 6.48am GMT we were notified of a potential exploit of the QiDAO vesting contract that leverages Superfluid code. We are investigating the incident and will keep you updated in this thread and our Discord server." - Twitter (Feb 22, 2022)
  9. Polygon Transaction Hash (Txhash) Details | PolygonScan (Feb 22, 2022)
  10. RektHQ - "$8.7M drained from @Superfluid_HQ. The crypto streaming protocol was exploited, causing collateral damage to several other DAO's. Superfluid have offered a $1M bounty. Will the attacker return the funds, or leave Superfluid high and dry?" - Twitter (Jul 13, 2023)
  11. Rekt - Superfluid - REKT (Feb 18, 2022)
  12. Superfluid - "Join us today in Discord for a brainstorming & team formation session for @EthereumDenver!" - Twitter (Feb 22, 2022)
  13. Superfluid - "As part of our multi-pronged approach to enhance the security of Superfluid Protocol, we are launching a comprehensive Bug Bounty program with @immunefi." - Twitter (Feb 22, 2022)
  14. Launching Superfluid Bug Bounty Program With Immunefi - Superfluid Medium (Feb 22, 2022)