SSO Module 2 - Smart Contract Vulnerabilities: A Deep Dive into Reentrancy Attacks

Smart contracts offer transparency but carry risks. This article covers vulnerabilities such as reentrancy, with The DAO's $150M loss as a case study. An integer overflow led to BeautyChain's $900M setback. DAOMaker lost $4M due to access control flaws. Flash loan attacks saw Harvest Finance lose $38M.

Smart contracts are revolutionizing global industries with their efficiency, transparency, and immutable features. Yet, their open and automated design also exposes them to risks. To maximize their potential while minimizing threats, it's vital to grasp their vulnerabilities and possible attack avenues. Crafting and maintaining these contracts demands careful attention and adherence to best practices. This article delves into common vulnerabilities, illustrating them with real-world cases to enhance comprehension. Let's look at the following article, courtesy of Salus Security.

Key Vulnerabilities:

Reentrancy: Here, attackers exploit a gap, reentering functions before key operations complete or values are updated.

Single-Function Reentrancy: This occurs when a contract interacts with a rogue contract, permitting the latter to reenter a function. For instance, malicious contracts can continuously reenter the 'withdrawBalance' function, siphoning more ether before balances are updated.

Notable Attacks:

  • The DAO (2016): After raising $150 million, it was hacked due to coding vulnerabilities. This led to a split in the Ethereum network.
  • PolyDex (2021): Lost $500k due to a reentrancy attack on the PLX Locker Smart Contract.
  • Bacon Protocol (2022): Suffered a $1M loss from a reentrancy bug in the lend() function.
  • Lendf.Me (2020): Lost roughly $24.7 million across multiple cryptocurrencies.

Cross-Function Reentrancy: Arises from shared states between different functions and poor reentry protection. The 'balances' example above indicates that despite 'withdrawAll' having protection, attackers can still exploit the 'transfer' function.

Infamous Incidents:

  • DFX Finance (2022): Lost over $7 million due to an attack exploiting a function without reentrancy protection.
  • Hundred Finance (2022): Lost around $6.5 million after a reentrancy attack exploited the borrowFresh function.
  • Fei Protocol (2022): Lost about $80 million from an attack leveraging a Reentrancy loophole.

Cross-Contract Reentrancy: Results from shared states across different contracts and wrong variable modification sequences. Even if functions have protection, other functions, like 'burnAccount', can still be exploited.

Prominent Attacks:

  • Rari Capital (2021): Lost approximately $10 million (~2600 ETH) in under an hour.
  • ValueDefi (2021): Lost 5345.314 WBNB due to invalid share calculations, which relied on external data.

Read-Only Reentrancy:

Read-only reentrancy exploits a function that, though not altering the contract's state, can still produce erroneous outputs when the state isn't consistent.

Noteworthy Attacks:

  • QuickSwap (2022): Exploiters misused a flash loan to tweak the asset spot price, swindling 138 ETH and 700 MATIC tokens. This was possible due to a flaw in the Curve LP oracle.
  • dForce (2023): A read-only reentrancy bug was in the code accessing price oracles on the Arbitrum and Optimism chains with Curve Finance.
  • Sentiment (2023): An attack, exploiting a read-only reentrancy flaw, led to a $1 million theft. Luckily, 90% was returned by the perpetrator.
  • Sturdy (2023): Lost approximately 442 ETH due to a Balancer read-only reentrancy issue in which the price of B-stETH-STABLE was tampered with.

Reentrancy Vulnerability Prevention:

  1. Always adhere to the checks-effects-interactions pattern.
  2. Employ re-entry protection for all sensitive operations.
  3. Handle every external call meticulously.

Integer Overflow:

When calculations surpass limits, they overflow, often leading to either minuscule or mammoth values.

Illustrative Attacks:

  • BeautyChain (2018): Attackers grabbed 10^58 BECs through an integer overflow, offloading a staggering $900 million.
  • Poolz (2023): Resulted in a loss of roughly $665,000 across the Ethereum, Binance, and Polygon chains.

Integer Overflow Countermeasures:

  1. Utilize safe calculation methods like the SafeMath library.
  2. Prioritize bounds checking to ascertain results remain within range.
  3. Adopt the Solidity compiler version 0.8.0 or later for inbuilt overflow detection.
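The three countermeasures applied to a batch-transfer function, as an added example that is not taken from the original article or from BeautyChain's code. The token contract, its function names and the 20-recipient limit are assumptions chosen for illustration; the `unchecked` block reproduces the wrapping arithmetic of compilers before 0.8.0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token used only to illustrate the overflow pattern.
contract BatchToken {
    mapping(address => uint256) public balances;

    constructor(uint256 supply) { balances[msg.sender] = supply; }

    // BEFORE: arithmetic wraps modulo 2**256, as it did before Solidity 0.8.0.
    function batchTransferUnchecked(address[] calldata to, uint256 value) external {
        unchecked {
            // With 2 recipients and value = 2**255 the product wraps to 0,
            // so the balance check below passes for any sender.
            uint256 total = to.length * value;
            require(balances[msg.sender] >= total, "insufficient balance");
            balances[msg.sender] -= total;
            for (uint256 i = 0; i < to.length; i++) {
                balances[to[i]] += value; // each recipient is credited the full value
            }
        }
    }

    // AFTER: explicit bounds check plus the compiler's checked arithmetic.
    function batchTransfer(address[] calldata to, uint256 value) external {
        // Bounds check: keep the recipient count in a small, known range.
        require(to.length > 0 && to.length <= 20, "bad recipient count");
        // Checked multiplication: reverts on overflow under 0.8.0 or later.
        uint256 total = to.length * value;
        require(balances[msg.sender] >= total, "insufficient balance");
        balances[msg.sender] -= total;
        for (uint256 i = 0; i < to.length; i++) {
            balances[to[i]] += value;
        }
    }
}
```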

Access Control:

Access control vulnerabilities arise from the absence of stringent access constraints on functions handling crucial operations.

Prominent Attacks:

  • DAOMaker (2021): A whopping ~$4M was siphoned off after the init function was left vulnerable.
  • GymNetwork (2022): Exploiters leveraged an authentication oversight in depositFromOtherContract(), facilitating illicit balance augmentation without any actual payment. The loss? About 2,475.91 WBNB.
  • Tempdao (2023): A lax approach to access control for the migrateStake function led to a loss exceeding $2.34 million.

Access Control Vulnerability

  • Description: Vulnerabilities that arise due to inadequate restriction mechanisms that govern access and privileges to specific operations within a system.

Prevention Measures:

  1. Strict Permission Check: Always enforce strict permission protocols for functions, especially those that handle sensitive operations.
  2. Multi-Signature Mechanism: For tasks that need joint decision-making, use multi-signature protocols that require multiple approvals before executing sensitive operations.
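Both prevention measures in one contract: an 'init' function that only the deployer can call, and only once, and a payout that needs approvals from several signers. This is an added example, not code from the original article or from any project it names; the contract, its storage layout and the minimum threshold of two are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical treasury used only to illustrate the two measures.
contract GuardedTreasury {
    address public immutable deployer;
    bool public initialized;
    uint256 public threshold;
    mapping(address => bool) public isSigner;
    mapping(bytes32 => uint256) public approvalCount;
    mapping(bytes32 => mapping(address => bool)) public hasApproved;
    mapping(bytes32 => bool) public executed;

    constructor() { deployer = msg.sender; }

    modifier onlySigner() {
        require(isSigner[msg.sender], "not a signer");
        _;
    }

    // Strict permission check: restricted caller, callable exactly once.
    function init(address[] calldata signers, uint256 threshold_) external {
        require(msg.sender == deployer, "not deployer");
        require(!initialized, "already initialized");
        require(threshold_ >= 2 && threshold_ <= signers.length, "bad threshold");
        initialized = true;
        threshold = threshold_;
        for (uint256 i = 0; i < signers.length; i++) {
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
    }

    // Multi-signature: each signer approves one (recipient, amount, nonce) tuple.
    function approve(address to, uint256 amount, uint256 nonce) external onlySigner {
        bytes32 id = keccak256(abi.encode(to, amount, nonce));
        require(!hasApproved[id][msg.sender], "already approved");
        hasApproved[id][msg.sender] = true;
        approvalCount[id] += 1;
    }

    function execute(address to, uint256 amount, uint256 nonce) external onlySigner {
        bytes32 id = keccak256(abi.encode(to, amount, nonce));
        require(approvalCount[id] >= threshold, "below threshold");
        require(!executed[id], "already executed");
        executed[id] = true; // effect before the external call
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
    }

    receive() external payable {}
}
```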

Common Attack Vectors

  • Description: Various methods or channels through which attackers exploit vulnerabilities in a system, primarily in smart contracts.

Notable Examples:

  • FlashLoan Attacks: Exploits the instantaneous borrowing feature of decentralized finance systems to execute malicious activities.
  • Front-Running: Attackers gain knowledge of another user's pending transaction and act on it by offering a higher gas fee.

FlashLoan Attack

  • Description: While inherently not an attack, FlashLoan is a DeFi feature that lets users borrow substantial sums instantly without collateral. It's been exploited due to logical flaws in contract interactions and relationships.

Notable Attacks:

  1. Harvest Finance (2020.10.26): Resulted in a $38 million loss.
  2. InverseFinance (2022.6.16): Led to a loss of 53.2445 WBTC and 99,976.29 USDT.
  3. NewFreeDAO (2022.9.8): Drained 4,481 WBNB, equivalent to roughly $1.25 million.
  4. Lodestar (2022.12.11): Exploited through oracle price manipulation.
  5. 0vix (2023.4.28): Resulted in a $2 million loss on the Polygon chain.

Prevention Recommendations:

  1. Recognize Flashloan characteristics during project development.
  2. For accurate price determination, use time-weighted averaging or multiple oracles.
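A minimal time-weighted average price oracle illustrating the second recommendation. This is an added example, not code from the original article or from any project it names; the contract, the trusted `reporter` address and the 30-minute window are assumptions. A price that is pushed and then restored inside one transaction is in force for zero seconds, so it adds nothing to the average.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical oracle; a consumer reads consult() instead of the spot price.
contract TwapOracle {
    uint256 public constant WINDOW = 30 minutes; // assumed averaging window
    address public immutable reporter;           // assumed trusted price source

    uint256 public lastPrice;             // most recent spot price
    uint256 public lastTimestamp;         // when lastPrice was recorded
    uint256 public cumulative;            // sum of price * seconds in force
    uint256 public windowStartCumulative; // accumulator at the window start
    uint256 public windowStartTimestamp;
    uint256 public average;               // average over the last full window

    constructor(uint256 initialPrice) {
        require(initialPrice > 0, "zero price");
        reporter = msg.sender;
        lastPrice = initialPrice;
        lastTimestamp = block.timestamp;
        windowStartTimestamp = block.timestamp;
    }

    function update(uint256 spotPrice) external {
        require(msg.sender == reporter, "not reporter");
        require(spotPrice > 0, "zero price");
        // Weight the previous price by how long it was actually in force.
        uint256 elapsed = block.timestamp - lastTimestamp;
        cumulative += lastPrice * elapsed;
        lastPrice = spotPrice;
        lastTimestamp = block.timestamp;

        // Publish a new average only once a full window has passed.
        uint256 windowElapsed = block.timestamp - windowStartTimestamp;
        if (windowElapsed >= WINDOW) {
            average = (cumulative - windowStartCumulative) / windowElapsed;
            windowStartCumulative = cumulative;
            windowStartTimestamp = block.timestamp;
        }
    }

    function consult() external view returns (uint256) {
        require(average > 0, "no complete window yet");
        // Refuse to serve an average that has not been refreshed recently.
        require(block.timestamp - windowStartTimestamp <= 2 * WINDOW, "stale average");
        return average;
    }
}
```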

Front-running

  • Description: An attacker gains knowledge of another user's transaction from the mempool and takes advantage of it by offering a higher gas fee.

Notable Attacks:

  1. Sushi Badger Digg (2021.1.25): Resulted in a loss of 81.68 ETH.
  2. Sushiswap Ape-ETH pool (2022.5.17): The attacker profited by approximately 0.3 ETH.
  3. Uniswap (2023.4.2): Caused around a $25 million loss through a sandwich attack.

Prevention Recommendations:

  1. Use slippage protection when trading.
  2. Execute trades during non-peak hours, especially in volatile markets.
  3. Employ FlashBot RPC by 1inch to send trades directly to miners, thus bypassing the mempool.

Summary

Congratulations! You finished Module 2 - Smart Contract Vulnerabilities: A Deep Dive into Reentrancy Attacks and Common Exploits

Let’s review your learnings:

Reentrancy Vulnerabilities - Attackers exploit gaps, reentering functions before they fully complete.

  • Single-Function Reentrancy: A rogue contract reenters a function in another contract.
  • Cross-Function Reentrancy: Shared states between different functions are exploited due to poor reentry protection.
  • Cross-Contract Reentrancy: Exploits shared states across different contracts.
  • Read-Only Reentrancy: Exploits a function producing erroneous outputs when the state isn't consistent.

Integer Overflow - Calculations surpassing set limits, resulting in extreme values.

Access Control Vulnerabilities - Arise from the absence of strict access constraints on essential functions.

Common Attack Vectors - Methods through which attackers exploit system vulnerabilities.

FlashLoan Attack - A DeFi feature that allows instant large borrowing without collateral but is exploited due to logical flaws.

Front-running Attack - Attackers gain knowledge of pending transactions and capitalize by offering higher gas fees.

