On March 28, 2024, Prisma Finance suffered a flash loan attack, and the project lost approximately US$12.21 million.
SharkTeam conducted a technical analysis of this incident and summarized security precautions. We hope that subsequent projects can learn from this and jointly build a security defense line for the blockchain industry.
1. Prisma Finance attack transaction analysis
Attacker 1: 0x7e39e3b3ff7adef2613d5cc49558eab74b9a4202 (abbreviated as 0x 7 e 39)
Attack contract 1: 0xd996073019c74b2fb94ead236e32032405bc027c (abbreviated as 0x d 996)
Attacker 2: 0x7fe83f45e0f53651b3ed9650d2a2c67d8855e385
Attack contract 2: 0x4148310fe4544e82f176570c6c7b649290a90e17
Attacked target contract: 0x1cc79f3f47bfc060b6f761fcd1afc6d399a968b6
The attack contains 16 transactions, taking the first attack transaction as an example:
0x00c503b595946bccaea3d58025b5f9b3726177bbdc9674e634244135282116c7
The attack process is as follows:
1. Read all collateral and debt in the target contract at address 0x56a201b872b50bbdee0021ed4d1bb36359d291ed (abbreviated as 0x 56 a 2).
The return result is as follows:
Address 0x 56 a 2 The total collateral in the target contract is 1, 745 wstETH, and the total debt is 1, 442, 100 mkUSD.
2. The attacker 0x 7 e 39 calls the flashLoan function in the mkUSD debt contract by attacking the contract 0x d 996.
The parameter receiver is set to MigrateTroveZap, and amount is all the debt queried above.
Then, the onFlashLoan function in the receiver (here MigrateTroveZap) is called in the flashLoan function.
The onFlashLoan function first repays all original debts through flash loans, withdraws collateral to the receiver, and then the receiver re-mortgages a certain amount of collateral and borrows a certain amount of debt. There are mainly 2 functions called:
(1) closeTrove function, repay the debt and extract all collateral (1745.08 swtETH) from troverManager to receiver (here is the MigrateTroveZap contract);
(2) openTrove function, the receiver re-mortgages 463.18 wstETH into troverManager and incurs a debt of 1, 443, 598 mkUSD.
It can be seen from the above data that after the flashLoan function is executed, the receiver still retains the collateral extracted from the troverManager belonging to the address 0x 56 a 2, and the amount is approximately 1745.08 – 463.18 = 1281.90 wstETH.
3. Attacker 0x 7 e 39 borrowed 1 wstETH from Balancer through flash loan by attacking contract 0x d 996.
Then, mortgage 1 wstETH and borrow a debt of 2000 mkUSD, plus fees, for a total debt of 2200 mkUSD.
4. Similar to step 2, call the flashLoan function in the mkUSD debt contract. Here, the parameter receiver is still set to MigrateTroveZap, and the amount is the entire debt after the last pledge of 1 wstETH, which is 2000 mkUSD. In the FflashLoan function, the onFlashLoan function in the receiver is called, and then the closeTrove and openTrove functions are called.
However, the parameter account in the closeTrove and openTrove functions is no longer the address 0x 56 a 2 above, but the attack contract 0x d 996 that pledges 1 wstETH.
(1) closeTrove function, repay the debt and withdraw all collateral (1 swtETH) from troverManager to receiver (here is still the MigrateTroveZap contract). At this time, there are 1281.90 + 1 = 1282.90 wstETH in the receiver.
(2) openTrove function, the receiver re-mortgages 1282.80 wstETH (almost all) into troverManager and incurs a debt of 2001.8 mkUSD.
In fact, the 1281.80 wstETH in the collateral here does not belong to the attack contract 0x d 996, but to the above address 0x 56 a 2.
5. Finally, the attacker 0x 7 e 39 separately called the closeTrove function through the attack contract 0x d 996, and extracted the mortgaged 1282.80 wstETH into the attack contract 0x d 996.
After repaying the flash loan, the attacker still made a profit of 1281.80 wstETH, which is about 2.30 M USD.
2. Vulnerability analysis
The root cause of this incident is that the project contract has logic and permission verification, which allows attackers to use this vulnerability to obtain pledged assets from other account addresses.
The wstETH finally obtained by the attacker is the collateral of the original address 0x 56 a 2 in the troverManager contract. Through the flashLoan function of the mkUSD contract, the parameters of the onFlashLoan function in the MigrateTroveZap contract are customized, and MigrateTroveZap is used to convert it into the collateral of the attack contract. Then extract it.
The attacker manipulates the mortgage and withdrawal of other account addresses through the flashLoan function in the mkUSD contract and the onFlashLoan function in the MigrateTroveZap contract.
(1) The flashLoan function lacks verification of the parameter receiver address, because the receiver in the onFlashLoan function will receive all the collateral of the account, so the receiver needs to be verified trustworthy;
(2) The onFlashLoan function lacks verification of the account address, because the closeTrove and openTrove functions are both assets of the operating account, so it is necessary to add permission verification to the account;
In addition to verifying these two address parameters, it may also be necessary to verify the quantity parameters and implementation logic in the flashLoan function.
3. Safety Suggestions
In response to this attack, we should follow the following precautions during the development process:
(1) During the design and development process of the project, the integrity and rigor of the logic must be maintained, especially when it involves the transfer of assets. It is also necessary to strengthen the verification of function research permissions to ensure that the caller, calling function, and function Parameters, transfer logic, etc. are all safe and trustworthy.
(2) Before the project goes online, it is necessary to find a professional third-party audit team to conduct a contract audit.
About Us
SharkTeams vision is to secure the Web3 world. The team consists of experienced security professionals and senior researchers from around the world, who are proficient in the underlying theory of blockchain and smart contracts. It provides services including risk identification and blocking, smart contract audit, KYT/AML, on-chain analysis, etc., and has created an on-chain intelligent risk identification and blocking platform ChainAegis, which can effectively combat the Advanced Persistent Threat (Advanced Persistent Threat) in the Web3 world. , APT). It has established long-term cooperative relationships with key players in various fields of the Web3 ecosystem, such as Polkadot, Moonbeam, polygon, Sui, OKX, imToken, Collab.Land, etc.
Official website: https://www.sharkteam.org
Twitter:https://twitter.com/sharkteamorg
Telegram:https://t.me/sharkteamorg
Discord:https://discord.gg/jGH9xXCjDZ
