On March 27, 2022, public opinion monitoring by the Chengdu Lian’an "Chain Bing" Blockchain Security Situational Awareness Platform showed that the DeFi protocol Revest Finance had been hacked, with losses of about $120,000.
It is reported that Revest Finance is a staking solution in the DeFi field. Users who participate in any DeFi staking through Revest Finance can directly create an NFT that contains the current and future value of the staking position.
After the attack, the project team officially tweeted that their Ethereum contract was attacked, and measures have been taken to ensure the safety of the remaining funds in all chains.
The Chengdu Lianan technical team made a brief analysis of this incident.
1 The analysis is as follows
First, the attacker calls the mintAddressLock function in the attacked target contract twice through uniswapV2call.
The mintAddressLock function is used to query and mint the NFT to the target, and the nextId (FNFTHandler.fnftsCreated) is updated only after the NFT has been minted.
The attacker first calls mintAddressLock to mint 2 tokens with ID 1027 in preparation for the subsequent attack, and then calls mintAddressLock again to mint 3600 tokens with ID 1028. Before this mint completes, the attacker re-enters the depositAdditionalToFNFT function (reentrancy through the ERC1155 onERC1155Received callback). Because the NFT nextId (FNFTHandler.fnftsCreated) is updated only after the mint function has finished minting the NFT and notifying the recipient, nextId is still 1028 at this point, and the contract does not verify whether the number of tokens with ID 1028 is 0. As a result, the attacker once again successfully minted 1 token with ID 1031, and the attack was completed.
2 Summary Recommendations
The minting-related functions in this attack were not designed strictly in accordance with the checks-effects-interactions pattern, and the possibility of reentrancy during ERC1155 token transfers was not considered.
It is recommended to strictly follow the checks-effects-interactions pattern when designing contracts, and to add reentrancy protection to DeFi projects that handle ERC1155 tokens.
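The ordering flaw and the two recommended fixes, as an added example that is not part of the original article and not Revest's contract code: a simplified Python model in which Handler, replay and the cei/guard switches are hypothetical names, and the re-entered function is assumed to mint its position under the current next ID. It replays the call order described above and reports which ID the re-entrant call received and how many tokens that ID already had.

```python
class Reentered(Exception):
    """A guarded function was entered while another call was in flight."""

class Handler:
    """Toy model of an ERC1155-style FNFT handler; names are hypothetical."""
    def __init__(self, cei=False, guard=False):
        self.cei, self.guard = cei, guard
        self.fnfts_created = 1027   # next id; start value taken from the article
        self.supply = {}            # id -> tokens minted
        self.busy = False           # True while a state-changing call runs

    def _mint(self, amount, on_received):
        if self.guard and self.busy:
            raise Reentered("re-entered during token callback")
        outer, self.busy = self.busy, True
        try:
            fnft_id = self.fnfts_created
            before = self.supply.get(fnft_id, 0)
            if self.cei:
                self.fnfts_created += 1   # effect BEFORE the interaction
            self.supply[fnft_id] = before + amount
            if on_received:               # stands in for onERC1155Received
                on_received(self)
            if not self.cei:
                self.fnfts_created += 1   # flawed order: effect AFTER callback
            return fnft_id, before
        finally:
            self.busy = outer

    def mint_address_lock(self, amount, on_received=None):
        return self._mint(amount, on_received)

    def deposit_additional(self):
        # Assumption: the new position is minted (1 token) under the next id.
        return self._mint(1, None)

def replay(cei=False, guard=False):
    """Return what the re-entrant call saw: (id, prior supply) or 'blocked'."""
    handler, seen = Handler(cei, guard), []
    def callback(h):
        try:
            seen.append(h.deposit_additional())
        except Reentered:
            seen.append("blocked")
    handler.mint_address_lock(2)               # ID 1027
    handler.mint_address_lock(3600, callback)  # ID 1028, re-entered mid-mint
    return seen[0]

if __name__ == "__main__":
    print(replay(), replay(cei=True), replay(guard=True))
```

In the vulnerable ordering the re-entrant call is handed ID 1028 while that ID already has a supply of 3600, which is the collision a zero-supply check would have rejected. On chain, a reentrancy guard would normally revert the whole transaction; the model records it as "blocked" instead.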
So far, the attacker has not transferred the assets, and Chengdu Lianan will continue to monitor.
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/erc1155s-reentrancy-attack-appears-again-a-brief-analysis-of-revest-finance-being-attacked/