ERC1155’s reentrancy attack “appears” again: a brief analysis of Revest Finance being attacked

On March 27, 2022, public opinion monitoring by Chengdu Lian’an's Chain Bing - Blockchain Security Situational Awareness Platform showed that the DeFi protocol Revest Finance had been hacked and had lost about $120,000.

Revest Finance is reported to be a staking solution for the DeFi field. Users who take part in any DeFi staking through Revest Finance can directly create an NFT that contains the current and future value of the staking position.

After the attack, the project team officially tweeted that their Ethereum contract had been attacked and that measures had been taken to ensure the safety of the remaining funds on all chains.

The Chengdu Lianan technical team made a brief analysis of this incident.

1 The analysis is as follows

Address list

Token contract:

0x56de8BC61346321D4F2211e3aC3c0A7F00dB9b76

Attacked contract:

0x2320a28f52334d62622cc2eafa15de55f9987ed9

Attack contract:

0xb480Ac726528D1c195cD3bb32F19C92E8d928519

Attacker:

0xef967ECE5322c0D7d26Dab41778ACb55CE5Bd58B

Transaction screenshot

First, the attacker calls the mintAddressLock function of the attacked target contract twice through uniswapV2Call.

The mintAddressLock function queries and mints the NFT to the target; the next ID (FNFTHandler.fnftsCreated) is updated only after the NFT has been minted.

The attacker first calls mintAddressLock to mint 2 tokens with ID 1027 in preparation for the later steps, and then calls mintAddressLock again to mint 3600 tokens with ID 1028. Before this mint completes, the attacker re-enters the depositAdditionalToFNFT function through the ERC1155 onERC1155Received callback. Because the next ID (FNFTHandler.fnftsCreated) is updated only after the mint function has minted the NFT and notified the recipient, nextId is still 1028 at this point, and the contract does not verify whether the number of tokens with ID 1028 is 0. As a result, the attacker once again successfully minted 1 token with ID 1031, and the attack was completed.

2 Summary Recommendations

The minting-related functions involved in this attack were not designed strictly according to the checks-effects-interactions pattern, and they did not account for the possibility of reentrancy during ERC1155 token transfers.

It is recommended to follow the checks-effects-interactions pattern strictly when designing contracts, and to add reentrancy protection to DeFi projects that handle ERC1155 tokens.
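
The ordering problem and the two recommended fixes can be seen in a small model. This is an added example, not Revest's contract code: the `Handler`, `Receiver` and `run` names are hypothetical, `next_id` stands in for FNFTHandler.fnftsCreated, and the deposit function is reduced to reporting which ID it treats as "next".

```python
# Simplified, constructed model of the ordering issue; not the project's code.
class Reentrancy(Exception):
    """Raised by the guard when a call arrives while another is in progress."""

class Handler:
    def __init__(self, effects_first, guard):
        self.effects_first, self.guard = effects_first, guard
        self.next_id = 1028   # stands in for FNFTHandler.fnftsCreated
        self.supply = {}      # token id -> minted amount
        self.locked = False   # reentrancy guard flag

    def _enter(self):
        if self.guard and self.locked:
            raise Reentrancy("re-entrant call rejected")
        self.locked = True

    def mint(self, recipient, amount):
        self._enter()
        try:
            token_id = self.next_id
            if self.effects_first:
                self.next_id += 1      # effect applied before the external call
            self.supply[token_id] = amount
            recipient.on_erc1155_received(self, token_id)  # interaction (callback)
            if not self.effects_first:
                self.next_id += 1      # ordering described in the article
            return token_id
        finally:
            self.locked = False

    def deposit_additional(self):
        self._enter()
        try:
            return self.next_id        # the id this call treats as "next"
        finally:
            self.locked = False

class Receiver:
    """Recipient whose ERC1155 receive hook calls back into the handler."""
    seen = None
    def on_erc1155_received(self, handler, token_id):
        try:
            self.seen = handler.deposit_additional()
        except Reentrancy:
            self.seen = "rejected"

def run(effects_first, guard):
    """Return (minted id, id seen by the nested call, supply of that id)."""
    handler, receiver = Handler(effects_first, guard), Receiver()
    minted = handler.mint(receiver, 3600)
    return minted, receiver.seen, handler.supply.get(receiver.seen, 0)
```

With the counter updated after the callback, the nested call resolves an ID that already has supply; updating the counter first gives it a fresh ID, and the guard rejects the nested call outright.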

So far, the attacker has not transferred the assets, and Chengdu Lianan will continue to monitor.

Attacker address:

https://etherscan.io/address/0xef967ece5322c0d7d26dab41778acb55ce5bd58

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/erc1155s-reentrancy-attack-appears-again-a-brief-analysis-of-revest-finance-being-attacked/