First Release | Analysis of Fortress Loans’ $2.98 Million Attack


At 04:34:42 Beijing time on May 9, 2022, the CertiK security team detected that Fortress Loans was under attack.

At 10:05 a.m. Beijing time on May 9, JetFuel Finance also officially confirmed the oracle manipulation and published links to the suspicious addresses and transactions:


So far the project has lost about 1,048.1 ETH and 400,000 DAI (roughly $2.98 million in total). The attacker combined governance (DAO) manipulation with oracle manipulation to drain the assets, then moved the proceeds out through Tornado Cash.

Attack transaction: https://bscscan.com/tx/0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf

Related addresses

Attacker address: https://bscscan.com/address/0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad

Attacker contract (self-destructed):

https://bscscan.com/address/0xcd337b920678cf35143322ab31ab8977c3463a45

Attacked oracle-related contract (as given in the source; the address appears truncated): https://bscscan.com/address/0xc11b687cd6061a6516e23769e4657b6efa25d

Attack steps

① The attacker receives ETH from Tornado Cash and uses part of it to buy FTS tokens for voting and staking.

② The attacker then submits a proposal (proposal number 11) to change the collateral factor of the FTS token in the lending contract.

③ The attacker votes for their own proposal with the purchased FTS. The proposal passes because the quorum of the Fortress Loans governance contract is only 400,000 FTS, less than the attacker holds.


④ Meanwhile, the attacker deposits FTS into the lending contract as collateral.

⑤ Once the proposal has passed, the attacker executes it, raising the FTS collateral factor from 0 to 70000000000000 so that FTS can be used as collateral for the profit in the following steps.

⑥ The attacker also changes the price reported by the oracle that the lending contract uses, through the unrestricted `submit()` function of the oracle's Chain contract. Because the function does not actually verify the submitted signatures, the price update goes through.


⑦ After the update, the attacker's FTS collateral is valued far above its market value, so the attacker can borrow large amounts of other tokens from the lending contract.

⑧ The attacker swaps the borrowed tokens for ETH and DAI and deposits them into Tornado Cash.
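The borrowing rule that steps ④ to ⑦ exploit, as an added example written for this analysis (it is not Fortress's deployed code; the interface names, the `collateralUnderlying` view and the 1e18 scaling are simplified assumptions modelled on the Compound design):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative Compound-style borrow-limit logic (added example; names are
// simplified assumptions, not Fortress's Comptroller). It shows the two knobs
// the attacker turned: a market's collateral factor (step ⑤) and the price
// the oracle reports for it (step ⑥).

interface IPriceOracle {
    // Price of the market's underlying token, 1e18-scaled (assumption).
    function getUnderlyingPrice(address fToken) external view returns (uint256);
}

interface IFToken {
    // Underlying units the account could redeem, and its current debt
    // (assumptions; Compound derives these from balance, exchange rate and borrow index).
    function collateralUnderlying(address account) external view returns (uint256);
    function borrowBalanceStored(address account) external view returns (uint256);
}

contract ComptrollerLite {
    uint256 internal constant MANTISSA = 1e18;
    // Compound's ceiling: a market never counts for more than 90% of its value.
    uint256 public constant COLLATERAL_FACTOR_MAX = 0.9e18;

    address public admin;            // the governor/timelock; passed proposals call through it
    IPriceOracle public oracle;
    address[] public markets;
    mapping(address => uint256) public collateralFactorMantissa;

    constructor(IPriceOracle _oracle) {
        admin = msg.sender;
        oracle = _oracle;
    }

    function supportMarket(address fToken) external {
        require(msg.sender == admin, "only admin");
        markets.push(fToken);        // listed with factor 0: deposits count for nothing
    }

    // Step ⑤: proposal 11 did the equivalent of this call. The checks mirror
    // Compound's: they bound the factor and refuse a zero price, but they do not
    // stop a governance majority from enabling an illiquid token as collateral.
    function _setCollateralFactor(address fToken, uint256 newFactor) external {
        require(msg.sender == admin, "only admin");
        require(newFactor <= COLLATERAL_FACTOR_MAX, "factor too high");
        require(oracle.getUnderlyingPrice(fToken) != 0, "no price");
        collateralFactorMantissa[fToken] = newFactor;
    }

    // Borrowing power = sum(collateral * price * factor) - sum(debt * price).
    // With factor 0 the attacker's FTS is worth nothing here; with a non-zero
    // factor AND a forged price (step ⑥) it is worth whatever the oracle says.
    function getAccountLiquidity(address account)
        public view returns (uint256 liquidity, uint256 shortfall)
    {
        uint256 sumCollateral;
        uint256 sumBorrow;
        for (uint256 i = 0; i < markets.length; i++) {
            IFToken m = IFToken(markets[i]);
            uint256 price = oracle.getUnderlyingPrice(markets[i]);
            require(price != 0, "price error");
            uint256 factor = collateralFactorMantissa[markets[i]];
            sumCollateral += m.collateralUnderlying(account) * price / MANTISSA * factor / MANTISSA;
            sumBorrow += m.borrowBalanceStored(account) * price / MANTISSA;
        }
        if (sumCollateral > sumBorrow) return (sumCollateral - sumBorrow, 0);
        return (0, sumBorrow - sumCollateral);
    }

    // Called by an fToken before it releases funds to a borrower.
    function borrowAllowed(address fToken, address borrower, uint256 amount)
        external view returns (bool)
    {
        uint256 price = oracle.getUnderlyingPrice(fToken);
        require(price != 0, "price error");
        (uint256 liquidity, ) = getAccountLiquidity(borrower);
        return amount * price / MANTISSA <= liquidity;
    }
}
```

While `collateralFactorMantissa[FTS]` is 0, the loop adds nothing for FTS no matter what the oracle returns; steps ⑤ and ⑥ together make the product `collateral * price * factor` as large as the attacker likes. The sanity checks in `_setCollateralFactor` only bound the factor and reject a zero price; they do not judge whether a governance-approved asset is sound, so the integrity of governance and of the oracle each has to hold on its own.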

Contract Vulnerability Analysis

Vulnerability①

The first vulnerability is a design flaw in the governance contract.

The governance contract can execute a successful proposal that modifies lending configuration (for example, adding a collateral asset and setting its collateral factor). To pass and execute a proposal, the quorum is only 400,000 FTS. Because FTS was cheap, the attacker bought more than 400,000 FTS for only about 11 ETH.

With those FTS tokens, the attacker could create an arbitrary malicious proposal and execute it successfully.
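How a GovernorAlpha-style contract decides whether a proposal such as proposal 11 passes, as an added example (this is not the Fortress governor's code; the names, the 4% supply-relative quorum, the 1% proposal threshold and the two-day timelock are assumptions). The attacked governor used the fixed 400,000 FTS bar described above; the example instead computes the quorum from the supply snapshot of each proposal and separates passing from executing with a queue delay the guardian can cancel:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Fortress's deployed code) of GovernorAlpha-style vote counting.
// Names, the 4% quorum and the 1% proposal threshold are assumptions for illustration.
interface IVotes {
    // Checkpointed voting power and total supply at a past block.
    function getPriorVotes(address account, uint256 blockNumber) external view returns (uint96);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}

contract GovernorQuorum {
    IVotes public immutable fts;
    address public guardian;                          // may cancel while a proposal is queued
    uint256 public constant VOTING_PERIOD = 17280;    // blocks (assumption)
    uint256 public constant TIMELOCK_DELAY = 2 days;
    // The attacked governor used a fixed 400,000 FTS quorum, which about 11 ETH
    // could buy once FTS fell. Here the bar is a share of the supply snapshot instead.
    uint256 public constant QUORUM_BPS = 400;             // 4% of supply
    uint256 public constant PROPOSAL_THRESHOLD_BPS = 100; // 1% of supply to propose

    struct Proposal {
        address proposer;
        address[] targets;
        bytes[] calldatas;
        uint256 startBlock;
        uint256 endBlock;
        uint256 eta;                 // earliest execution timestamp once queued
        uint256 forVotes;
        uint256 againstVotes;
        bool canceled;
        bool executed;
        mapping(address => bool) hasVoted;
    }
    uint256 public proposalCount;
    mapping(uint256 => Proposal) internal proposals;

    constructor(IVotes _fts, address _guardian) { fts = _fts; guardian = _guardian; }

    function quorumVotes(uint256 id) public view returns (uint256) {
        return fts.getPastTotalSupply(proposals[id].startBlock) * QUORUM_BPS / 10_000;
    }

    function propose(address[] memory targets, bytes[] memory calldatas) external returns (uint256 id) {
        require(targets.length == calldatas.length && targets.length > 0, "bad proposal");
        uint256 threshold = fts.getPastTotalSupply(block.number - 1) * PROPOSAL_THRESHOLD_BPS / 10_000;
        require(fts.getPriorVotes(msg.sender, block.number - 1) >= threshold, "below threshold");
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        p.proposer = msg.sender;
        p.targets = targets;
        p.calldatas = calldatas;
        p.startBlock = block.number;
        p.endBlock = block.number + VOTING_PERIOD;
    }

    function castVote(uint256 id, bool support) external {
        Proposal storage p = proposals[id];
        require(block.number > p.startBlock && block.number <= p.endBlock, "voting closed");
        require(!p.hasVoted[msg.sender], "already voted");
        // Power is read at startBlock: a flash loan taken now counts for nothing, but
        // tokens bought and held through the snapshot (what the attacker did) count in full.
        uint96 votes = fts.getPriorVotes(msg.sender, p.startBlock);
        p.hasVoted[msg.sender] = true;
        if (support) p.forVotes += votes; else p.againstVotes += votes;
    }

    function succeeded(uint256 id) public view returns (bool) {
        Proposal storage p = proposals[id];
        return block.number > p.endBlock && !p.canceled
            && p.forVotes > p.againstVotes && p.forVotes >= quorumVotes(id);
    }

    // Passing is not executing: queue() opens a delay during which the guardian can
    // still cancel a hostile change such as enabling an illiquid token as collateral.
    function queue(uint256 id) external {
        Proposal storage p = proposals[id];
        require(succeeded(id) && p.eta == 0, "not queueable");
        p.eta = block.timestamp + TIMELOCK_DELAY;
    }

    function cancel(uint256 id) external {
        require(msg.sender == guardian, "only guardian");
        proposals[id].canceled = true;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.eta != 0 && block.timestamp >= p.eta, "timelock not elapsed");
        require(!p.canceled && !p.executed, "cannot execute");
        p.executed = true;
        for (uint256 i = 0; i < p.targets.length; i++) {
            (bool ok, ) = p.targets[i].call(p.calldatas[i]);
            require(ok, "call failed");
        }
    }
}
```

A supply-relative quorum does not by itself stop a buyer who can afford a large share of a cheap token; what it does is keep the bar from silently shrinking as the price falls, and the queue delay gives the team and other holders time to react before a passed proposal touches the lending configuration. Whether the Fortress governor enforced a delay is not stated in this analysis.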

Vulnerability ②

The second vulnerability is in the `submit()` function that the Chain contract uses to update prices: it allows anyone to update the price.


The required signature check at line 142 of the contract source is commented out, so when a price is submitted the contract never verifies that enough valid signatures were collected for the call.
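The submit path with the missing check in place, as an added example modelled on an Umbrella-style Chain contract (it is not the attacked contract's code; the storage layout, the affidavit format and the function names are assumptions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example modelling a Chain-style oracle's submit() path (simplified;
// names and layout are assumptions, not the attacked contract). The lending
// protocol's price oracle reads its prices from fcds[].
contract ChainOracle {
    mapping(address => bool) public isValidator;
    uint256 public requiredSignatures;     // threshold, e.g. 2/3 of the validator set
    uint256 public blockId;                // monotonic, mixed into every signed digest

    mapping(bytes32 => uint256) public fcds;    // "first-class data": key (pair) => price
    mapping(uint256 => bytes32) public roots;   // merkle root per block for the rest

    constructor(address[] memory validators, uint256 required) {
        require(required > 0 && required <= validators.length, "bad threshold");
        for (uint256 i = 0; i < validators.length; i++) isValidator[validators[i]] = true;
        requiredSignatures = required;
    }

    function submit(
        uint32 dataTimestamp,
        bytes32 root,
        bytes32[] calldata keys,
        uint256[] calldata values,
        uint8[] calldata v,
        bytes32[] calldata r,
        bytes32[] calldata s
    ) external {
        require(keys.length == values.length, "keys/values mismatch");
        require(v.length == r.length && r.length == s.length, "sig arrays mismatch");

        // Validators sign the whole payload together with the block id, so a payload
        // cannot be replayed for a later block or have its values reordered.
        bytes32 affidavit = keccak256(abi.encodePacked(blockId, dataTimestamp, root, keys, values));
        bytes32 digest = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", affidavit));

        uint256 signatures;
        address prevSigner = address(0);
        for (uint256 i = 0; i < v.length; i++) {
            address signer = ecrecover(digest, v[i], r[i], s[i]);
            // Strictly ascending signers: rejects duplicates and the address(0)
            // that ecrecover returns for a malformed signature.
            require(signer > prevSigner, "signers must be unique and ascending");
            prevSigner = signer;
            if (isValidator[signer]) signatures++;
        }

        // This is the statement that was commented out in the attacked contract.
        // Without it an empty signature list (v.length == 0) passes the loop
        // untouched and anyone can write any price.
        require(signatures >= requiredSignatures, "not enough signatures");

        for (uint256 i = 0; i < keys.length; i++) fcds[keys[i]] = values[i];
        roots[blockId] = root;
        blockId++;
    }

    // What the lending protocol's oracle adapter ends up calling.
    function getPrice(bytes32 key) external view returns (uint256) {
        return fcds[key];
    }
}
```

With the threshold `require` removed, calling `submit` with empty `v`, `r` and `s` arrays runs the loop zero times and writes whatever `values` the caller chose into `fcds`, which is the price update of step ⑥. The ascending-signer check is a separate defence: it stops one validator key from being counted several times and rejects the `address(0)` that `ecrecover` returns for garbage, but it is worthless if the count is never compared against `requiredSignatures`.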

Where the funds went

About 780,000 USDT and 2.28 million USDT were transferred to the attacker's address after the two attack transactions.

About 2.3 million USDT was bridged to Ethereum through anySwap (Multichain).

About 770,000 USDT was bridged to Ethereum through cBridge (Celer Network).

All of the USDT was swapped for ETH and DAI on Uniswap and sent to Tornado Cash.

Timeline

At around 00:30 Beijing time on May 9, the price of the Fortress token (FTS) plummeted. Shortly afterwards the project team said on Telegram that the project had run into some problems and was investigating.

But the attack may have started earlier than that.

The attacker's first probing began at 01:41:59 Beijing time on April 20, when they deployed an unverified contract. Over the following weeks the attacker kept interacting with Fortress through a series of transactions and deploying further unverified contracts; this reconnaissance only subsided a few days before the attack.

After deploying the attack contract, the attacker ran a series of transactions: creating and funding an externally owned address, submitting a malicious proposal to the Fortress Governor Alpha contract and voting for it with their own tokens, then setting the FTS collateral factor so high that their FTS was valued far above market, borrowing large amounts of other tokens against it, and finally swapping those for ETH and DAI.

The attack contract self-destructed once the attack was complete. The funds were moved to Ethereum through the cBridge (Celer Network) and Multichain bridges and then sent to Tornado Cash in a series of follow-up transactions.

Closing remarks

This attack could have been avoided through a security audit.

For vulnerability ①, the risk is not easy to spot from the contract alone, since the governance token's price and circulating supply are not known at audit time; still, a risk assessment of the governance parameters can flag the potential for this kind of attack.

For vulnerability ②, an audit would find the missing signature check, which lets anyone manipulate the price by calling the submit function.

This is not the only attack based on oracle manipulation. The DEUS Finance DAO incident (see "DEUS Finance DAO stolen $15.7 million attack incident analysis") involved an even larger loss.

Security risks in the crypto space never end. Project teams should stay vigilant, follow security incidents and use them to re-examine their own systems, and improve and audit their contract code promptly.

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/first-release-analysis-of-fortress-loans-2-98-million-attack/
