On June 27, 2022, according to SlowMist, the XCarnival project was exposed to a serious vulnerability and was hacked and 3,087 ETH (about $3.8 million) was stolen. XCarnival is an NFT lending project on the ETH chain. The project team is currently fixing the vulnerability and promising to provide solutions for affected users. The SlowMist security team immediately intervened in the analysis and shared the results as follows:
Core contract address
Attacker EOA address
Attack contract address
Vulnerability core point analysis
1. The attacker mortgages NFT and lends xToken through the pledgeAndBorrow function in the XNFT contract.
Transfer to the NFT and generate an order in the pledgeInternal function:
2. Then call the withdrawNFT function to extract the pledged NFT, which first judges whether the order has been liquidated, and if not, judges whether the order’s status is that the NFT has not been withdrawn and the loan amount is 0 (no debt). Collateral NFTs that can be withdrawn.
3. The above is the preparation operation for generating the order before the attack, and then the attacker starts to use the generated order to directly call the borrow function in the xToken contract to borrow money.
In the borrowInternal function, the borrowAllowed function in the controller contract is called externally to determine whether the loan can be borrowed.
It can be seen that the borrowAllowed function will call the orderAllowed function to judge the order related information, but neither of these two functions will judge the status of _order.isWithdraw. Therefore, the attacker can use the previously generated order (the mortgaged NFT in the order has been withdrawn) to call the borrow function of XToken to borrow, and because the mortgaged NFT has been proposed before, the attacker can achieve this without repayment profit.
Attack Transaction Analysis
Only the details of one of the attack transactions are shown here, and the methods of the other attack transactions are the same, and will not be repeated here.
Preparing for the attack – the transaction that generated the order:
1. First, the attacker transfers the NFT to the attack contract and authorizes it, and then calls the pledgeAndBorrow function in the xNFT contract to mortgage the NFT to generate an order and borrow money. It should be noted here that this function can control the incoming xToken, attacking The user passed in the xToken contract address constructed by himself, and set the loan amount to 0, in order to meet the conditions of not being liquidated and 0 debt when the NFT can be successfully proposed later.
2. The attacker then calls the withdrawNFT function to withdraw the mortgaged NFT:
Formal attack transaction:
The attacker calls the borrow function of the xToken contract, passes in the orderID of the previously generated order, and repeats the operation 22 times (orderID: 45 – 66), and because the NFT has been withdrawn in the preparation stage, it is estimated that there is no need to repay this to obtain the money. profit.
The core of this vulnerability is that when borrowing, there is no judgment on whether the NFT in the order has been withdrawn, so that the attacker can use the previously generated order to borrow without repaying the NFT after withdrawing the NFT. profit. In response to such vulnerabilities, the SlowMist security team recommends that when borrowing, you should make a good judgment on whether the collateral has been withdrawn in the order status to avoid such problems from occurring again.
Posted by:CoinYuppie，Reprinted with attribution to:https://coinyuppie.com/slow-mist-xcarnival-nft-lending-protocol-vulnerability-analysis/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.