The dike of a thousand miles was destroyed in the ant nest Fortress Protocol was attacked

foreword

On May 9, 2022, Beijing time, Knowing Chuangyu Blockchain Security Laboratory detected that Fortress Protocol, a lending protocol on the BSC chain, was attacked due to an oracle problem. This is the third oracle attack incident detected by the laboratory recently. The loss includes 1,048 ETH and 400,000 DAI, totaling about 300W. At present, AnySwap and Celer have been used to cross-chain to Ethereum using Tornado for currency mixing.

Knowing that Chuangyu Blockchain Security Lab tracked and analyzed this incident for the first time.

v2-72dac407503b7c3adbfe4235ccb4697e_720w.jpg

basic information

Attacked Controller: 0x01bfa5c99326464b8a1e1d411bb4783bb91ea629

Attacked oracle address: 0xc11b687cd6061a6516e23769e4657b6efa25d78e

Attacker address: 0xA6AF2872176320015f8ddB2ba013B38Cb35d22Ad

Attack contract: 0xcD337b920678cF35143322Ab31ab8977C3463a45

tx:0x13d19809b19ac512da6d110764caee75e2157ea62cb70937c8d9471afcb061bf

Vulnerability Analysis

The project is still a copy of Compound, but because the project party has annotated the original check in the oracle implementation, it does not require enough power to tamper with the price through 0xc11b687cd6061a6516e23769e4657b6efa25d78e#submit;

v2-78f7a4335309c6eb2f9b91f20ee5b4e6_720w.jpg

The attacker borrowed assets from other pools by changing the price of FTS in the protocol. The lending pools in the market are as follows:

v2-8a668ce7b0c8668e236e07e797c39b0d_720w.jpg

Attack process

1. The attacker purchased FTS tokens and voted to add FTS as collateral through a proposal, the proposal ID is 11;

v2-6d4dc68a27d9d8610aad7ff21bac5eac_720w.jpg

2. Change the price of FTS by calling the oracle submit function;

v2-90267986f903213d3ce907f938d9951d_720w.jpg

3. The attacker uses 100 FTS as collateral to call enterMarket to enter the market;

v2-0efa91f9593c52fe089efb0d5c343f6a_720w.jpg

4. Because the market price has a problem with the value calculation of FTS, the attacker uses the collateral to directly call borrow to borrow;

v2-be9a37b31e8a92b087725d9eb8fa968b_720w.jpg

Assets borrowed:

v2-ee5bb5d8c7d8983ae4e0f8b02d05a0c1_720w.jpg

5. Since the 100 FTS has little value and does not need to be retrieved, the attacker still uses the other FTS used in the first step to fully cash out the Pancake exchange.

v2-dddddd61bd1cdb2bcd057d7d9e61c7f3e_720w.jpg

Summarize

The reason for this attack is that there is a problem with the compound imitation disk when the oracle is used. Recently, a large number of Compound imitation disk projects have been attacked. We urge all project parties who have forked Compound to actively check themselves. The known attacks are mainly due to the following problems:

v2-4c773238563295cab03ff0ff38887920_720w.jpg

The embankment of a thousand miles was destroyed in the ant’s nest. It can be seen from the internal call that the attacker used getAllMarkets to traverse the underlying assets of all markets in turn and cash out FTS completely. It is recommended that the project party must build on a full understanding and sufficient third-party security audits for their own different implementations. A small error can lead to the overall loss of the project.

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/the-dike-of-a-thousand-miles-was-destroyed-in-the-ant-nest-fortress-protocol-was-attacked/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Like (0)
Donate Buy me a coffee Buy me a coffee
Previous 2022-05-12 09:35
Next 2022-05-12 09:36

Related articles