Title: Improper Access Control in DEPUSDT_LEVUSDC Protocol
Date: 15/06/2023
Link: https://twitter.com/1nf0s3cpt/status/1669624223059546112?s=46
An attack on the $DEPUSDT token on the Ethereum blockchain caused a loss of approximately $69,000. The same attacker also targeted the $LEVUSDC token, causing a further loss of approximately $36,000.
The attack was possible because the token contract exposed a privileged authorisation function without restricting who could call it. By invoking that function, the attacker obtained control over the contract's funds and drained them.
Attacker’s Address: https://etherscan.io/address/0x7021c1b142eb634fa0749cda270c7aff74dc3b7f
Contract Under Attack: https://etherscan.io/address/0x7b190a928aa76eece5cb3e0f6b3bdb24fcdd9b4f
Transaction Details: https://etherscan.io/tx/0xf0a13b445674094c455de9e947a25bade75cac9f5176695fca418898ea25742f
The impact
ESTIMATED CVSS BASE SCORE: 8
The financial loss is approximately $69,000 for $DEPUSDT and $36,000 for $LEVUSDC, and it falls directly on the holders of those tokens at the time of the attack.
Beyond the immediate loss, the incident shows how a single missing access check on a privileged function is enough to hand an attacker control of a contract's funds. The flaw lies in the token contracts themselves, not in the Ethereum blockchain, but it underlines that authorisation logic deserves the same scrutiny as the value-transfer logic it protects.
Affected protocols:
$DEPUSDT token and the $LEVUSDC token
The remediation
In response to the improper access control incident in the DEPUSDT_LEVUSDC protocol, a thorough smart contract audit should be conducted before contracts are deployed to mainnet. The audit should cover a full review of the codebase, security assessment, and testing to identify and fix vulnerabilities. Key areas to focus on during the audit:
- Access Control: Ensure every privileged function (granting roles, minting, pausing, moving other users' balances, upgrading) is restricted to the intended owner or role, that role changes emit events, and that ownership is handed over in two steps. A missing check lets any caller take over the contract, as happened here.
- EVM-level Issues: Review low-level behaviour such as Ether lost when sent to addresses that do not exist, the immutability of deployed bytecode (a bug cannot be patched in place without an upgrade mechanism), call-depth and gas limits, and reentrancy through external calls.
- Arithmetic Overflow and Underflow: Check integer handling. Solidity 0.8 and later reverts on overflow by default, but `unchecked` blocks, older compiler versions and inline assembly still need explicit checks.
- Unchecked Return Values: Verify that the return values of low-level calls are checked. `send` and `call` return `false` on failure rather than reverting, and many ERC-20 tokens return `false` (or nothing at all) from `transfer`/`transferFrom` instead of reverting, so wrap such calls in a SafeERC20-style helper.
- Denial of Service: Identify ways the contract can be rendered unusable, such as loops over unbounded arrays, a batch operation that one reverting recipient can block, or privileged functions that a compromised role could use to lock the contract.
- Randomness Generation: Do not derive randomness from `block.timestamp`, `blockhash` or other values the block producer influences; where unpredictable randomness is required, use a verifiable randomness oracle.
- Transaction Ordering and Timestamps: Mitigate transaction-ordering dependence (front-running and sandwiching) with commit-reveal schemes or slippage bounds, and avoid logic that depends on exact block timestamps.
- Short Addresses: Guard against short address attacks by validating calldata length. The ABI decoder in Solidity 0.5 and later rejects truncated calldata, so this mainly concerns older compilers and hand-written assembly.
In addition to these specific vulnerabilities, review the broader class of common smart contract weaknesses: secrets stored on-chain (all contract storage is publicly readable, so nothing written on-chain is private), logic that assumes a particular Ether balance (anyone can force Ether into a contract via `selfdestruct`), front-running, and improper signature verification (missing nonces, malleable signatures, no domain separation).
Conducting a comprehensive smart contract audit is essential for minimising the risk of unauthorised access, protecting user funds, and maintaining the integrity of the protocol. By addressing vulnerabilities proactively, you can enhance the security and trustworthiness of your smart contract.
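As an added illustration of the Access Control item above (constructed for this page, not code from the DEPUSDT or LEVUSDC contracts, whose source is not reproduced here), the following Solidity shows a token whose privileged `authorise` function is callable by anyone, a contract that exploits it in two calls, and a hardened version that puts the same function behind an owner check, emits events for role changes, and uses two-step ownership transfer. The contract names, the `authorise`/`transferFrom` functions and the attack sequence are assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration, not the DEPUSDT or LEVUSDC source: a minimal token
// whose privileged `authorise` function is missing its access check.
contract VulnerableToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public authorised; // accounts allowed to move anyone's funds
    address public owner;

    constructor(uint256 supply) {
        owner = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    // BUG: no `msg.sender == owner` check, so any account can grant itself the role.
    function authorise(address account, bool allowed) external {
        authorised[account] = allowed;
    }

    // Privileged transfer: authorised callers may spend from any holder.
    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(msg.sender == from || authorised[msg.sender], "not authorised");
        balanceOf[from] -= amount; // reverts on underflow in Solidity 0.8+
        balanceOf[to] += amount;
        return true;
    }
}

// Attack path against the constructed contract above (two calls, no special setup):
//   1. grant this contract the privileged role via the unprotected `authorise`
//   2. move the victim's entire balance to the caller with `transferFrom`
contract Drainer {
    function drain(VulnerableToken token, address victim) external {
        token.authorise(address(this), true);
        token.transferFrom(victim, msg.sender, token.balanceOf(victim));
    }
}

// Hardened version: the same functionality behind an owner check, with events
// so role changes are visible to monitoring, and two-step ownership transfer.
contract HardenedToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public authorised;
    address public owner;
    address public pendingOwner;

    event Authorised(address indexed account, bool allowed);
    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    constructor(uint256 supply) {
        owner = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    // FIX: only the owner can grant or revoke the privileged role.
    function authorise(address account, bool allowed) external onlyOwner {
        authorised[account] = allowed;
        emit Authorised(account, allowed);
    }

    // Two-step handover: a mistyped `newOwner` cannot permanently lose control,
    // because the new owner must actively accept.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "caller is not the pending owner");
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(msg.sender == from || authorised[msg.sender], "not authorised");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```

A practical review check for this class of bug: list every `external` or `public` function that writes to owner, role or allowance state and confirm each carries an access modifier. The two-call sequence in `Drainer` is also the shape of a unit test worth adding before mainnet deployment: call `authorise` from a non-owner account and assert that it reverts.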
References
https://twitter.com/1nf0s3cpt/status/1669624223059546112?s=46
Proof Of Concept: https://t.co/LCFj4VRbhG
Txid analysis: https://t.co/KK2B4IHLp3