Attack Details
Last updated
Last updated
By exploiting the DEI token implementation bug, the attacker could manipulate allowances, transfer DEI out of the pair, and swap it for a significant amount of USDC.
The series of events led to the massive security breach and loss of user funds on the Chronos Exchange on the Arbitrum platform, as well as on all other exchanges on which the DEI token was listed.
An in-depth examination of the attack can be found by analyzing the following Arbitrum transaction:
First, the attacker takes advantage of the bug in the DEI token implementation, which allows them to increase the allowance for any DEI holder. Consequently, the attacker can move any $DEI funds.
The burnFrom implementation involves the approve implementation, where _approve(sAMM, attacker, currentAllowance) is called. That allowed the attacker to spend any 'currentAllowance' from the sAMM Pair.
Link to the source code:
_allowances[_msgSender()][account]
should be
_allowances[account][msgSender()]
burnFrom to increase his allowance & transferFrom all DEI out of the pair.which recalculates the reserves based on the token balances.
After calling sync,
DEI reserve0 is 1,
USDC reserve1 is 5,047,470,472,573.
The attacker calls swap() and trades the difference. Now, 0 DEI is worth 5 million USDC.
Call swap() and trade the difference; 0 DEI is worth 5M USDC now.
This step allowed for massive further damages.
This step allows for massive, massive further damages.
Based on this step, we conjecture that the attacker opted for a rushed approach, likely fearing that someone else might discover the bug or that his main target was causing maximum damage.
Attackers' accrued profits of approximately $5 million, yet the consequential damages far exceed this figure, estimated to be between $8-10 million based on our current analysis. (before recovering funds, check recovery )
Read more about it
Transaction leading to the hack:
Address holding funds after the attacker swapped USDC to WETH:
