12/28 Post-Mortem
Summary
On Dec-28–2020 at 08:08:12 AM +UTC, a bug in Cover Protocol’s shield mining contract (Blacksmith) was exploited. The core Cover Protocol product is not affected and is functioning as intended. This exploit only affected the mining contract and the $COVER token.
What was the root cause?
The Bug
As many have explained, this line of code caused the pool state update to have no effect on the miner’s state when depositing. This misalignment causes the Blacksmith to mint more rewards to the miner. This bug has been present (unknown to the devs) in the Cover Protocol Blacksmith contract since the day it was deployed after being audited.
A community member informed us on Dec 27th at 6pm UTC that they were able to gain a small rewards boost on their deposit. After investigating the issue, we attempted to mitigate the problem by implementing the following:
- Adding an update-pool transaction before the deposit so that the pool is updated when a user deposits; this mitigates the issue for users using the UI.
- Starting a cron job to run every 20 mins to update any pool that hadn’t been updated recently.
The more frequently the pools are updated, the fewer extra rewards the miners get. To our knowledge and analysis at the time, the above two measures should have mitigated the problem to the point where it was not worth exploiting. To our deepest regret, we missed the amplifier (below).
The Amplifier
The missed amplifier was the difference between the amount the miner deposits and the total lpTokens existing in the pool pre-deposit. The greater the difference (1 wei vs. 1e18 wei, for example), the more extra rewards the above bug produced. If the difference is big enough, the time passed does not matter: miners can still gain a near-infinite amount of COVER tokens.
In the case of Grap Finance’s interactions with the contract, 1 wei was left in the pool. It multiplied the rewards by 1e18+, causing the mint of 40 quadrillion $COVER.
This happened on all pools that had less than 1e18 lpToken total deposited; most were new pools where the exploiter was the first to act.
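The interaction between the bug and the amplifier described above can be reproduced in a small accounting model, shown with the stale read beside the corrected one. This is an added example, not the Blacksmith contract's code: it assumes a standard accumulated-rewards-per-token design, and `Farm`, `SCALE`, `RATE`, `minted_on_instant_claim` and all amounts are constructed for illustration.

```python
# Simplified accumulated-rewards-per-token farm (constructed model, not the Blacksmith source).
SCALE = 10**12   # fixed-point scale for the accumulator (assumed value)
RATE = 10**18    # reward wei emitted per second for the pool (constructed value)

class Farm:
    def __init__(self, fixed):
        self.fixed = fixed   # True: deposit reads the accumulator after the update
        self.acc = 0         # accumulated rewards per LP wei, scaled by SCALE
        self.last = 0        # timestamp of the last pool update
        self.total = 0       # LP wei currently held by the pool
        self.miners = {}     # name -> [amount, reward_writeoff]

    def update_pool(self, now):
        if self.total > 0:
            self.acc += (now - self.last) * RATE * SCALE // self.total
        self.last = now

    def deposit(self, who, amount, now):
        stale_acc = self.acc      # copy taken before the update (the "memory" copy)
        self.update_pool(now)     # refreshes only the stored pool state
        acc = self.acc if self.fixed else stale_acc
        m = self.miners.setdefault(who, [0, 0])
        paid = m[0] * acc // SCALE - m[1]   # rewards owed on the old balance
        m[0] += amount
        self.total += amount
        m[1] = m[0] * acc // SCALE          # write-off for rewards accrued before this deposit
        return paid

    def claim(self, who, now):
        self.update_pool(now)
        m = self.miners[who]
        owed = m[0] * self.acc // SCALE
        paid, m[1] = owed - m[1], owed
        return paid

def minted_on_instant_claim(fixed, pre_total, amount, idle):
    """Deposit into a pool left un-updated for `idle` seconds, then claim in the same second."""
    farm = Farm(fixed)
    farm.deposit("existing", pre_total, now=0)
    farm.deposit("miner", amount, now=idle)
    return farm.claim("miner", now=idle)

if __name__ == "__main__":
    # 1200 s matches the 20-minute cron interval; 1 s models a pool updated almost constantly.
    for pre_total, idle in [(10**18, 1200), (10**18, 1), (1, 1)]:
        bad = minted_on_instant_claim(False, pre_total, 10**18, idle)
        good = minted_on_instant_claim(True, pre_total, 10**18, idle)
        print(f"pre_total={pre_total} idle={idle}s stale={bad} fixed={good}")
```

In this model the excess equals `amount * idle * RATE / pre_total`, so shortening `idle` only scales the loss linearly while a 1 wei `pre_total` scales it by the full deposit size.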
Timeline for Exploiter 1
Dec-28–2020 04:09:27 AM +UTC
- A new Balancer pool was added to the Blacksmith contract from the team’s multisig via a transaction for the new coverage expirations.
Dec-28–2020 08:08:12 AM +UTC
- An attacker executes the first deposit to the contract, depositing 1,326,880 BPT tokens
- https://etherscan.io/tx/0xd721b0ef2886f14b75548b70d2d1fd82bea085ca24f5de29b833a64cfd8f7a50
Dec-28–2020 at 08:11:16 AM +UTC
- The same attacker then called withdraw(), exploiting the contract for ~703.64 $COVER and withdrawing 1,326,878.99 BPT
- https://etherscan.io/tx/0xadf27f5dd052482d46fdf69a5208a27cc7352522c7c19bbde5aee18f6ea4373b
Dec-28–2020 08:47:15 AM +UTC
- The first sale of the exploited $COVER tokens can be found here: https://etherscan.io/tx/0x66128a1685605b1798c852e14db0b0232a56e3bebf7f3f35b168642801754beb. During this time there were multiple accounts abusing the exploit and selling their $COVER on the market.
Dec-28–2020 09:18:28 AM +UTC
- The attacker continues minting while the attack vector is still present. https://etherscan.io/tx/0xf81fb72ee096e0d7afe4b99a55b723110604fb26ec82846043cfc396e1fa79da
In total, Exploiter 1 stole around $4.4 million of user funds and transferred it to this address. We are actively tracking this address and others which participated in the exploit.
Timeline for Grap Finance
Dec-28–2020 11:54:47 AM +UTC
- Grap Finance: Deployer (Externally owned account) deposited 15,255.552810089260015362 BPT (DAI/Basis pool) into the Blacksmith farming contract.
- https://etherscan.io/tx/0x77490baee41a9b35a6e87d49453c7329c7517c10ce6ce26b4c142692a2877e65
Dec-28–2020 11:58:04 AM +UTC
- Grap Finance: Deployer withdraws their 15,255.552810089260015361 BPT (DAI/Basis pool), leaving just 1 wei in their balance in the Blacksmith farming contract.
- https://etherscan.io/tx/0x88ce99fc1cb695db82d83ce5fe587396744841d3a123687f95b18df6a3106818
Dec-28–2020 11:58:56 AM +UTC
- Another user withdraws most of his full balance (1,007.599009946121991627 BPT) from the Blacksmith. Now Grap Finance alone has all liquidity for the DAI/Basis pool on the shield mining Blacksmith contract, exactly 1 wei.
- https://etherscan.io/tx/0xa27fb73caddb1cf24aa7a5afe84eed13db2f0a889a6ee0f3d5e6226a76c0fd9c
Dec-28–2020 12:00:21 PM +UTC
- Grap Finance: Deployer deposited back 15,255.552810089260015361 BPT (DAI/Basis pool) on the Blacksmith farming contract.
- https://etherscan.io/tx/0xbd1fcda7006ddd58b18cb3bfbd01ef2d1a979be596e1c73be1d7d65fd7eb8215
Dec-28–2020 12:02:04 PM +UTC
- Grap Finance: Deployer claimed the rewards. Having only 1 wei of balance, combined with the storage/memory issue, led to the minting of 40,796,131,214,802,500,000.212114436030863813 $COVER.
- https://etherscan.io/tx/0xca135d1c4268d6354a019b66946d4fbe4de6f7ddf0ff56389a5cc2ba695b035f
Dec-28–2020 12:29:03 PM +UTC
- Grap Finance: Deployer starts to sell as many tokens as possible through 1inch.exchange in multiple transactions.
- https://etherscan.io/tx/0xaf94d9b537a13819e873b37160594af2b1cc70b420d0b160a02e341566866a6b
- https://etherscan.io/tx/0x01b3517845ed9c6b7b40d57bd71ac1a89fec080c5b8988f764d8226ac5caa959
Dec-28–2020 12:59:27 PM +UTC
- Grap Finance: Deployer burns minted tokens: https://etherscan.io/tx/0xe6c068ca3605228b2435a414f2b372057340f77d3fe9f1d3967eb1ad128cb5d2
Dec-28–2020 at 01:41:01 PM +UTC
- Grap Finance: Deployer sends the 4351 (1 + 4350) ETH they have extracted by selling $COVER to the deployer account, which accounts for 34% of the total exploit damage ($9.4 million).
- https://etherscan.io/tx/0x23cb9bdf14eed955a84da3f3cfcf296356c0f897dec0b99e85151a7f084a3051
- https://etherscan.io/tx/0xc2fd5094c1e108f83222a86bd46b35fc0da35616385d681964b22003643f982e
Timeline of Cover Protocol team
Dec-28–2020 at 08:11:16 AM +UTC
- The first major mint of ~703.64 $COVER was made by exploiter 1.
- https://etherscan.io/tx/0xadf27f5dd052482d46fdf69a5208a27cc7352522c7c19bbde5aee18f6ea4373b
Dec-28–2020 at 10:54:00 AM +UTC
- A non-dev team member was notified of the ongoing incident, and rushed to notify the core team. Unfortunately all of the devs were asleep at this time.
Dec-28–2020 12:02:04 PM +UTC
- Grap Finance: Deployer minted 40,796,131,214,802,500,000.212114436030863813 $COVER.
- https://etherscan.io/tx/0xca135d1c4268d6354a019b66946d4fbe4de6f7ddf0ff56389a5cc2ba695b035f
Dec-28–2020 at 12:04:00 PM +UTC
- 2 core team members wake up and are instantly notified of the incident. They immediately begin working on mitigating the exploit.
Dec-28–2020 at 12:22:19 PM +UTC
- The core team successfully removed minting rights from the Blacksmith contract and moved the minting permissions to a dummy contract to prevent further exploitation of the mint.
Dec-28–2020 at 1:30:00 PM +UTC
- The core team begins speaking directly with our Yearn partners to study the exploit and understand exactly how it had occurred. Emiliano Bonassi successfully replicated it in a test.
Dec-28–2020 at 11:51:00 PM +UTC
- After thorough observation and discussion with the Cover Protocol team and our Yearn partners, Emiliano Bonassi successfully replicated it in a test.
Moving Forward
We hope this post-mortem allows users to get a better grasp and understanding of the exploit that took place today.
We are still on target to release V2 (Q1 of 2021) for Cover Protocol. We are sincerely sorry about the outcome of the attack and we thank everyone so much for your continued support.
A compensation plan, using a snapshot (taken at some point before block #11541219) to distribute a new token and the returned 4,351 ETH, will be drafted in the next couple of days and released as soon as possible. Please stay tuned.
Acknowledgements
We would like to thank the whole Yearn Ecosystem and also everyone who reached out to offer their support. The amount of information gathered in the time from the attack to this post would not have been achievable without the individuals below.
Contributors in gathering information/data (in no specific order & sorry if we are missing anyone):
Leo Cheng; Sam122; x48; banteg; milkyklim; Emiliano Bonassi; Julien Bouteloup (and the REKT team); Facu; dougETH; andy8052; dudesahn; Vasa; The Peckshield Team; The Arcadia Group Team; Binance
Disclaimer
COVER is a completely valueless governance token and has 0 financial value. Please exercise proper due diligence before interacting with Cover smart contracts, staking contracts, and all subsequent deployed contracts associated with Cover.