Introduction
In a recent March 28, 2024 incident, Prisma Finance encountered a critical vulnerability in its MigrateTroveZap contract, resulting in a loss of 3,257 ETH, equivalent to approximately $11 million. This article delves into the technical intricacies of the exploit, its impact, and the subsequent actions taken by the Prisma team to address the issue.
Overview of the Vulnerability
The vulnerability stemmed from inadequate input validation in both versions of the MigrateTroveZap contract (mkUSD and ULTRA). This contract, designed to facilitate the migration of user positions between trove managers, inadvertently allowed malicious actors to manipulate its behavior.
Affected users had previously approved the MigrateTroveZap contract to manage their troves’ positions via setDelegateApproval() on the BorrowerOperations contract. The exploit occurred when a user leveraged the vulnerability in the onFlashloan() function, enabling them to manipulate the contract’s behavior and siphon a portion of users’ collateral.
- The user initiates migration via the migrateTrove() function, triggering a calculation of debt and collateral to be transferred.
- The debtToken.flashloan() function is called with the calculated debt and collateral amounts.
- The debtToken.flashloan() function subsequently calls back to MigrateTroveZap.onFlashLoan() to finalize the migration.
The crux of the issue lies in step 3. The data passed from flashLoan() lacked validation, trusting any information received from the debt token contract’s flashloan() function. While this wouldn’t pose a problem under typical circumstances, the flashloan() function can be called by any user willing to pay a fee. This creates a scenario where the data used for migration becomes untrustworthy.
The attacker exploited this by calling flashloan() and setting the receiver address to the MigrateTroveZap contract. They then manipulated the data to execute a fabricated migration, enabling them to steal user collateral during subsequent transactions.
Exploit Sequence
The exploit unfolded in several steps:
Direct Flash Loan Invocation:
- Taking advantage of the lack of proper validation, the attacker directly invoked the onFlashloan() function with meticulously crafted input data.
Manipulation of Trove Positions
- By bypassing the migrate function, the attacker could close a trove owner’s trove and immediately reopen it within the same TroveManager. This resulted in the trove owner having a new position with the same debt but reduced collateral, with the difference captured by the attacker.
Creation of New Trove
- Subsequently, the attacker opened a new trove with minimal collateral, leveraging the remaining assets in the contract.
Profit Extraction
- Finally, the attacker closed the manipulated trove, extracting profits from the compromised positions.
Source: Prisma Finance
Dissecting the Attack
The attack unfolded in the following manner, as evidenced by a specific transaction:
- The attacker called mkUSD.flashLoan() with a value of approximately 1.44 trillion mkUSD and designated the MigrateTroveZap contract as the recipient.
- Simultaneously, the attacker manipulated the collateral data for the borrower address associated with the flash loan.
- Due to the flash loan initiated in step 1, the MigrateTroveZap.onFlashLoan() function was triggered with attacker-crafted data instructing it to:
- Close a specific trove.
- Migrate the trove to a new Trove Manager.
- Set parameters for the migrated trove, including a significantly lower collateral amount than the original value.
Source: Prisma Finance
The attacker then leveraged the difference between the original and manipulated collateral values to:
- Open a new trove using the remaining collateral left in the MigrateTroveZap contract.
- Flashloan 1 wstETH to facilitate the opening of the new trove.
- Execute another manipulated migration via MigrateTroveZap.onFlashLoan(), incorporating the remaining wstETH from the contract.
- Close the newly created trove, allowing them to claim the stolen wstETH.
- Repay the initial one wstETH flash loan.
Source: Prisma Finance
Source: Prisma Finance
Consequences and Response
The exploit prompted an immediate response from the Prisma team. They paused the protocol’s operations, preventing further collateral addition and minimizing potential damage. Additionally, trove owners were advised to revoke delegate approval for the MigrateTroveZap contract.
Tracing the Stolen Funds
The most significant attack, responsible for roughly $11.6 million in stolen funds, originated from a user-controlled wallet. These funds were initially channeled through FixedFloat, an instant, fully automatic cryptocurrency exchange with Lightning Network, before being distributed to three other wallets.
Interestingly, one of these wallets sent an on-chain message to the Prisma Finance deployer, claiming to be a “white hat” hacker acting in good faith. While a portion of the stolen funds (approximately $6.5 million worth of ETH) was transferred to a privacy mixing service, Tornado Cash, the message indicated an intention to move the remaining funds to a “safer place.”
Two additional malicious addresses were identified in conjunction with the exploit. These addresses withdrew funds from Tornado Cash and replicated the exploit to steal over $700,000 in further assets.
A Potential Turnaround?
There appears to be a glimmer of hope for Prisma Finance users. The primary attacker responsible for most stolen funds is willing to return them.
About Olympix
Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.
Join our beta program to fortify your smart contracts and proactively shield them from exploits in the evolving Web3 security landscape.
Connect with us on:
Twitter | LinkedIn | Discord | Medium | Instagram | Telegram | Substack