Pickle Finance Hack Analysis & POC (Nov 21st, 2021)

Table Of Content

Share:

Introduction

On 21sth November 2021, Pickle finance was hacked, where an attacker was able to drain $19M DAI from the pDai jar. The attack exploited multiple inconsistencies & flaws in the logic of the pickle jar smart contract.

Pre-requisite:

  1. Pickle Jar contract had a function swapExactJarForJar() which was meant to be generalized to bring more flexibility to the protocol. However, the attack could have been prevented if the function checked for whitelisted ones. 
  2. The attacker’s jars contain minimalist functions to function as a jar and since the user controls Jars most of the checks can be easily bypassed.

The Exploit

The user-created two Jar contracts

  1. Attacker’s Address
  2. Attack transaction
  3. Attacker’s Contract
  4. Detailed transaction trace

Steps involved in exploit:

  1. The attacker deploys two new fake Jars.
    1. First Jar
    2. Second Jar
  2. The attacker calls strategyCmpdDaiV2.getSuppliedUnleveraged() which returns the amount of DAI available i.e 19728769153362174946836922 ~ 19M.728 DAI.
  3. The attacker calls swapExactJarForJar the first time, supplying fake Jar addresses created earlier which withdraws deleveraged invested DAI from the compound back to pDAI Jar. 
  4. attacker calls earn() function 3 three times on pDAI (Pickling Dai) minting cDAI to StrategyCmpdDaiV2 contract.
  5. The attacker deploys another two fake Jars & a fake underlying.
    1. Third Jar
    2. Fourth Jar
    3. Fake Underlying contract
  6. Then the attacker calls swapExactJarForJar, this time passes in the third & fourth Jar with crafted data that makes a function call to curve proxy in the context of the controller-v4. Since the attacker has crafted the Jar to work with the contract it bypasses checks to the point where arbitrary code is executed in the context of the controller-v4 contract. Then withdraw() is called to withdraw 950,818,864 cDAI to controller-v4. The withdrawn cDAI are deposited to the fake Jar through deposit() and all cDAI is transferred to the attacker.
  7. The attacker calls redeemUnderlying on the compound to convert all cDAI to DAI & walks away with ~19M DAI.

Try It Yourself!

We have put together a GitHub repository to reproduce the attack. Here is the Github repo.

Also take a look at Rari Capital Hack Analysis & POC

More Audits

Consumer Privacy & Data Breach Part II - Is Web 3.0 The Cure?

The last few years have resulted in consumer privacy and data breach issues. Those issues have made the users conscious and ambiguous about the data on the internet. Read more in this blog.

Rain Protocol Audit Report

Rain Protocol lets you build web3 economies at any scale.Rain scripts are a combination of low level functions (opcodes) like addition and subtraction and very high level functions like fetching an ERC20 balance at a given snapshot ID (Open Zeppelin), or fetching a chainlink oracle price.

Smart Contract Security Audit: An Auditor's Interrogation

A comprehensive introduction to smart contract security audit and preparation of relevant interview questions.

Smart Contract Audit Report: Chrysus

Project Chrysus aims to be a fully decentralized ecosystem revolving around Chrysus Coin. Chrysus Coin (Chrysus) is an ERC20 token deployed on the Ethereum network, which is pegged to the price of gold (XAU/USD) using Decentralized Finance (DeFi) best practices. The ecosystem around Chrysus will involve a SWAP solution, a lending solution, and an eCommerce integration solution allowing for the use of Chrysus outside of the DeFi ecosystem.

Sonar Bridge Initial Audit

BlockApex (Auditor) was contracted by Sonar(Client) for the purpose of conducting a Smart Contract Audit/Code Review of Sonar bridge modeule.  This document presents the findings of our analysis which took place on 8th September 2021. 

PhoenixDAO LP Staking Final Audit

BlockApex (Auditor) was contracted by PhoenixDAO (Client) for the purpose of conducting a Smart Contract Audit/Code Review.  This document presents the findings of our analysis which took place on   28th October 2021.

Lightlink Bridge: BlockApex WhiteBox Code Review Report

the source code review of Lightlink Bridge Validator and Keeper. The purpose of the assessment was to perform the whitebox testing of the Bridge’s validator and Keeper before going into production and identify potential threats and vulnerabilities.

The State of Startups Security in Pakistan

The security team at BlockApex decided to test these applications for vulnerabilities that could compromise their data. We knew that the software industry in Pakistan always keeps security out of their toolkit to reduce the cost of development.

Rari Capital Hack Analysis & POC

Rari capital got hacked for around $79M through a classic re-entrancy attack. Rari is a fork of compound finance which had this bug fixed earlier. It is not the first time Rari has been a victim of a hack.

1 2 3 11
Designed & Developed by: 
All rights reserved. Copyright 2023