Decoding Palmswap’s $900k Exploit


Abstract:

On the 25th of July 2023, Palmswap on the Binance Smart Chain was attacked. The attack was made possible by a price manipulation vulnerability, and around $900k was stolen by the exploiter.

About Venture:

Palmswap is a decentralized leverage trading platform. To learn more about them, check out their documentation.


Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Address:  0xF84efA8a9F7E68855CF17EAaC9c2f97A9d131366

Victim Contract:  0x55252A6D50BFAd0E5F1009541284c783686F7f25

Attack Transaction: 0x62dba55054fa628845fecded658ff5b1ec1c5823f1a5e0118601aa455a30eac9


The Root Cause:

  • The root cause of the exploit was the mishandling of calculations when adding or removing liquidity from the pool. It was present in the exchange rate between USDP (Palm USD) and PLP (Palm LP).
  • The PLP price used when liquidity is removed is calculated by the getAum() function.
  • Now look at buyUSDP(). As you can see, the highlighted functions are called to increase the price of PLP when buying USDP.
  • The increase in poolAmount while buying USDP affects the getAum() function, since it depends on poolAmount for its calculation.
  • This allowed the hacker to remove liquidity at a higher exchange rate than the one used when adding liquidity.
  • Buying exchange rate – 1:1
  • Selling exchange rate – 1:1.9

Attack Process:

  • First, the attacker took a flash loan of 3 Million.
  • Purchased PLP tokens worth 1 Million by calling the purchasePlp() function.
  • This purchasePlp() function calls 2 functions:
  • _mintAndStakePlp()
    • This function adds liquidity to the pool,
    • buys USDP,
    • and mints PLP at a 1:1 ratio.
  • vester.deposit
    • This function deposits the staked amount.
  • Next, the attacker used the remaining 2 Million to buy USDP by calling the buyUSDP() function. This inflated the exchange rate.
  • The attacker then unstaked the previously staked amount by calling the unstakeAndRedeemPlp() function. This sent USDP to the attacker's address at the inflated price.
  • The attacker then called the sellUSDP() function to sell all of the USDP held. This consisted of
    • 2 Million USDP
    • the USDP the attacker received after inflating the price in the previous step
  • Finally, the attacker repaid the flash loan of 3 Million and kept the remaining ~$900k profit.
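To make the root cause and the attack sequence above concrete, here is an added toy model of the pool accounting (written for this write-up, not Palmswap's contract code). It assumes one collateral asset worth exactly 1 USD, no fees, honest LPs who seeded the pool with `seed` collateral, and a hypothetical remedy in which USDP sold to outside holders is subtracted from AUM; the seed value is chosen so that the toy reproduces roughly the 1:1.9 redemption rate and ~$900k figure from the post.

```python
class Pool:
    def __init__(self, seed: float, count_usdp_liability: bool) -> None:
        self.count_usdp_liability = count_usdp_liability  # False = vulnerable
        self.pool_amount = seed    # collateral held by the pool, seeded by honest LPs
        self.external_usdp = 0.0   # USDP sold to outside holders via buy_usdp()
        self.plp_supply = seed     # PLP minted 1:1 to the seeding LPs

    def get_aum(self) -> float:
        # Vulnerable: AUM follows pool_amount alone. Assumed fix: subtract outside USDP.
        aum = self.pool_amount
        if self.count_usdp_liability:
            aum -= self.external_usdp
        return aum

    def plp_price(self) -> float:
        return self.get_aum() / self.plp_supply

    def purchase_plp(self, collateral: float) -> float:
        minted = collateral / self.plp_price()  # 1:1 while the price is 1
        self.pool_amount += collateral
        self.plp_supply += minted
        return minted

    def buy_usdp(self, collateral: float) -> float:
        self.pool_amount += collateral    # collateral in ...
        self.external_usdp += collateral  # ... USDP out to the buyer
        return collateral

    def redeem_plp(self, plp: float) -> float:
        out = plp * self.plp_price()  # burn PLP, pay its share of AUM as collateral
        assert out <= self.pool_amount, "pool cannot cover redemption"
        self.plp_supply -= plp
        self.pool_amount -= out
        return out

    def sell_usdp(self, usdp: float) -> float:
        assert usdp <= self.external_usdp and usdp <= self.pool_amount
        self.external_usdp -= usdp
        self.pool_amount -= usdp
        return usdp

def replay_flow(pool: Pool, loan: float = 3e6) -> float:
    """Replay the post's sequence with a flash loan of `loan`; return the profit."""
    plp = pool.purchase_plp(1e6)       # step 1: 1M into PLP
    usdp = pool.buy_usdp(loan - 1e6)   # step 2: remaining 2M into USDP
    return pool.redeem_plp(plp) + pool.sell_usdp(usdp) - loan  # steps 3-4, repay

def plp_price_invariant_under_buy_usdp(pool: Pool, amount: float) -> bool:
    # The invariant a pre-deployment test or fuzzer should have caught.
    before = pool.plp_price()
    pool.buy_usdp(amount)
    return abs(pool.plp_price() - before) < 1e-9
```

With the vulnerable accounting the replay nets the attacker about 0.89M from a 1.25M seed and leaves the honest LPs' PLP backed by a fraction of its former collateral; with the liability counted, the same sequence nets zero and the PLP price never moves.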

Flow of Funds:

Here is the fund flow during and after the exploit. You can see more details here.

Attacker's Wallets:

Currently, all of the funds reside at this address – 0x0fe7457f5909778b15d8e46768678abbf0c98329

Here is a snippet of the wallet address:


After the Exploit

  • The project acknowledged the hack via their Twitter.

Incident Timelines

Jul-24-2023 (05:23:38 PM +UTC) – A suspicious transaction was noticed on PalmSwap's contracts.

Jul-24-2023 (06:33:31 PM +UTC) – The exploiter successfully stole $900k BUSD.

Jul-24-2023 (06:33:31 PM +UTC) – The exploiter transferred the funds to this address.


How could they have prevented the exploit?

  • When dealing with business logic where processes like staking and unstaking take place, it is essential to write comprehensive test cases.
  • It is strongly recommended to verify that all invariants hold before deployment. Implement fuzzing wherever necessary.

The Critical Need for Web3 Security

As a Web3 security firm, QuillAudits embraces the essence of decentralization by offering transparency, and we want that spirit to shine through in our services too.
