How to exploit the same vulnerability of MetaPool in two different ways (Nerve Bridge / Saddle Finance) — What you see is not what you get

0x1. About the Deployed Contracts

The relevant contract addresses are listed below:

  • The victim MetaSwap contract: 0x824dcd7b044d60df2e89b1bb888e66d8bcf41491
  • The vulnerable MetaSwapUtils contract: 0x88Cc4aA0dd6Cf126b00C012dDa9f6F4fd9388b17

0x2. Vulnerability Analysis

The vulnerable contract belongs to MetaPool, which was discussed in detail in the previous blog. In short, MetaPool was originally designed by Curve to allow a single coin to be pooled with all the coins in another (base) pool without diluting its liquidity. It is essentially a pool consisting of a stable-coin and the LP token of the base pool, which itself consists of several other stable-coins. The design carries an inherent concern: a MetaPool is basically a stable-coin pool that maintains prices between stable-coins, while the LP token of a base stable-coin pool is NOT a stable-coin.

0x3. The Original Attack Method of the Nerve Bridge Incident

We re-use the figure below (see the previous blog) to review the original attack method.

0x4. The New Attack Method of the Saddle Finance Incident

The attacker of the recent Saddle Finance Incident used a different way to attack the same vulnerable swap function without involving the swapUnderlying function. Here we take one attack transaction as a concrete example to illustrate the process.

0x4.1 The Pricing Mechanism

The MetaPool of Saddle Finance inherits Curve’s pricing formula:

  • Step I: Put the pool’s current reserves (x0 and x1) into the formula to calculate the current D, which determines the current price curve.
  • Step II: Increase x0 by dx0, then put the current D and the new x0 into the formula to calculate the new x1.
  • Step III: dx1 is then the difference between the new x1 and the old x1.

0x4.2 The Attack Analysis

To understand where the profit comes from, we deployed the vulnerable and fixed MetaSwapUtils libraries locally and used the state of the victim pool at that moment to simulate the attack. During this simulation, we also recorded a few values that help to understand the attack process: A is 10,000, x_sUSD is 8,130,463, x_saddleUSD is 9,688,608, and D is 17,818,392 at that moment.

  • Swap-I: swap 14,800,272 sUSD for 9,657,586 saddleUSD
  • Swap-II: swap 9,657,586 saddleUSD for 16,860,043 sUSD
  • ①: Swap 14,800,272 sUSD for 9,625,654 saddleUSD. D now increases to 17,931,435 (due to the charged fees).
  • ②: Since the vulnerable MetaPool does not scale down the amount of exchanged saddleUSD, the pool loses 31,932 saddleUSD. This loss decreases D to 15,736,195, which further shifts the price curve down (from the black curve to the gray one).
  • ③: Since the price curve is shifted down, the same 9,625,654 saddleUSD can be swapped for 16,891,906 sUSD, far more than the cost of 14,800,272 sUSD.
  • ④: Since the vulnerable MetaPool does not scale up the amount of incoming saddleUSD before calculating the price, 31,863 sUSD is left in the MetaPool, which shifts the price curve up (from the gray curve to the blue one). Nevertheless, the pair of swaps still profits 2,059,771 sUSD.
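
The sketch below is an added example, not BlockSec's simulation or Saddle's contract code: it implements Steps I to III of 0x4.1 for a two-coin pool in integer math and shows how removing saddleUSD between the two swaps lowers D and inflates the return leg. It assumes the reported A = 10,000 is scaled by a precision factor of 100, that both reserves use 18 decimals, and that there are no fees or virtual-price scaling, so only the initial D is expected to match the reported figure; `round_trip` and `leak` are hypothetical names.

```python
# Added example: 2-coin StableSwap pricing in integer math (fee-free model).
A_PRECISION = 100   # assumption: the page's A = 10,000 is A scaled by 100
N = 2               # sUSD and the base pool's LP token (saddleUSD)
ONE = 10**18        # assumption: both reserves use 18 decimals

def get_d(xp, a):
    """Step I: solve the invariant for D by Newton iteration."""
    s = sum(xp)
    d, n_a = s, a * N
    for _ in range(256):
        d_p = d
        for x in xp:
            d_p = d_p * d // (x * N)
        prev = d
        d = ((n_a * s // A_PRECISION + d_p * N) * d
             // ((n_a - A_PRECISION) * d // A_PRECISION + (N + 1) * d_p))
        if abs(d - prev) <= 1:
            return d
    raise ArithmeticError("D did not converge")

def get_y(x_in, d, a):
    """Step II: reserve of the other coin that keeps D fixed once one reserve is x_in."""
    n_a = a * N
    c = d * d // (x_in * N) * d * A_PRECISION // (n_a * N)
    b = x_in + d * A_PRECISION // n_a
    y = d
    for _ in range(256):
        prev = y
        y = (y * y + c) // (2 * y + b - d)
        if abs(y - prev) <= 1:
            return y
    raise ArithmeticError("y did not converge")

def quote(xp, i, dx, a):
    """Step III: output of coin 1-i for dx of coin i (no fee, no virtual-price scaling)."""
    return xp[1 - i] - get_y(xp[i] + dx, get_d(xp, a), a) - 1

def round_trip(leak):
    """sUSD -> saddleUSD -> sUSD; `leak` saddleUSD leave the pool between the swaps
    (constructed stand-in for the unscaled payout). Returns (D0, D after leak, sUSD delta)."""
    a, xp, dx = 10_000, [8_130_463 * ONE, 9_688_608 * ONE], 14_800_272 * ONE  # page values
    d0 = get_d(xp, a)
    dy = quote(xp, 0, dx, a)
    xp = [xp[0] + dx, xp[1] - dy - leak]
    d1 = get_d(xp, a)
    back = quote(xp, 1, dy, a)
    return d0, d1, back - dx
```

With `leak = 0` the round trip returns the input to within rounding and D is unchanged; with the 31,932 saddleUSD from step ② removed, D falls sharply and the same saddleUSD buys back far more sUSD. That makes "D must not decrease across a swap" a useful invariant for test suites and on-chain monitoring.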

0x5. Some Takeaways

The investigation suggests that the root cause for the profits in the two incidents is the same. Specifically, the first swap (which swaps for the LP token) decreases D of the vulnerable MetaPool, which further shifts its price curve down. That shifting greatly affects the subsequent pricing and is the main reason for the subsequent profit.

About BlockSec

The BlockSec Team focuses on the security of the blockchain ecosystem, and collaborates with leading DeFi projects to secure their products. The team is founded by top-notch security researchers and experienced experts from both academia and industry. They have published multiple blockchain security papers in prestigious conferences, reported several zero-day attacks of DeFi applications, and released detailed analysis reports of high-impact security incidents.


