How to Exploit the Same MetaPool Vulnerability in Two Different Ways (Nerve Bridge / Saddle Finance) — What You See Is Not What You Get

0x1. About the Deployed Contracts

  • The victim MetaSwap contract: 0x824dcd7b044d60df2e89b1bb888e66d8bcf41491
  • The vulnerable MetaSwapUtils contract: 0x88Cc4aA0dd6Cf126b00C012dDa9f6F4fd9388b17

0x2. Vulnerability Analysis

0x3. The Original Attack Method of the Nerve Bridge Incident

0x4. The New Attack Method of the Saddle Finance Incident

0x4.1 The Pricing Mechanism

  • Step I: Put the current pool reserves (x0 and x1) into the invariant formula to compute the current D, which fixes the current price curve.
  • Step II: Increase x0 by dx0, and put the current D and the new x0 into the formula to solve for the new x1.
  • Step III: dx1 is then the difference between the new x1 and the old x1.

0x4.2 The Attack Analysis

  • Swap-I: swap 14,800,272 sUSD for 9,657,586 saddleUSD
  • Swap-II: swap 9,657,586 saddleUSD for 16,860,043 sUSD
  • ①: Swap 14,800,272 sUSD for 9,625,654 saddleUSD. D now increases to 17,931,435 (because of the charged fees).
  • ②: Since the vulnerable MetaPool does not scale down the amount of saddleUSD it pays out, the pool loses 31,932 saddleUSD. That loss decreases D to 15,736,195, which shifts the price curve down (from the black curve to the gray one).
  • ③: Because the price curve has shifted down, the same 9,625,654 saddleUSD now swaps out 16,891,906 sUSD, far more than the 14,800,272 sUSD it cost.
  • ④: Since the vulnerable MetaPool does not scale up the amount of incoming saddleUSD before calculating the price, 31,863 sUSD is left in the MetaPool, which shifts the price curve up again (from the gray curve to the blue one). Nevertheless, the pair of swaps still profits 2,059,771 sUSD.
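To make the three pricing steps and the two scaling defects (bullets ② and ④) concrete, here is an added Python model; it is not code from the BlockSec post or from the Saddle contracts. It implements the Curve/Saddle two-token invariant; the amplification coefficient, fee, base-pool virtual price and reserves are constructed values, `scaled=True` is the corrected behaviour and `scaled=False` reproduces the defect.

```python
# Added example (not BlockSec's or Saddle's code): two-token StableSwap model of
# a MetaPool holding sUSD and saddleUSD (the base pool's LP token). Constructed values.
N = 2  # index 0 = sUSD, index 1 = saddleUSD

def get_d(xp, a):
    """Step I: Newton iteration for the invariant D of the scaled reserves xp."""
    s, ann, d = sum(xp), a * N, sum(xp)
    for _ in range(256):
        d_p = d
        for x in xp:
            d_p = d_p * d / (x * N)
        d_prev = d
        d = (ann * s + d_p * N) * d / ((ann - 1) * d + (N + 1) * d_p)
        if abs(d - d_prev) < 1e-6:
            break
    return d

def get_y(d, x, a):
    """Step II: solve the invariant for the other reserve once one reserve is x."""
    c, b, y = d * d / (x * N) * d / (a * N * N), x + d / (a * N), d
    for _ in range(256):
        y_prev = y
        y = (y * y + c) / (2 * y + b - d)
        if abs(y - y_prev) < 1e-6:
            break
    return y

class MetaPool:
    def __init__(self, susd, lp, vp, a=5.0, fee=0.0004, scaled=True):
        self.bal = [susd, lp]  # raw balances; lp counts saddleUSD LP tokens
        self.vp, self.a, self.fee, self.scaled = vp, a, fee, scaled

    def xp(self):  # scaled reserves: one saddleUSD is worth vp sUSD
        return [self.bal[0], self.bal[1] * self.vp]

    def swap(self, i, j, dx):
        xp = self.xp()
        # bullet ④: incoming saddleUSD must be scaled up before pricing
        dx_p = dx * self.vp if (i == 1 and self.scaled) else dx
        dy_p = xp[j] - get_y(get_d(xp, self.a), xp[i] + dx_p, self.a)  # Step III
        dy_p -= dy_p * self.fee  # the swap fee stays in the pool and raises D
        # bullet ②: outgoing saddleUSD must be scaled down before transfer
        dy = dy_p / self.vp if (j == 1 and self.scaled) else dy_p
        self.bal[i] += dx
        self.bal[j] -= dy
        return dy

def round_trip(scaled, dx=5_000_000.0):  # sUSD -> saddleUSD -> sUSD, net sUSD
    pool = MetaPool(10_000_000.0, 10_000_000.0, vp=1.10, scaled=scaled)
    return pool.swap(1, 0, pool.swap(0, 1, dx)) - dx
```

With the corrected scaling the round trip loses the two swap fees; with the defect the first swap hands out vp times too many LP tokens, D drops, and the same tokens swap back for more sUSD than they cost.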

0x5. Some Takeaways

About BlockSec


A Blockchain Security and Data Company.
