How to exploit the same vulnerability of MetaPool in two different ways (Nerve Bridge / Saddle Finance) — What you see is not what you get

0x1. About the Deployed Contracts

  • The victim MetaSwap contract: 0x824dcd7b044d60df2e89b1bb888e66d8bcf41491
  • The vulnerable MetaSwapUtils contract: 0x88Cc4aA0dd6Cf126b00C012dDa9f6F4fd9388b17

0x2. Vulnerability Analysis

0x3. The Original Attack Method of the Nerve Bridge Incident

0x4. The New Attack Method of the Saddle Finance Incident

0x4.1 The Pricing Mechanism

  • Step I: Put the current pool’s reserves (x0​ and x1​) into the formula to calculate the current D, which determines the current price curve.
  • Step II: Let the x0​ increase dx0​, and put the current D and x0​ into the formula to calculate the new x1​.
  • Step III: Then, dx1​ is the difference between the new x1​ and the old x1​.

0x4.2 The Attack Analysis

  • Swap-I: swap 14,800,272 sUSD for 9,657,586 saddleUSD
  • Swap-II: swap 9,657,586 saddleUSD for 16,860,043 sUSD
  • ①: Swap 14,800,272 sUSD for 9,625,654 saddleUSD. Now, D is increased as 17,931,435 (due to the charged fees).
  • ②: Since the vulnerable MetaPool does not scale down the amount of exchanged saddleUSD, the pool losses 31,932 saddleUSD. The losses decrease D as 15,736,195, which further shifts the price curve down (from the black curve to the gray one).
  • ③: Since the price curve is shifted down, the same 9,625,654 saddleUSD can swap out 16,891,906 sUSD that is far more than the cost: 14,800,272 sUSD.
  • ④: Since the vulnerable MetaPool does not scale up the amount of incoming saddleUSD before calculating the price, there is 31,863 sUSD left in the MetaPool, which shifts the price curve up (from the gray curve to the blue one). Nevertheless, the pair of swaps still profits 2,059,771 sUSD.

0x5. Some Take Away

About BlockSec




A Blockchain Security and Data Company.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

{UPDATE} Monster Truck Road Race-r Rally Hack Free Resources Generator

Virtual Reality: The New Tech With Frightening Insight into Our Psyches and Identities

The Contrast Between ‘Low & Slow’ and DDoS Attacks

Bid for carving up 1,000,000 CVT on CROSS


{UPDATE} How's your FORCE? Hack Free Resources Generator

{UPDATE} Ball Bang Hack Free Resources Generator

GDPR can foster innovation and breed new business models

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


A Blockchain Security and Data Company.

More from Medium

VaaS — Automatic detection tool , make your smart contract secure in Web3.0

Lunaray Security Scan Report

LI.FI Attack: a Cross-chain Bridge Vulnerability? No, It’s Due to Unchecked External Call!

Paraluni Incident Analysis