Loopring(LRC) Protocol Incident

LRC Protocol Fee Vault

Details

  • Step 1: Take a flash loan of 3773.88 ETH from 0xEB7e…
  • Step 2: Swap 3773.88 ETH to 5014.68 LRC at Uniswap V1-LRC. And the rate in this trade is: 1 ETH = 1.32878 LRC
  • Step 3: Swap 0.231 ETH fee stored at LRCFV to 0.000219 LRC at Uniswap V1-LRC pool by invoking sellTokenForLRC(As mentioned previously, the attacker is not supposed to invoke sellTokenForLRC). However, based on the price calculation algorithm used at Uniswap V1-LRC, the price of LRC against ETH at Uniswap V1-LRC increases dramatically. And this rate of this trade is: 1 ETH = 0.00094 LRC
  • Step 4: Swap 5014.68 LRC to 3774.09 ETH at Uniswap V1-LRC. Based on step 3, only a few of LRC is swapped at Uniswap V1-LRC. This action makes LRC more valuable against ETH at Uniswap V1-LRC. Therefore, compared to step 1, the attacker gets 3773.88 ETH by swapping 5014.68 LRC at Uniswap V1-LRC and gains extra 0.215 ETH as a profit
  • Step 5: Return 3773.88 ETH flash loan
  • Step 6: Send 0.215 ETH to attacker’s address(EOA)

The scale of the attack

The end

Timeline

  • 2020/11/30:Suspicious transactions were found.
  • 2020/12/01: Finished the analysis.
  • 2020/12/02: Reported to loopring.
  • 2020/12/03: Vulnerability was confirmed and the fix is online.
  • 2020/12/03: Details were released.
  • 2021/01/03: CVE-2020–35962 is assigned.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store