The analysis of Nerve Bridge Security Incident

By BlockSec

0x.1 Preface

Figure 1: an example of attack transaction

As of this writing, the attacker has exhausted the liquidity of fUSDT and UST of Nerve’s staking pools, and gained 900 BNB profit.

Surprisingly, we found that the vulnerable code is forked from Saddle.Finance, which already led to 8M$ loss of Synapse Bridge on Nov 6th, 2021. Specifically, the root cause of the vulnerability comes from the inconsistent implementation of calculating exchange amount of tokens in different libraries.

However, there does NOT exist any public available report to analyze this security incident. As such, in this blog, we aim to provide a comprehensive analysis, including the mechanism of the project, the vulnerability and the attack.

0x2. Background

0x2.1 What is MetaPool?

As such, MetaPool is proposed to address this problem. As stated by Curve [2], “it allows a single coin to be pooled with all the coins in another (base) pool without diluting its liquidity’’. It is essentially a swap pool between a stablecoin and a LP token of a Stand StableSwap Pool (which consists of several other stablecoins). In our context, we call these two types of stablecoins as pool stablecoin and underlying stablecoin, respectively.

For example, one victim of this incident is just the MetaPool of fUSDT and LP token of Nerve.3pool (including BUSD, USD and USDC), and the structure of this pool is essentially [fUSDT, LP token of (BUSD, USD, USDC)]. Thus fUSDT is the pool stablecoin, while BUSD, USD and USDC are the underlying stablecoins.

Figure 2: Neve.3pool

0x2.2 Source of the Vulnerable Code

Figure 3: attack transactions targeting Synapse

Around $8.2M funds were drained from the MetaPool, while no funds were actually lost due to a ``silly’’ mistake made by the attacker [3].

After that, Saddle.Finance took an emergency action to guarantee the safety of their funds by pausing all the MetaPool contracts. However, Nerve Bridge did not take any action, which inevitably led to this security incident.

The relevant contract addresses are listed in the following:

  • MetaSwap: 0xd0fBF0A224563D5fFc8A57e4fdA6Ae080EbCf3D3
  • MetaSwapUtils: 0x91d1DBE983fBCbBAC198D5310f1d0C249bb54E65

0x3. Vulnerability Analysis

swap: _calculateSwap function
swapUnderlying: _calculateSwapUnderlying function

However, the two functions are implemented inconsistently. As shown in the above two figures. The code snippet in the red rectangle is used to adjust the value of the LP token by measuring the “virtual price” of a LP token (which increases from a baseline value of 1 as more fees come). Meanwhile the swap function ignores the impact of the virtual price, which means the value of the LP token will be underestimated. In other words, more LP tokens could be swapped out.

As a result, it is possible to harvest more pool stablecoins by first fetching back the liquidity of the underlying stablecoins with the corresponding LP token, and then swapping pool stablecoins by invoking the swapUnderlying function.

0x4. Attack Analysis

Figure 6: the five attack steps

Figure 6 shows that the attacker took the following five steps to launch the attack:

  • Step 1: borrowing 50,000 BUSD using Flashloan from Fortube
  • Step 2: swapping 50,000 BUSD for 50,351 fUSDT from Ellipsis.
  • Step 3: invoking the swap function of MetaSwap to swap 50,351 fUSDT for 36,959 Nerve 3-LP with a relatively big slippage.
  • Step 4: invoking the removeLiquidityOneCoin function of Nerve.3pool with the LP tokens (received in the previous step) to remove the liquidity of BUSD, i.e., 37,071 BUSD.
  • Step 5: invoking the swapUnderlying function of MetaSwap to swap BUSD for fUSDT, and receiving 51,494 fUSDT.

The attacker repeatedly execute the above five steps (around 200+ transactions) to drain the liquidity of the MetaPool, and finally harvested 900 BNB.

Interestingly, the attacker just adopted the same approach used in the Synapse incident, which is not an optimized way to achieve the goal. Alternatively, it is possible launch attacks more efficiently, e.g., applying optimized parameters to drain the liquidity in one transaction. The result suggests that the attacker might NOT fully understand the root cause of this vulnerability.




Credits: Hailin Wang, Lei Wu, Yajin Zhou @BlockSec




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

The BlockSec Team focuses on the security of the blockchain ecosystem and the research of crypto hack monitoring and blocking, smart contract auditing.