The analysis of Nerve Bridge Security Incident

0x.1 Preface

Figure 1: an example of attack transaction

0x2. Background

0x2.1 What is MetaPool?

Figure 2: Neve.3pool

0x2.2 Source of the Vulnerable Code

Figure 3: attack transactions targeting Synapse
  • MetaSwap: 0xd0fBF0A224563D5fFc8A57e4fdA6Ae080EbCf3D3
  • MetaSwapUtils: 0x91d1DBE983fBCbBAC198D5310f1d0C249bb54E65

0x3. Vulnerability Analysis

swap: _calculateSwap function
swapUnderlying: _calculateSwapUnderlying function

0x4. Attack Analysis

Figure 6: the five attack steps
  • Step 1: borrowing 50,000 BUSD using Flashloan from Fortube
  • Step 2: swapping 50,000 BUSD for 50,351 fUSDT from Ellipsis.
  • Step 3: invoking the swap function of MetaSwap to swap 50,351 fUSDT for 36,959 Nerve 3-LP with a relatively big slippage.
  • Step 4: invoking the removeLiquidityOneCoin function of Nerve.3pool with the LP tokens (received in the previous step) to remove the liquidity of BUSD, i.e., 37,071 BUSD.
  • Step 5: invoking the swapUnderlying function of MetaSwap to swap BUSD for fUSDT, and receiving 51,494 fUSDT.

Reference

--

--

--

A Blockchain Security and Data Company.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Earnmos Partners with Kinesis

No Bull. This Bitcoin Halving Bull Cycle Is Slowing Down.

$AFIN Liquidity Providers Incentive Program — Now Live!

KDG COMPLETED SWAP TO BEP-20 MAINNET

Roadmap Update v2.0

How to make money on crypto mining?

FudmartSwap Trading Competition

Chinese Litecoin community’s PZ: something you don’t know about Global LTC Roundtable

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
BlockSec

BlockSec

A Blockchain Security and Data Company.

More from Medium

Knownsec Blockchain Lab | bHOME Reentry Attack Event Analysis

Dopple Finance’s $KUSD and Synthetic Assets Manual Minting Analysis

New Integer Overflow Bug Discovered in Solana rBPF

DeFi Security Lecture 3— Sandwich Attacks