The Analysis of the Array Finance Security Incident

Figure 1
Figure 2
  • First, the attacker invoked the buy function of the Array Finance. The attacker gained 430 ARRAY tokens minted by the Array Finance using 45.91 WETH.
  • Then the attacker invoked the joinPool function of a closed source contract (Array Collater - 0xa800cda5) five times. He/she deposited 676,410.58 DAI + 679,080.46 USDC + 901.82 WETH + 20 WBTC + 20 renBTC and gained 726.38 aBPT tokens minted by Array Collater.
  • The attacker invoked the sell function to burn 430 ARRAY tokens and got 77.17 aBPT tokens.
  • At last, the attacker invoked the exitPool function of the Array Collater. He/she burned 804.55 aBPT tokens obtained in previous two steps and obtained 748,271.55 DAI + 751,225.08 USDC + 997.62 WETH + 22.63 WBTC + 22.74 renBTC.

Summary

In summary, the attacker exploits the vulnerability that the price mechanism of the Array Finance depends on the totalSupply of the aBPT token, which is manipulatable. The vulnerability has been discussed in our research paper DeFiRanger: Detecting Price Manipulation Attacks on DeFi Applications.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
BlockSec

BlockSec

The BlockSec Team focuses on the security of the blockchain ecosystem and the research of crypto hack monitoring and blocking, smart contract auditing.