The analysis of the Zerogoki attack

On Aug 08 2021 (Beijing Time, block height 12982491), Zerogoki was attacked, which caused a loss of 670K USD. After the investigation, we found that it’s related to the compromised price oracle. The attacker provides a price oracle signed by legitimate private keys, which contain crafted number of tokens to be swapped. However the reason why the attacker can construct a valid signature is unknown yet.

Code analysis

We first performed an analysis on the attacked contract (0x80ecdb90).

The swap function calls decode_op to obtain the information in the oracle. After performing the validation, the contract then burns the ns[0] x.token, mints ns[1] y.token and pays the swap fee to the GOV contract.

From the implementation of the decode_op, there exists SIGNATURENUM (three) signatures in the parameter. These signatures need to be checked (and authorization) before performing the token swap (burning and minting).

In summary, the first parameter ns of the swap function defines the number of tokens to be swapped. The second parameter contains the signatures that need to be validated. When the validation passes, the number of tokens swapped is defined in the first parameter (ns).

Attack Analysis

In the attack transaction, 0x81e5f715, the attacker constructed a message contains valid signatures and passed a crafted ns parameter (which contains a large number of zUSD). As a result, the attacker used 300 REI to swap 700k zUSD.

Three addresses that are collated with the signatures are:

0x0d93A21b4A971dF713CfC057e43F5D230E76261C
0x3054e19707447800f0666ba274a249fc9a67aa4a
0x4448993f493b1d8d9ed51f22f1d30b9b4377dfd2

However, we do not have information why the private keys of these addresses have been leaked, at the current stage.