Overview:

On July 10, 2023, ArcadiaFi experienced a significant security breach due to a lack of trusted input validations and reentrancy protection resulting in a loss of ~460K USD.

Smart Contract Hack Overview:

• Attackers address(Optimism):0xd3641c
• Attackers address(Ethereum): 0x5c75e9
• Vulnerable contract: 0x3ae354
• Attack Transaction(Optimism): 0xca7c1a
• Attack Transaction(Ethereum): 0xefc4ac

Fig: Attack Transaction(Optimism)

Fig: Attack Transaction(Ethereum)

Decoding the Smart Contract Vulnerability:

• The hacker began by manipulating the vaultManagementAction function, which was crucial for allowing ArcadiaFi to interact with other DeFi protocols and controlling the flow of assets.
• A malicious contract was crafted by the attacker and injected into the vaultManagementAction function. This was accomplished by providing the address of the malicious contract in the actionHandler argument.
• Through the vaultManagementAction function, the attacker redirected all the assets to their own malicious contract by calling the nested _withdraw function.
• After successfully redirecting all assets under their control, the attacker focused on the liquidateVault function. This function was typically triggered during emergencies, such as unhealthy collaterals, to safeguard the assets of the protocol.
• The attacker cleverly tricked the system into initiating the liquidateVault function even though there was no actual emergency. This was possible because they were able to set the “isTrustedCreditorSet” global variable to false. During reentrancy, the value of the flag was not updated yet, effectively bypassing the normal collateral health check.
• By bypassing the emergency conditions, the attacker was able to trigger the liquidateVault function. Since no reentrancy guard was in place, the attacker could repeatedly call the function, resulting in the instant liquidation of the vault.
• The last part of the attack involved manipulating the executeAction function. This function was important as it enabled transactions or interactions with other smart contracts.
• The attacker abused the executeAction function to carry out unauthorized transactions. These transactions drained the funds from the vaults and redirected them into the control of the attacker.

Fig: The root cause of the vulnerability

Mitigation and Best Practices:

• It is recommended to implement thorough input validation checks, including data type, range, and format checking, access control, and other techniques, in the smart contract’s code.
• Use reentrancy-preventive function modifiers, such as Open Zepplin’s Re-entrancy guard
• Always make sure that any state changes occur internally first, such as updating balances or calling internal functions before calling external code.
• Always validate your code by writing comprehensive test cases that cover all the possible business logic.
• To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at Caligo provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://caligosec.com/
• Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at Caligo

Caligo — Smart Contract Vulnerability Scanner

Conclusion:

Caligo is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts.

Follow us on our Social Media for Web3 security-related updates.
Caligo Security — LinkedIn | Twitter | Telegram