Around 12:46 UTC on March 5th, 2022, a contract on the Ethereum mainnet exploited a previously unknown reentrancy in the bHOME Pan Lend method. The BaconCoin team was alerted, found the issue, and patched the contract within three hours of the initial exploit. The BaconCoin team quickly re-audited the contract and is also working with new, outside auditors to thoroughly verify the contracts.
Because most of the value of bHOME is held in the value of real-world homes and loans, only a small percentage of the total value was at risk. The funds at risk were only the amount held back in the Pan by the AMM for liquidity to bHOME holders. The loans, homes, and borrowers that maintain the core of bHOME’s value were naturally not affected by this event. This event showed the power of bHOME to bring real-world stability to crypto even in the face of a smart contract exploit.
The exploit contract tricked the Pan into sending 957,166 USDC out of the protocol. A second exploit was prevented by a white hat group who returned the 34,232 USDC they received. These changes caused the price of bHOME to temporarily unpeg and decrease to $0.86.
As of March 6th, the BaconCoin team has deposited 991,441 USDC into the BaconCoin multi-sig at https://etherscan.io/address/0xa42f6FB68607048dDe54FCd53D2195cc8ca5F486 that will be used to recapitalize the protocol. The protocol will be controlled manually by the BaconCoin team for a short time while the event is further investigated and any necessary contract changes are found and made.
To reduce the risk of loss of value in the future, changes will be proposed to simplify the protocol and reduce the amount of value held directly in the smart contracts. The BaconCoin team has always felt that the best way to reduce smart contract risk is to rely on battle-tested systems already in the ecosystem and keep the BaconCoin-specific footprint as small and simple as possible.
Complete new audits with a new smart contract auditor and fix any issues quickly.
Open source the contract code to get extra inspection from the security community.
Create a new bug bounty program to create incentive for community devs to report major issues.
The community has started a proposal for the BaconCoin DAO to partner with a smart contract insurer.
Convert bHOME and BACON to pure ERC-20s from ERC-777.
Change the protocol to hold less USDC in the Pan and a higher percentage of value off-chain in real-world homes.
Make bHOME a pure stable coin and use existing exchanges (DEX and CEX) to handle USDC/bHOME transactions. bHOME returns would be received by staking and claiming.
Publish a detailed roadmap with more specifics about the changes and their timeline.
On Mar 5th, 2022 at 12:46 PM UTC in transaction 0x7d22…cf31, a newly deployed contract exploited the bHOME Pan's Lend & Redeem functions.
The immediate cause of the exploit was the Lend function issuing bHOME tokens before recalculating and setting the poolLent variable, which tracks the amount of money in the Pan. Line 3 of the function shows that poolLent is updated after the bHOME tokens are minted and sent to the receiver. poolLent contains the TVL of the contract and is used to calculate the bHOME price applied during deposit and withdraw operations.

The exploit contract used a 6,360,000 USDC flash loan to make three equal Lend calls of 2,120,000 each. As soon as one Lend call had minted bHOME to the attacker, another Lend was sent before the poolLent variable was updated. This affected the bHOME price calculation on the following Lend calls.
Because the price was calculated as the value of the pool divided by the total supply of bHOME, by calling Lend after the total supply counter had increased but before the value of the pool had, the exploit contract was able to mint a disproportionate number of bHOME tokens. Before the correct bHOME price was resolved, the contract redeemed those bHOME for more USDC than it deposited.
The team quickly went to work and deployed a hotfix to the bHOME contract to update poolLent before minting the new bHOME and updating the total supply. See the updated function here.
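The ordering problem and the hotfix ordering described above can be reproduced in a small model. This is an added example, not the bHOME contract source: the `Pan` and `NestedLender` classes, the starting pool and supply of 10,000,000, and the integer price formula are assumptions made for illustration; only the three lends of 2,120,000 USDC come from the post.

```python
# Simplified model of the Lend ordering bug; not the bHOME contract source.
# Pool size and starting supply are constructed; lend sizes come from the post.

class Pan:
    def __init__(self, pool_lent, total_supply, fixed):
        self.pool_lent = pool_lent        # USDC value tracked by the Pan
        self.total_supply = total_supply  # bHOME in circulation
        self.fixed = fixed                # True = hotfix ordering
        self.balances = {}

    def _mint(self, receiver, tokens):
        self.total_supply += tokens
        self.balances[receiver] = self.balances.get(receiver, 0) + tokens
        receiver.tokens_received(self)    # ERC-777-style hook: untrusted code runs here

    def lend(self, receiver, usdc):
        # tokens = usdc / price, with price = pool_lent / total_supply
        tokens = usdc * self.total_supply // self.pool_lent
        if self.fixed:
            self.pool_lent += usdc        # state updated before the external call
            self._mint(receiver, tokens)
        else:
            self._mint(receiver, tokens)  # hook fires while pool_lent is stale
            self.pool_lent += usdc
        return tokens

    def redeem_value(self, receiver):
        return self.balances.get(receiver, 0) * self.pool_lent // self.total_supply


class NestedLender:
    """Receiver whose hook calls lend again, as the post describes."""
    def __init__(self, usdc_per_call, calls):
        self.usdc_per_call, self.remaining = usdc_per_call, calls

    def tokens_received(self, pan):
        if self.remaining > 0:
            self.remaining -= 1
            pan.lend(self, self.usdc_per_call)


def run(fixed):
    pan = Pan(pool_lent=10_000_000, total_supply=10_000_000, fixed=fixed)
    lender = NestedLender(2_120_000, calls=2)      # two nested + one outer = three lends
    pan.lend(lender, 2_120_000)
    deposited = 3 * 2_120_000
    return pan.balances[lender], pan.redeem_value(lender) - deposited
```

`run(False)` returns more bHOME than USDC deposited and a positive redeem surplus; `run(True)` returns exactly 6,360,000 bHOME and a surplus of zero, because each nested call sees a pool value that already includes the earlier deposits.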

The issue with the contract was identified, patched, and thoroughly tested within a few hours of the initial exploit transaction. The team is confident that this issue is no longer exploitable and the contract and protocol are stable and secured.
March 5, 2022
12:46 PM UTC - Transaction 0x7d22…cf31 executed on mainnet and exploited the reentrancy.
12:56 PM UTC - BaconCoin team first alerted to the issue.
1:00 PM UTC - BlockSec identified the exploit and notified Etherscan and others to blacklist the exploit wallet. See https://twitter.com/BlockSecTeam/status/1500093929760632837.
4:33 PM UTC - A second exploit was attempted and preempted by BlockSec’s automated system. See transaction 0xc161....739c which failed because it was preempted by 0xf3bd....bbd1.
4:46 PM UTC - A patch for the issue was deployed to the bHOME contract in transaction 0x1fed….f26a.
8:00 PM UTC - BaconCoin team completed a quick re-audit of the contracts for other reentrancy issues.
March 6, 2022
Ongoing review, audit, and securing of the contracts with the help of outside security and audit teams.
March 7, 2022
2:00 AM UTC - BaconCoin team placed 991,398 USDC into a multisig to be used to recapitalize the protocol.
Week of March 7th
BaconCoin team to continue to review the protocol, recapitalize the contracts, and communicate a clear roadmap for preventative actions to the community.
Reentrancy issue in the Lend method in the bHOME Pan contract.
Use of the ERC-777 standard, which calls tokensReceived on untrusted contracts.
The BaconCoin team did not find the reentrancy issue during development, testing, and review.
Failure of the BlockHunter auditors to find the reentrancy issue during two audits.
Holding excess USDC in the Pan smart contract.
Lack of incentive for exploiters to notify the developers or community.
While it is always concerning to have had a contract exploited, this event showed the power of holding the protocol’s value in real-world homes. A small percentage of the TVL was at risk and able to be exploited.
The BaconCoin team worked quickly to secure the contract within hours. Some of the funds have been recovered and the rest are still being sought. In the meantime, the BaconCoin team has deposited the full amount of lost funds in a multi-sig to be used to recapitalize the protocol.
To make sure this kind of event never happens again, we are planning changes to simplify the protocol, improve the contract security, reexamine the development process, and involve the community in protecting the protocol. A detailed roadmap will be published in the next few days after careful review.