Sleight of Hand

behind-the-code@newsletter.paragraph.com (Behind the Code) — Tue, 30 Jan 2024 21:39:21 GMT

The stablecoin Abracadabra.money (MIM) experienced another significant exploit early on January 30th, resulting in a flash crash to $0.76. This exploit was revealed by blockchain security company PeckShield, which indicated that the attacker's funds originated from Tornado Cash. Based on an Etherscan Screenshot shared by PeckShield, the attack specifically targeted Abracadabra's 'Degenbox' feature, which automatically executes performance-enhancing strategies.

Abracadabra's Degenbox

The hacker swapped $7 Million of MIM for a total of $6.3 Million in ETH, incurring around 10% slippage when they dumped it on Curve. They’re now holding the ETH in two addresses:

0x40d5FFA20fC0dF6bE4D9991938dAa54E6919c714 ($4.15M ETH)

0xbD12D6054827ae3fc6D23B1aCf47736691b52Fd3 ($2.16M ETH)

BlockSec Phalcon detected the ongoing assaults on Abracadabra.money, mostly targeting MIM and posted it on Twitter. @MageIntern from Offside Labs offered a play by play of the situation on Twitter account:

“We noticed an attack transaction targeting @MIM_Spell that was highlighted by @blocksecteam, and we initiated our own analysis. Using @Phalcon_xyz, we spotted an unusual pattern in the transaction flow. The attacker kept borrowing and repaying just 1 token, yet the part value kept growing exponentially.

Digging into the CauldronV4 contract's borrow function, we found that part represents a user's share of the borrowed amount in the total debt. Strangely, the attacker managed to repay everyone's debt, setting totalBorrow.elastic to zero. But due to what seems like rounding errors, totalBorrow.base didn't drop to zero but stayed at 6

This discrepancy between elastic and base wasn't accounted for by the RebaseLibrary. By borrowing and repaying a single token repeatedly, part ballooned to a massive number. Consequently, the final debt calculation became incorrect, with the borrowed part being minuscule relative to the total debt parts. This allowed the attacker to drain all liquidity from the pool.”

In the latest security update from MIM, the initial findings suggest, no user collateral was at risk, the issue was fully mitigated and the funds are being tracked by Chainalysis. Preliminary findings indicate the exploit targeted specific Cauldrons V3 & V4, allowing unauthorized MIM borrowing. We’ve mitigated the issue by setting borrowing limits to zero for these cauldrons.

MIM have reached out to the attacker via an on-chain message, offering a chance to return the funds and qualify for a bug bounty:

“Hello, we are addressing the recent security issue you identified in our system. We re inclined to believe your actions were motivated by white hat intentions, and we re keen to engage in a dialogue about the situation. For mutual assurance, we kindly ask that you provide an on-chain signature along with your initial response. This will confirm we re communicating with the correct party. Please contact us at reward@abracadabra.money to discuss the matter further.”

AbracadabraDAO treasury address can be found here:

https://app.safe.global/home?safe=eth:0xDF2C270f610Dc35d8fFDA5B453E74db5471E126B

A detailed post mortem will be shared in the coming days, providing insights into the incident and future preventative measures.

Behind the Code

The Ultimate List of Crypto Job Boards

Crypto Job Boards across the space:

Jobs at Security Research Companies (AKA Smart Contract Auditing):

Sleight of Hand