Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Different parsers, different results - 1054

Nnez, posted 3 years ago
  • Gearbox is a composable leverage protocol. It allows a user to take leverage on a collateral asset and use the borrowed funds through a CreditAccount across DeFi. A common piece of functionality on every lending and borrowing platform is a simple health check, which verifies whether a user's account is solvent.
  • How do users get their funds? There are routers (adapters) for every protocol, such as Uniswap and Curve. There is a sanity check at the beginning of the router that parses the user input to determine which tokens are being swapped. On UniswapV3, the same information is parsed from the path as well, but the byte array is parsed slightly differently.
  • Gearbox takes the byte array and parses the first 20 bytes as token A. It then takes the FINAL 20 bytes and parses them as token B. Uniswap reads the first 20 bytes as token A, the next 3 bytes as the fee, and the next 20 bytes as token B. The big difference is how token B is located, because of the little fee in there!
  • The author came up with the following payload:
    abi.encodePacked(WBTC, poolFee, WETH, DAI)
    
  • Token A will always be WBTC. However, Gearbox will see DAI as token B, while Uniswap will see WETH. This discrepancy means that the Gearbox health check can be bypassed.
  • To launch this attack, the author performed the following steps:
    1. Deploy a fake token on Uniswap. Make the pool 1fake=1WETH=0.0000000000001WBTC
    2. Provide a small amount of liquidity for the fake token against both WBTC and WETH at a heavily skewed exchange rate.
    3. Build a swap payload with the fake token and WBTC. The sanity check will be on the pool for the fake token and WBTC, while the actual money will be taken from WETH: abi.encodePacked(WBTC, poolFee, fake, poolFee, WETH).
    4. This results in the attacker swapping at the ratio of the fake token to the other tokens, for instance 1 WETH for 0.0000000000001 WBTC.
    5. Mint their fake token and claim they lost a bunch of WETH from the pool.
  • Overall, a super interesting bug! The path variable is a commonly used pattern for swaps, so this is something to watch out for and something I've looked for in the past.
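The two parsers described above, as an added example in Python rather than Solidity (this is not code from the original post or from the Gearbox or Uniswap code bases): both readings of a UniswapV3 path are run over the two constructed payloads from the notes, using placeholder token addresses, and a stricter check that walks every hop shows how an adapter can make the two views agree. It goes a step beyond the notes by also decoding the second payload, where the fake token sits in the middle of the route.

```python
ADDR_LEN = 20                              # an EVM address
FEE_LEN = 3                                # uint24 pool fee
NEXT_OFFSET = ADDR_LEN + FEE_LEN           # 23: distance to the next token in the path
POP_OFFSET = NEXT_OFFSET + ADDR_LEN        # 43: one full hop (tokenIn, fee, tokenOut)
MULTI_POOL_MIN = POP_OFFSET + NEXT_OFFSET  # 66: shortest path holding two hops

# Constructed placeholder addresses (not real contracts); only their length matters here.
WBTC = b"\x01" * ADDR_LEN
WETH = b"\x02" * ADDR_LEN
DAI = b"\x03" * ADDR_LEN
FAKE = b"\xff" * ADDR_LEN
POOL_FEE = (3000).to_bytes(FEE_LEN, "big")  # a 0.3% tier, packed like a uint24

# The two payloads from the notes, concatenated the way abi.encodePacked would.
PATH_TRAILING = WBTC + POOL_FEE + WETH + DAI              # 63 bytes: DAI is dangling
PATH_FAKE_HOP = WBTC + POOL_FEE + FAKE + POOL_FEE + WETH  # 66 bytes: two hops via FAKE

def gearbox_style(path):
    """Adapter's view: first 20 bytes are tokenIn, last 20 bytes are tokenOut."""
    return path[:ADDR_LEN], path[-ADDR_LEN:]

def uniswap_hops(path):
    """Router's view: decode (tokenIn, fee, tokenOut) per pool, walking the path the way
    Uniswap's Path library does. Bytes after the last complete hop are silently ignored."""
    if len(path) < POP_OFFSET:
        raise ValueError("path shorter than one hop")
    hops = []
    while True:
        fee = int.from_bytes(path[ADDR_LEN:NEXT_OFFSET], "big")
        hops.append((path[:ADDR_LEN], fee, path[NEXT_OFFSET:POP_OFFSET]))
        if len(path) < MULTI_POOL_MIN:  # hasMultiplePools() is false: this was the last pool
            return hops
        path = path[NEXT_OFFSET:]       # skipToken(): drop tokenIn + fee, tokenOut becomes tokenIn

def strict_endpoints(path, allowed):
    """Hardened sanity check: decode every hop, refuse leftover bytes, and require every
    token on the route (intermediates included) to be on the allowlist."""
    hops = uniswap_hops(path)
    if ADDR_LEN + NEXT_OFFSET * len(hops) != len(path):
        raise ValueError("trailing bytes after the last hop")
    for token_in, _, token_out in hops:
        if token_in not in allowed or token_out not in allowed:
            raise ValueError("token on the route is not allowed")
    return hops[0][0], hops[-1][2]

if __name__ == "__main__":
    # The adapter sees WBTC->DAI, the router actually swaps WBTC->WETH.
    print(gearbox_style(PATH_TRAILING)[1] == DAI, uniswap_hops(PATH_TRAILING)[0][2] == WETH)
```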