Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

TrueUSD <--> Compound Vulnerability- 1061

ChainSecurity - Posted 3 Years Ago
  • TrueUSD is a stablecoin backed by the US dollar. Recently, ChainSecurity did an audit of the Compound cToken contract, which uncovered a new vulnerability.
  • Double-Entry Point Tokens are tokens where several contracts interact with the same balances. TrueUSD had this property because of a previous legacy version. Practically, the legacy contract just forwards any calls to the primary contract; altering the price in one should alter the price of the other. Works perfectly!
  • The Compound protocol has cTokens. These are the liquidity provider tokens from the protocol. Within Compound, a function called sweepToken was implemented. This is for rescuing funds that were accidentally sent to a contract managing a specific underlying token. This function can be called by anyone, but the tokens are sent to the admin, so it shouldn't matter.
  • sweepToken has a sanity check to ensure that the address of the token we are trying to recover does NOT equal the underlying token of the cToken contract. This is because being able to send out arbitrary tokens that back the cToken contract would destroy the protocol.
  • Remember how there are TWO entry points with TrueUSD though? Since either of these addresses can be specified in the sweepToken call, we can bypass this sanity check with the legacy version address. This means that the entirety of the balance of the underlying token can be sent to the Admin. Why is this bad? Finance calculations!
  • The exchange rate of the cTUSD is as follows:
    (totalCash + totalBorrows - totalReserves) / totalSupply
    The variables above are:
    • totalCash: Total amount of TUSD in the contract.
    • totalBorrows: Amount of TUSD currently borrowed from the contract.
    • totalReserves: Amount of TUSD that belongs to the protocol.
    • totalSupply: Amount of TUSD that has been minted.
  • With our attack, we can force the totalCash to become 0 for TUSD in the contract. Since we are drastically changing the price of the token by doing this, an attacker can profit from it! The author gives a few ideas on how to do this:
    • Liquidate users who provided TUSD as collateral for their loans.
    • Borrow TUSD, execute the attack, then pay back less TUSD for the loan because of the new low exchange rate.
    • Execute the attack to mint cTUSD. When the funds are returned to the contract, redeem the cTUSD for a profit.
  • TUSD cannot be used as collateral so option 1 doesn't work. Option 2 would have yielded a 12% gain without any user interactions, giving a 3.1 million dollar profit. Option 3 would have worked, since the price of cTUSD would have increased once the funds had been sent back. However, this would have required user interaction, which sucks for an attacker.
  • This vulnerability was fixed by putting admin privileges on the sweepToken function. Additionally, TrueUSD removed the second entry point. According to the authors of the post, the better solution would have been a sanity check on the underlying balance of the contract before and after the transfer though. Overall, a very novel vulnerability that is something to look out for in the future when interacting with a contract with multiple entry points.
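
The address-only check and the before/after balance check suggested by the post's authors, side by side in a small Python model. This is an added example, not Compound's or TrueUSD's code: the class names, method names and sample figures are assumptions made for illustration.

```python
class Token:
    """Primary entry point; owns the balance table. Constructed, simplified model."""
    def __init__(self):
        self.balances = {}
    def balance_of(self, who):
        return self.balances.get(who, 0)
    def transfer(self, sender, to, amount):
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[to] = self.balance_of(to) + amount

class LegacyEntryPoint:
    """Second entry point: a different address forwarding to the same balances."""
    def __init__(self, primary):
        self.primary = primary
    def balance_of(self, who):
        return self.primary.balance_of(who)
    def transfer(self, sender, to, amount):
        self.primary.transfer(sender, to, amount)

class CToken:
    def __init__(self, underlying, borrows, reserves, supply):
        self.underlying, self.admin = underlying, "admin"
        self.total_borrows, self.total_reserves, self.total_supply = borrows, reserves, supply
    def exchange_rate(self):
        total_cash = self.underlying.balance_of(self)
        return (total_cash + self.total_borrows - self.total_reserves) / self.total_supply
    def sweep_token(self, token):
        """Address comparison only, as in the check described above."""
        if token is self.underlying:
            raise ValueError("cannot sweep the underlying token")
        token.transfer(self, self.admin, token.balance_of(self))
    def sweep_token_checked(self, token):
        """Also compares the underlying balance before and after the transfer."""
        before, amount = self.underlying.balance_of(self), token.balance_of(self)
        self.sweep_token(token)
        if self.underlying.balance_of(self) != before:
            token.transfer(self.admin, self, amount)  # stand-in for an on-chain revert
            raise ValueError("sweep changed the underlying balance")

def scenario(sweep_name):  # (rate before, rate after) for a sweep via the legacy address
    tusd = Token()
    ctoken = CToken(tusd, borrows=200, reserves=0, supply=1000)
    tusd.balances[ctoken] = 800  # constructed sample figures
    before = ctoken.exchange_rate()
    try:
        getattr(ctoken, sweep_name)(LegacyEntryPoint(tusd))
    except ValueError:
        pass  # the checked variant rejects the call and restores the balance
    return before, ctoken.exchange_rate()
```

With the address-only check the modelled exchange rate moves when the legacy address is passed in; with the balance check it stays where it was, while an unrelated token can still be swept.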