Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Cypher is a protocol for lending, borrowing and trading using margin. Margin is the process of betting on assets using value that you are borrowing from somebody else.

There are two types of account: master account and sub accounts. The master account acts as a cache for all sub accounts under it. This information includes asset values, collateral ratio and more. Master accounts are cross-collateralized, meaning that a sub account can use assets from another sub account. This cross collateralization can be turned off on a particular sub account as well.

The function EditSubAccountMargining can be used to change the mode of the sub account. However, there is a bug here: the cache of the sub account in the master account is not updated to reflect this. The lack of updating the cache puts the account into a bizarre corrupted state.

The goal of a loan managing process is to ensure that a user cannot borrow more money than their entitled to for their collateral. Breaking this logic would result in a complete loss of assets for the protocol.

Although this is not fully explained, this is the root cause of the issue. Once in this state, the usage of the sub account will no longer effect the master account. So, removing funds from the sub account would make the master account believe it had more funds than it really did, allowing for more money to be taken out than expected.

There is a second bug that allowed this to be exploited though. The functionality for verifying margin on volatile assets had an uninitialized oracle. This led the trade being accepted, even though it should not have been. In the end, this led to $1M in stolen funds from bad loans.