Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The contract CvxRewardDistributor was exploited for 210K in value. This contracts job is to mint rewards for eligible stakers.

When calling claimMultipleStaking on the contract, there is a parameter called claimContracts to specify the address of the staking contract to call. This parameter is used to make a call to a contract to get the amount of tokens that should be minted for the user.

The address was missing input validation though. So, an attacker was able to create their our contract with the same interface to tell the contract to mint an arbitrary amount of funds. At this point, the protocol was effectively rugged.

The most interesting part was that this product had FOUR audits. So, how did this simple bug get through? It didn't! While trying to do gas optimizations AFTER the audits, the vulnerability was introduced. Yikes... don't do gas optimizations after four reviews.