About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Decommissioning Prisma Finance - A Turbulent but Ultimately Soft-Landing- 1591

waveyPosted 1 Year Ago
  • Prisma Finance is a hacked Liquidity fork that has been a ghost ever since. However, there is still some liquidity in it that they needed to get out. They discovered several other bugs in it while trying to decommision it.
  • As the TVL dwindled, a subtle account bug came to light. This was discovered after seeing a mismatch in the sum of the user debt and the actual user debt. The culprit is a stale value being used that did not include the interest from a previous call. Over time, a drift between the collateral's asset value and the tracking of debt would occur. If too much was tried to be withdrawn, then an integer underflow would occur, rendering it all useless.
  • At first, they thought fixing this was impossible, since it was in a sunset mode. However, they noticed that Governance was still enabled. By setting the oracle contract to return a value of uint256.max, users could withdraw their collateral again. This manipulated price created a bunch of bad debt in the protocol but users could get their funds back.
  • The second bug is MUCH worse. A Discord user posted that collateral gains from the ULTRA pool could not be claimed. At the top of the function claimCollateralGains(), the author noticed _accrueDepositorCollateralGain. This function rests a value that SHOULD have been zeroed out. Effectively, this removes the replay protection. This was exploited for 13ish ETH a while ago.
  • Prisma needed to reduce the debt ceiling to zero. Because of this, the mkUSD and ULTRA loans were not allowed. When this happened, Prisma's stablecoins deviated from their $1 peg to as high as $1.45. Why? The stablecoins are required for users to close their loans. Since this was the case, the token became more valuable. Traders hoarded the token to drive up the price and got a profit from the sale.
  • Because of this bad market dynamic, they added a manual 1 to 1 peg to allow users to close their loans without paying high amounts.
  • There are still $80K in debt remaining that needs to be claimed. Overall, a super interesting post on the complexities of shutting down a protocol.

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed