Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Sense Finance Access Control Issue Bugfix Review- 885

Immunefi, Posted 3 Years Ago
  • Sense is a framework that allows the building of new yield primitives. This would include bonds, yield tokens and tranche-like (pools of assets) instruments.
  • The first app (made by Sense) was a yield stripping app called Sense Space. This means that users can lend at a fixed rate and make gains on this. Additionally, they can make short/long bets on the future yields of existing yield-bearing assets.
  • Sense Space is an Automated Market Maker (AMM). This is built upon the Balancer contract, which implements yieldspace invariants and a market for principal and yield token trading. Balancer is an automated portfolio manager, liquidity provider and price sensor.
  • When the Balancer vault handles a swap between tokens, it does this by making a callback to the onSwap() function of the Space AMM pool.
  • The AMM pool function onSwap() updates the prices of the tokens depending on the actions performed in the actual swap. In particular, it updates the amount of tokens available.
  • The issue is that the onSwap() method does NOT validate who makes this call. As a result, an attacker could call it with arbitrary values to control the oracle. By controlling the oracle, the price of tokens could be set, giving an attacker an easy time stealing money.
  • The simple fix for this was to ensure that the sender of the call was the vault contract. Overall, a simple vulnerability that came from the complexity of integrating multiple pieces together.
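
The missing check and its fix, as an added sketch that is not Sense's or Balancer's code. The contract name, the state variables, the simplified onSwap() parameters and the constant-product pricing are all assumptions made for illustration; only the caller check on the vault comes from the write-up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical, simplified pool: illustrates the access-control pattern only.
contract SpacePoolSketch {
    address public immutable vault; // the only legitimate caller of onSwap()
    uint256 public reserveIn;       // cached balances that feed the price oracle
    uint256 public reserveOut;
    uint256 public oraclePrice;     // 18-decimal price derived from the reserves

    error CallerNotVault(address caller);

    constructor(address vault_) {
        vault = vault_;
    }

    // Before the fix: no caller validation, so any account can push
    // arbitrary balances into the oracle state.
    function onSwapUnchecked(uint256 balanceIn, uint256 balanceOut, uint256 amountIn)
        external
        returns (uint256 amountOut)
    {
        return _swapAndUpdateOracle(balanceIn, balanceOut, amountIn);
    }

    // After the fix: same logic, reachable only through the vault's callback.
    function onSwap(uint256 balanceIn, uint256 balanceOut, uint256 amountIn)
        external
        returns (uint256 amountOut)
    {
        if (msg.sender != vault) revert CallerNotVault(msg.sender);
        return _swapAndUpdateOracle(balanceIn, balanceOut, amountIn);
    }

    function _swapAndUpdateOracle(uint256 balanceIn, uint256 balanceOut, uint256 amountIn)
        private
        returns (uint256 amountOut)
    {
        require(balanceIn > 0 && balanceOut > 0, "empty pool");
        // Constant-product pricing stands in for the real yieldspace invariant.
        amountOut = (balanceOut * amountIn) / (balanceIn + amountIn);
        reserveIn = balanceIn + amountIn;
        reserveOut = balanceOut - amountOut;
        oraclePrice = (reserveOut * 1e18) / reserveIn;
    }
}
```

When reviewing a pool that integrates with a vault, every external callback that writes pricing or oracle state should carry this kind of caller check, and a test should assert that a call from any other address reverts.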