Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Zapper Arbitrary Call Data Bugfix Review- 915

Immunefi - Posted 3 Years Ago
  • Zapper is a wallet platform that aims to be easy to use. Joining a liquidity pool requires several different types of assets, so a user who wanted to join would have to perform many separate transactions. To solve this, Zapper swaps the coins for you and deposits them into the liquidity pool.
  • With Uniswap and SushiSwap liquidity pools, you get a position by depositing funds into a pool, known as zapping in. You can also withdraw your funds from the pool, known as zapping out. To do this, a user had to allow Zapper to perform these operations. To make this possible, Zapper allowed users to specify an arbitrary call to any liquidity pool.
  • This call took a caller-controlled address and caller-controlled call data. As a result, an attacker could set up a transferFrom() call to force the contract to transfer all LP tokens from any victim to the attacker, since by this point the victim had already allowed the contract access to their coins. In terms of the service being used, this amounts to a cross-account zap out.
  • To fix this vulnerability, Zapper removed the ability to send over arbitrary call data. Regardless, interesting bug!
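
The allowance problem described above can be seen in a small Python model. This is an added example, not code from the Immunefi write-up or from Zapper. The class names, the account names, and the shape of `FixedZapper` are assumptions, since the post only says the arbitrary call data was removed.

```python
# Simplified model (constructed for illustration): msg.sender is passed explicitly.
class LPToken:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}  # (owner, spender) -> amount

    def approve(self, sender, spender, amount):
        self.allowance[(sender, spender)] = amount

    def transferFrom(self, sender, owner, to, amount):
        # ERC-20 rule: the *caller* (sender) must hold an allowance from owner.
        if self.allowance.get((owner, sender), 0) < amount or self.balances.get(owner, 0) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(owner, sender)] -= amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class VulnerableZapper:
    """Forwards a caller-chosen target and call data, as the summary describes."""
    name = "zapper"

    def zap_out(self, caller, target, method, args):
        # The forwarded call runs with the zapper as msg.sender, so it
        # inherits every allowance any user ever granted to the zapper.
        getattr(target, method)(self.name, *args)


class FixedZapper:
    """Assumed fix shape: no caller-supplied call data; owner is always the caller."""
    name = "zapper"

    def zap_out(self, caller, token, amount):
        token.transferFrom(self.name, caller, self.name, amount)


def run_scenario(zapper_cls):
    token = LPToken({"victim": 100, "mallory": 0})
    token.approve("victim", "zapper", 100)  # victim approved the zapper earlier
    zapper = zapper_cls()
    try:
        if zapper_cls is VulnerableZapper:
            zapper.zap_out("mallory", token, "transferFrom", ("victim", "mallory", 100))
        else:
            zapper.zap_out("mallory", token, 100)  # can only spend the caller's own tokens
    except PermissionError:
        pass
    return token.balances
```

The takeaway for reviewers: any contract that holds user approvals and forwards caller-supplied call data effectively shares those approvals with every caller.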