Background introduction
Recently, we monitored an on-chain attack on CloberDEX, a project on Base. https://basescan.org/tx/0x8fcdfcded45100437ff94801090355f2f689941dca75de9a702e01670f361c04
The attacked project is CloberDEX, and the attacker made a profit of about 133 ETH, or about 500,000 USD. The main functions of this project are as follows: open opens a new trading pool containing trading pairs A to B and B to A, and each trading pair also contains a preset trading strategy; mint adds liquidity to the trading pair and obtains LP Token; burn destroys LP Token to obtain the corresponding currency.
Attack and incident analysis
First, the attacker borrowed 267 WETH from Morpho Blue using flashloan.
Then, the attacker used open to open two trading pairs on CloberDEX, namely Token/WETH and WETH/Token, where Token is a contract deployed by the attacker himself.
Then, the attacker used mint to transfer 267 WETH and 267 Token to the newly opened trading pair to add liquidity and obtain LP Token.
So far, there is no problem. Finally, the attacker uses burn to destroy the LP Token just obtained. Let’s take a look at the specific implementation of burn;
The control flow goes to the lock function. Similarly, let’s take a look at the specific implementation of lock;
As you can see, in the lock function, bytes caldata data is passed to the lockAcquired function. Let’s continue to look at the implementation of this function.
We found this line of code
We can see that the function called by the code is determined by data. The first four bytes of data are the signature of _burn, so burn essentially calls _burn.
We can see that _burn calls pool.strategy.burnHook(msg.sender, key, burnAmount,supply) again, and the processing of the pool’s reserver comes after this code. So, the problem arises here, the address of the strategy contract of the pool corresponding to the trading pair can be controlled by the attacker. In this attack, the attacker wrote the address as his own attack contract address: 0x32fb1bedd95bf78ca2c6943ae5aeaeaafc0d97c1.
When the contract process reaches the BurnHook of the attack contract, it continues to call burn to complete the reentrancy attack.
Summary
The main cause of this vulnerability is that the CloberDEX project contract did not perform reentrancy detection and protection in the code for obtaining and destroying LP Tokens, and the state variables were updated after the contract was called, which eventually led to the attacker using the reentry vulnerability to empty the project’s WETH. It is recommended that the project party should conduct multi-party verification when designing the economic model, price calculation mechanism and code operation logic, and try to select multiple audit companies for cross-audit when auditing the contract before it goes online.
