DualPools Hack Analysis

lunaray
3 min readFeb 20, 2024

--

Background

An attack incident targeting DualPools has been detected: [https://bscscan.com/tx/0x90f374ca33fbd5aaa0d01f5fcf5dee4c7af49a98dc56b47459d8b7ad52ef1e93].

DualPools [https://dualpools.com] is a DeFi project based on the modified VenusProtocol [https://venus.io/], offering services such as Swap, Lend, and Borrow.

Its operational model is illustrated as follows:

DualPools functions as a decentralized lending platform where users deposti their underlyingAssets to acquire corresponding dToken; conversely, upon redeem function withdrawal of underlyingAssets leads to the destruction of the corresponding dToken.

The exchange ratio between underlyingAssets and dToken is controlled by the exchangeRate , essentially representing the value of dToken.

Attack Analysis

In essence, the attack can be delineated into two facets:
1. The hacker artificially inflated the price of dLINK by exploiting insufficient liquidity in the new DualPools pool (liquidity at 0), thereby depleting the targeted assets (WBNB,BTC, ETH, ADA, BUSD) from other pools through borrow function.
2. Exploiting a precision truncation issue, the attacker reclaimed all previously invested LINK.

Details of Step 1

The attacker engaged in borrowing through DODO Private Pool and PancakeSwapV3, acquiring BNB and BUSD as the initial attack funds, as depicted below:

Subsequently, leveraging the VenusProtocol to collateralize BNB and BUSD, the attacker borrowed 11500 LINK to perpetrate the assault on DualPools.

Initially, by mint through the dLINK-LINK pool, the attacker obtained 2 units of dLINK token, followed by transferring 11499999999999999999998 LINK token into the pool.

As the pool was not initialized, the calculation of exchangeRate is as follows:

exchangeRate = (totalCash + totalBorrows — totalReserves) / totalSupply

At this juncture, with the pool’s LINK token balance is

11499999999999999999998 + 2 = 11500000000000000000000

and both totalBorrows and totalReserves is 0, with totalSupply at 2 (since the hacker obtained 2 units of dLINK token through mint), the exchangeRate soared to 5750000000000000000000 (boosting the value of dLINK by a factor of 5750000000000000000000). Due to this issue, hacker using 2 dLINK token as collaterals then borrowed 50 BNB, 0.17 BTCB, 3.99 ETH, 6378 ADA, 911 BUSD from other pools.

Details of Step 2

By utilizing redeemUnderlying, the attacker converted the previously mint 2 units of dLINK token into 11499999999999999999898 units of LINK token, leveraging the manipulated exchangeRate of 5750000000000000000000. Thus, to convert 11499999999999999999898 units of LINK, the attacker required dLINK amounting to

11499999999999999999898 / 5750000000000000000000 = 1.999999999999999

which rounded down erroneously to only 1 unit of dLINK token due to a precision truncation issue.

Subsequently, the attacker withdrew the initial 11499999999999999999898 units of LINK token invested during the attack. The borrowed funds from VenusProtocol, PancakeSwapV3, DODO Private Pool were repaid, thereby concluding the assault.

This attack yielded the attacker approximately $41,000 USD, comprising gains from 3.99 ETH, 0.17 BTCB, 6378 ADA, 904 BUSD, 50 BNB.

Summary

Exploiting the low liquidity of the new DualPools pool, the attacker manipulated the exchangeRate of the targeted assets, distorting the price of assets correspond to dToken, enabling the collateralizing of substantial other assets with minimal dToken. Subsequently, exploiting an issue with precision truncation in smart contract division, the attacker reclaimed the assets invested during the attack. Thus, concluding the assault on the DeFi project DualPools.

--

--

lunaray
lunaray

Written by lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.