Background introduction
Recently, we detected a series of attacks on Ionic Money on Mode Chain: https://explorer.mode.network/tx/0x37e53b15cb7f298bd8c45fcbbd914ba90feb3946f5511fc55bc986b7472956df
Ionic Money is a Compound-fork DeFi lending project that provides services on Base, Optimism, Bob, Fraxtal, Lisk, and Mode. This time it was attacked on Mode Chain, and the total loss from the attack was about 8.5 MUSD.
Attack and incident analysis
First, the attacker used 60 LBTC to obtain 300 ionLBTC, the pool's underlying receipt tokens.
However, when we look at the source of the attacker's 60 LBTC, we find that the attacker had minted them himself. Before launching the attack, the attacker obtained 250 LBTC through minting.
We then checked the LBTC contract and found that its Bascule was set to the zero address: 0x00000000000000000000000000000000000000000000 .
In the LBTC implementation, a mint must be verified by Bascule.
In particular, the implementation of _confirmDeposit is as follows:
The official LBTC documentation introduces Bascule as a combination of an on-chain contract and an off-chain system that verifies deposits before minting, in order to stop attackers from minting unbacked tokens.
Because this LBTC contract had no Bascule contract configured, the attacker could mint LBTC at will. The attacker then deposited the minted LBTC as collateral in IonicMoney and borrowed the funds of every pool to complete the attack. The root cause of the attack is therefore that IonicMoney did not verify, when creating the lending pool, that the LBTC contract was the officially deployed one, so the underlying asset of the lending pool was a fake token that the attacker could mint freely and use to drain all funds through borrowing.
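As an added illustration (not code from the original post, from Ionic Money, or from the LBTC project), here is a pre-listing check in Python that a lending protocol could run before creating a pool for an LBTC-style underlying: it compares the token address against the issuer's published deployment for the chain and reads the token's Bascule verifier, rejecting the listing if either check fails. The registry addresses, the `bascule()` getter and its selector, and the RPC responses are constructed assumptions.

```python
ZERO_ADDRESS = "0x" + "00" * 20
# Constructed registry of the issuer's official deployments, keyed by chain id
# (Base = 8453, Mode = 34443). The addresses are placeholders.
OFFICIAL_LBTC = {
    8453: "0x1111111111111111111111111111111111111111",
    34443: "0x2222222222222222222222222222222222222222",
}
# Hypothetical selector of a `bascule()` view on the token; the real getter
# name and selector must come from the audited contract source.
BASCULE_SELECTOR = bytes.fromhex("deadbeef")


def decode_address_word(word: bytes) -> str:
    """ABI-decode one 32-byte return word holding an address."""
    if len(word) != 32 or any(word[:12]):
        raise ValueError("return data is not a single ABI-encoded address")
    return "0x" + word[12:].hex()


def check_underlying(chain_id: int, token: str, eth_call) -> list:
    """Return a list of findings; empty means the token may be listed.
    eth_call(to, calldata) returns raw return bytes of a read-only call."""
    findings = []
    official = OFFICIAL_LBTC.get(chain_id)
    if official is None or token.lower() != official.lower():
        findings.append("not_official")   # look-alike deployment
    bascule = decode_address_word(eth_call(token, BASCULE_SELECTOR))
    if bascule.lower() == ZERO_ADDRESS:
        findings.append("bascule_unset")  # deposits unverified: free minting
    return findings


def _word(addr: str) -> bytes:
    """ABI-encode an address as a 32-byte return word (constructed state)."""
    return bytes(12) + bytes.fromhex(addr[2:])

# Constructed chain state: a look-alike token on Mode with Bascule unset, the
# official Mode token configured correctly, and an official Base deployment
# that was (hypothetically) left misconfigured.
FAKE_LBTC = "0x3333333333333333333333333333333333333333"
STATE = {
    (FAKE_LBTC, BASCULE_SELECTOR): _word(ZERO_ADDRESS),
    (OFFICIAL_LBTC[34443], BASCULE_SELECTOR): _word("0x" + "44" * 20),
    (OFFICIAL_LBTC[8453], BASCULE_SELECTOR): _word(ZERO_ADDRESS),
}


def constructed_eth_call(to: str, calldata: bytes) -> bytes:
    return STATE[(to.lower(), calldata)]
```

Running both checks rather than stopping at the first failure is deliberate: an address that matches the registry can still be misconfigured, so the Bascule read is a second, independent gate.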
Summary
The main cause of this vulnerability is that the IonicMoney project did not verify, when creating the lending pool, that the contract corresponding to the asset was officially deployed, so the underlying asset of the lending pool was a fake token. We recommend that project teams perform multiple rounds of verification when designing the economic model, the price calculation mechanism and the code logic; engage several audit firms for cross-audits of the contracts before going live; and, as a final step before deployment, confirm that each listed token is the officially deployed contract.