Hundred Finance Exploit and Compound v2

Exploit

Context

On April 15th, Hundred Finance, a Compound v2 fork, was exploited. The Forta Network recognized the deployment of a suspicious contract targeting the hWBTC contract approximately 44 minutes prior.

In a subsequent transaction, that exploiter contract repeated these steps to extract almost all of each asset available in the protocol:

  1. Create and fund a new borrower contract
  2. Mint collateral tokens in an empty market and redeem most minted tokens
  3. Donate redeemed asset tokens to inflate the exchange rate
  4. Borrow a different asset with the manipulated exchange rate
  5. Redeem collateral to recover donation
  6. Liquidate borrower contract position with borrowed funds and redeem collateral token to reset empty market

Status

Since then, other Compound v2 forks have also been exploited. Independent analyses conducted by Daniel Von Fange, Hexagate, B Protocol, and OpenZeppelin confirm that the exploited code exists in the current version of Compound v2. However, we confirmed that the conditions that allow the exploit, markets with low total supply and a non-zero collateral factor (CF), do not currently exist in Compound v2 and that this vulnerability is not in v3.

Mitigations

Existing Markets

We already monitor the levels and concentration of supply, borrow, and liquidity as well as exchange rates and prices of assets in the v2 markets. If a market becomes vulnerable, we can set its CF to zero to mitigate this inflation attack. The smallest markets already have a zero CF and cannot be exploited to extract value from other markets. Alternatively, burning cTokens can also mitigate this type of attack in existing markets.

New Markets

It is possible that a Compound v2 market could be vulnerable in the future if the CF is non-zero and Total Supply is relatively low or centralized. According to Hexagate, these conditions were present in 2021 following proposal 41 when the latest v2 WBTC market was launched. Although there are no current plans to add another v2 market, new v2 markets may be vulnerable if the CF is non-zero before supply exists.

We’ve reviewed Hexagate’s recommended mitigation for launching new markets and we agree that the collateral factor should remain zero until enough cTokens are minted. Proposals for new v2 markets should consider including and preserving the order of these steps: set CF to zero, list market, mint cTokens, and set CF to non-zero.

Credits

We want to thank Daniel from Origin Protocol for reaching out to OpenZeppelin and sharing his analysis with the community.

We want to thank Niv from Hexagate for reaching out to the OpenZeppelin team and sharing their analysis with the community.

We want to thank Yaron from the RiskDAO for reaching out to the OpenZeppelin team and sharing his analysis, which included grateful contributions from the independent researcher pcaversaccio.

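The two checks described under Mitigations, sketched as an added example (not code from OpenZeppelin, Compound, or the original post): a monitor that flags a market meeting both exploit conditions, and a replay of a new-market proposal that reports any step out of the recommended order. The supply threshold, the action labels, and the sample markets are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed threshold: the post gives no number for "low" total supply.
MIN_TOTAL_SUPPLY = 10**8  # cToken base units (hypothetical cut-off)

@dataclass
class Market:
    symbol: str
    collateral_factor: float  # 0.0 means the cToken cannot back borrows
    total_supply: int         # cTokens outstanding, base units
    cash: int                 # underlying held by the market, base units
    borrows: int = 0
    reserves: int = 0

def exchange_rate(m: Market):
    """Compound v2 rate: (cash + borrows - reserves) / totalSupply."""
    if m.total_supply == 0:
        return None  # v2 falls back to the market's initial rate here
    return (m.cash + m.borrows - m.reserves) / m.total_supply

def is_exposed(m: Market, min_supply: int = MIN_TOTAL_SUPPLY) -> bool:
    """Both conditions from the post: non-zero CF and low total supply."""
    return m.collateral_factor > 0 and m.total_supply < min_supply

def launch_order_problems(actions: list[str]) -> list[str]:
    """Replay a proposal's actions (hypothetical labels) and report any
    step that breaks: set CF zero -> list -> mint cTokens -> CF non-zero."""
    problems, cf_zeroed, listed, minted = [], False, False, False
    for i, action in enumerate(actions):
        if action == "set_cf_zero":
            cf_zeroed = True
        elif action == "list_market":
            if not cf_zeroed:
                problems.append(f"step {i}: market listed before CF set to zero")
            listed = True
        elif action == "mint_ctokens":
            if not listed:
                problems.append(f"step {i}: mint before market is listed")
            minted = True
        elif action == "set_cf_nonzero" and not minted:
            problems.append(f"step {i}: CF raised before cTokens are minted")
    if not minted:
        problems.append("proposal never mints cTokens")
    return problems

# Constructed sample markets, not real on-chain values.
EMPTY = Market("cNEW", 0.7, total_supply=2, cash=2)
DEEP = Market("cBIG", 0.7, total_supply=10**15, cash=10**15)
```

The same unsolicited increase in `cash` moves the rate of `EMPTY` by orders of magnitude and leaves `DEEP` almost unchanged, which is why the monitor keys on total supply together with CF.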