Atlantis Loans Hack Analysis

Shashank
SolidityScan
Published Jun 12, 2023

On June 10, 2023, Atlantis Loans suffered a hack due to a governance attack that resulted in a total loss of ~1M USD.

Smart Contract Hack Overview:

Decoding the Smart Contract Vulnerability:

  • The main reason behind the Atlantis Loans attack was that the attacker designated themselves as the administrator of the token’s proxy contract.
  • On June 7, 2023, the attacker initiated a harmful governance proposal (ID: 52) within the GovernorBravo contract, which resulted in setting multiple ABep20Delegator contracts’ administrators as malicious contracts.
Fig: Attackers vote to pass the proposal
  • The GovernorBravo contract only verifies the eta parameter (unlock time) when queuing a proposal, which allowed the attacker to execute the proposal once the time lock expired. After a lockup period of 172,800 seconds, the malicious contract was appointed as the proxy contract administrator for all tokens.
Fig: Vulnerable GovernorBravo contract
  • Subsequently, the attacker modified the ABep20Delegate implementation address to the contract containing the backdoor (0x613cc544053812ab026d60361212cdb67b46f42f).
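The sequence above (queue a proposal, wait out the Timelock, then hand the token proxies to a new admin and swap the implementation) leaves a two-day window in which a queued proposal can be inspected. The following Python monitor is an added example, not Atlantis Loans or SolidityScan code: it reviews GovernorBravo-style proposal actions (target, signature string, ABI-encoded calldata) and flags any that point a protocol-owned proxy at an address outside an allow-list. The proxy and Timelock addresses are constructed placeholders, and the `_setPendingAdmin(address)` / `_setImplementation(address,bool,bytes)` signatures are assumed to match the Compound/Venus-style delegator interface that ABep20Delegator follows.

```python
from dataclasses import dataclass

# Admin-changing setters on Compound/Venus-style delegator proxies; assumed
# here to match ABep20Delegator's interface (assumption, not taken from the page).
ADMIN_SIGNATURES = {
    "_setPendingAdmin(address)",
    "_setImplementation(address,bool,bytes)",
}

@dataclass
class Action:
    target: str      # contract the Timelock will call on execution
    signature: str   # e.g. "_setPendingAdmin(address)"; "" means raw calldata
    calldata: bytes  # ABI-encoded arguments (no selector when signature is set)

def abi_address_word(addr: str) -> bytes:
    """Encode a 0x-prefixed address as a left-padded 32-byte ABI word."""
    return bytes(12) + bytes.fromhex(addr[2:])

def decode_address_arg(calldata: bytes, index: int = 0) -> str:
    """Return the address stored in 32-byte ABI word number `index`."""
    word = calldata[32 * index:32 * (index + 1)]
    if len(word) != 32 or any(word[:12]):
        raise ValueError("malformed address word")
    return "0x" + word[12:].hex()

def review_proposal(actions, protocol_proxies, allowlist, eta, now):
    """Flag actions that hand a protocol proxy to an address outside `allowlist`.

    `eta` is the Timelock unlock time GovernorBravo checked at queue time; the
    gap to `now` is the window defenders have before the proposal can execute.
    """
    proxies = {a.lower() for a in protocol_proxies}
    allowed = {a.lower() for a in allowlist}
    findings = []
    for i, act in enumerate(actions):
        if act.target.lower() not in proxies:
            continue  # only calls into protocol-owned proxies are in scope
        if act.signature == "":
            findings.append(f"action {i}: raw calldata to proxy {act.target}, decode manually")
        elif act.signature in ADMIN_SIGNATURES:
            new_addr = decode_address_arg(act.calldata)
            if new_addr not in allowed:
                findings.append(f"action {i}: {act.signature} on {act.target} -> {new_addr}")
    return {"critical": bool(findings),
            "seconds_until_executable": max(eta - now, 0), "findings": findings}
```

An action whose signature string is empty hides its selector inside the calldata, so the monitor reports it for manual decoding rather than trusting it.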

Mitigation and Best Practices:

  • Be cautious when assigning administrative privileges or owner rights within the contract. Limit the number of administrators and ensure they are trustworthy.
  • Consider using multi-signature schemes where multiple parties need to collectively approve critical actions.
  • Implement robust access control mechanisms to restrict who can propose, vote on, and execute governance actions. Utilize role-based permissions and enforce strict authentication and authorization processes.
  • To prevent such vulnerabilities, have experienced smart contract auditors examine the contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord