MoonHacker Vault Hack Analysis
Overview:
On December 23, 2024, the MoonHacker vault contracts, which interact with the Moonwell DeFi protocol on Optimism, were exploited because of improper input validation in their executeOperation function. The attacker used the flaw to drain approximately $320,000 in USDC.
The core Moonwell (@MoonwellDeFi) protocol is unaffected and its primary functionality continues to operate normally. The incident does, however, expose critical flaws in the Moonhacker vault's contract logic, which the attacker exploited by supplying a malicious contract in place of a legitimate Moonwell market.
Smart Contract Hack Overview:
- Attack Transaction: 0xd1201
- Attacker’s Address: 0x36491
- Exploit Contract Address: 0x4E258, 0x3a6ea
- Stolen Funds Parked At: 0x36491

Decoding the Smart Contract Vulnerability:
- The root cause of the exploit is a combination of improper input handling and missing access control in the executeOperation function of the Moonhacker vault contracts.
- Specifically, the mToken parameter was never validated against the set of legitimate Moonwell market contracts. The attacker could therefore pass their own contract as the mToken address, and the vault approved that contract to spend its tokens.
- In addition, executeOperation could be called by any external address, so the function did not require a trusted caller and any unauthorized user could trigger it with attacker-chosen inputs.

- The attacker took a USDC flash loan from Aave and called the vault's executeOperation function with their malicious contract as the mToken address.
- The function approved that malicious contract to transfer the vault's USDC. Using this unauthorized allowance, the attacker drained the USDC held in the vault.
- The attacker then called the repayBorrow and redeem functions repeatedly to withdraw the remaining underlying USDC from the vault, repaid the flash loan, and kept the difference.
- The Moonhacker deployers have been contacted to address the vulnerability and attempt recovery of the stolen funds. Relevant parties are collaborating to track and recover the assets.
- Moonwell DeFi has clarified that the Moonhacker vaults were independently deployed and are not affiliated with the Moonwell protocol. Neither the vault deployers nor the exploiters are known to the Moonwell team.
- Importantly, all Moonwell lending pools remain secure and unaffected by this exploit. The breach was limited to the Moonhacker vaults, which were built to interact with Moonwell markets without adequate security safeguards. More details here: https://x.com/MoonwellDeFi/status/1871593325050093793

Mitigation and Best Practices:
- Validate the mToken address passed to executeOperation against a whitelist of approved Moonwell market contracts, so that an arbitrary address can never be injected and approved.
- Restrict executeOperation to its intended caller with a modifier or explicit check (for example, require that msg.sender is the flash-loan pool the vault integrates with), and apply role-based access control to any other privileged function.
- Logic flaws of this kind are best caught by a thorough smart contract audit. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Our public audit reports can be found at https://github.com/Credshields/audit-reports. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 280+ detections at SolidityScan.
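The following is an added, illustrative reconstruction of the flaw described above and of the hardened form recommended in the mitigation list. It is not the Moonhacker vault's source code; the interface names, the storage layout, the assumption that mToken arrives ABI-encoded in the flash-loan params, and the names flashLoanPool and isMoonwellMarket are all assumptions made for this example. The callback signature is the Aave V3 flash-loan receiver shape (asset, amount, premium, initiator, params).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal interfaces for the example (assumed names, not the vault's real ones).
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IMToken {
    function repayBorrow(uint256 repayAmount) external returns (uint256);
    function redeem(uint256 redeemTokens) external returns (uint256);
}

// --- BEFORE: the pattern the write-up describes --------------------------------
// Anyone can call executeOperation, and whatever address arrives as mToken is
// approved to spend the vault's USDC and then called.
contract VulnerableVault {
    IERC20 public immutable usdc;

    constructor(IERC20 _usdc) { usdc = _usdc; }

    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address /* initiator: ignored */,
        bytes calldata params
    ) external returns (bool) {
        (address mToken) = abi.decode(params, (address));
        // No msg.sender check and no check that mToken is a Moonwell market.
        IERC20(asset).approve(mToken, amount);   // attacker contract now holds the vault's allowance
        IMToken(mToken).repayBorrow(amount);     // attacker contract runs arbitrary code here
        IMToken(mToken).redeem(amount);
        IERC20(asset).approve(msg.sender, amount + premium); // meant for the pool, but msg.sender is unchecked
        return true;
    }
}

// --- AFTER: hardened ------------------------------------------------------------
contract HardenedVault {
    IERC20 public immutable usdc;
    address public immutable flashLoanPool;          // assumed: the only contract allowed to deliver the callback
    address public owner;
    mapping(address => bool) public isMoonwellMarket; // whitelist of approved Moonwell markets

    error NotPool();
    error NotOwner();
    error BadInitiator(address initiator);
    error BadAsset(address asset);
    error UntrustedMarket(address mToken);

    constructor(IERC20 _usdc, address _pool) {
        usdc = _usdc;
        flashLoanPool = _pool;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Whitelist management is itself a privileged operation.
    function setMarket(address mToken, bool allowed) external onlyOwner {
        isMoonwellMarket[mToken] = allowed;
    }

    function executeOperation(
        address asset,
        uint256 amount,
        uint256 premium,
        address initiator,
        bytes calldata params
    ) external returns (bool) {
        // 1. Only the pool may invoke the callback.
        if (msg.sender != flashLoanPool) revert NotPool();
        // 2. Only flash loans this vault started are honoured. Without this, anyone could
        //    call the pool with receiver = this vault and attacker-chosen params.
        if (initiator != address(this)) revert BadInitiator(initiator);
        // 3. Asset and market must be exactly what the vault expects.
        if (asset != address(usdc)) revert BadAsset(asset);
        (address mToken) = abi.decode(params, (address));
        if (!isMoonwellMarket[mToken]) revert UntrustedMarket(mToken);

        usdc.approve(mToken, amount);
        IMToken(mToken).repayBorrow(amount);
        IMToken(mToken).redeem(amount);
        usdc.approve(mToken, 0);                        // leave no standing allowance behind
        usdc.approve(flashLoanPool, amount + premium);  // let the pool pull its repayment
        return true;
    }
}
```

Two of the checks in the hardened version go beyond the two bullets above but are worth pairing with them: the initiator check matters because restricting msg.sender to the pool alone does not stop a third party from initiating a flash loan on the vault's behalf with their own params, and resetting the allowance to zero after use means that even a whitelisted market never retains spending rights over idle vault balances.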
Conclusion:
SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risk in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.