SolidityScan
HACK ANALYSIS 2 min read

OpenLeverage Hack Analysis

OpenLeverage Hack Analysis

Overview:

On April 1, 2024, OpenLeverage suffered an attack due to a reentrancy issue, leading to an approximate loss of over 234K USD.

Smart Contract Hack Overview:

Fig: Attack Transactions

Decoding the Smart Contract Vulnerability:

  • The hack involved a two-step attack strategy, each consisting of two transactions.
  • In the first transaction, the attacker initiated a margin trade and a small borrow position, then proceeded to liquidate it. However, the liquidation process was flawed, as it incorrectly accounted for borrow amounts from both the “borrow” function and margin trading.
  • Additionally, the attacker exploited the “repayBorrowEndByOpenLev” function within the liquidation process, allowing them to close the borrow position with minimal repayment.
  • In the second transaction, the attacker withdrew tokens using the “payoffTrade” function without making any repayment, leveraging the absence of a borrowed amount from the preceding transaction.
  • To circumvent time constraints, the attacker split their actions into two separate transactions due to a block time check.
Fig: The root cause of the vulnerability (credit: @Phalcon_xyz)

Mitigation and Best Practices:

  • Strengthen the validation process within the “liquidate” function to prevent the exploitation of functions like “repayBorrowEndByOpenLev” for minimal repayment.
  • Enhance security measures by introducing additional checks or restrictions to prevent unauthorised withdrawals or trades based on minimal repayments.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Fig: SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

Smart Contract Audit Reports: How to Understand Them?
UPS Token Hack Analysis