Ovix Protocol Hack Analysis — Oracle Price Manipulation
Overview:
On April 28, 2023, an attacker manipulated the Ovix protocol’s price oracle. By depositing a large amount of vGHST tokens into the VGHSTOracle contract, the attacker artificially inflated the vGHST-to-GHST price, costing the protocol’s users $2M.
Smart Contract Hack Overview:
- Attacker’s transaction: 0x10f2
- Attacker’s address: 0x702
- Aave flashloan details: 0x794a
- vGHST V3 token contract: 0x8eb2
- OVIX oUSDT token: 0x1372
- Vulnerable Contract: 0x5119

Decoding the Smart Contract Vulnerability:
- The attacker took a 24.5 USDC flash loan and used it as collateral to borrow 5.4 million USDT and 720 thousand USDC.

- The attacker then performed a series of transactions to borrow vGHST tokens worth 5.4 million USDT and 720 thousand USDC. Borrowing this lump sum of vGHST altered the price oracle, because the oracle’s reported price depended directly on the vGHST-to-GHST conversion rate.

- The attacker then returned the borrowed vGHST. Because the exchange rate between the two tokens had been modified in the meantime, selling the funds yielded a $2M profit.

Mitigation and Best Practices:
- A protocol that uses an oracle as its price feed must build in a time delay so that a price can be checked and verified before it is used; it must not react immediately to every change the oracle reports.
- Protocols should add a further security layer by using at least two oracles to cross-check the price. This would have mitigated the hack, and it enforces proper checks on critical functions and variables that are publicly accessible.
- To prevent such vulnerabilities, smart contracts must be examined for logical issues by experienced auditors. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detectors at SolidityScan, including access control vulnerabilities.
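The first two mitigations above, shown side by side as an added example written for this post (it is not 0vix’s or the vGHST token’s own code): a spot-rate oracle that trusts the live vault conversion rate, and a guarded version that checkpoints the rate behind a refresh delay and a maximum per-refresh deviation. The `IVaultToken`, `IGhstFeed`, `DELAY` and `MAX_DEVIATION_BPS` names and values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Assumed vault-token interface: how many GHST a given amount of vGHST redeems for.
interface IVaultToken { function convertVGHST(uint256 shares) external view returns (uint256); }
// Assumed external GHST/USD feed (18 decimals), standing in for the independent second oracle.
interface IGhstFeed { function latestPrice() external view returns (uint256); }

// Spot-rate oracle: vGHST price = live vault conversion rate x GHST price.
// A large deposit moves the conversion rate inside one transaction, and the
// lending market consumes the inflated value immediately.
contract SpotVGHSTOracle {
    IVaultToken public immutable vault;
    IGhstFeed public immutable feed;
    constructor(IVaultToken v, IGhstFeed f) { vault = v; feed = f; }
    function price() external view returns (uint256) {
        return vault.convertVGHST(1e18) * feed.latestPrice() / 1e18;
    }
}

// Hardened oracle: the conversion rate is a checkpoint refreshed at most once per
// DELAY and allowed to move at most MAX_DEVIATION_BPS per refresh, so a rate
// inflated inside a flash-loan transaction is rejected instead of being served.
contract GuardedVGHSTOracle {
    IVaultToken public immutable vault;
    IGhstFeed public immutable feed;
    uint256 public constant DELAY = 1 hours;         // assumed refresh interval
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5% per refresh, assumed
    uint256 public acceptedRate;                     // GHST per 1e18 vGHST
    uint256 public lastRefresh;

    constructor(IVaultToken v, IGhstFeed f) {
        vault = v; feed = f;
        acceptedRate = v.convertVGHST(1e18);
        lastRefresh = block.timestamp;
    }

    // Permissionless refresh: rate-limited in time and bounded in magnitude.
    function refresh() external {
        require(block.timestamp >= lastRefresh + DELAY, "too soon");
        uint256 r = vault.convertVGHST(1e18);
        uint256 diff = r > acceptedRate ? r - acceptedRate : acceptedRate - r;
        require(diff * 10_000 <= acceptedRate * MAX_DEVIATION_BPS, "rate moved too far");
        acceptedRate = r;
        lastRefresh = block.timestamp;
    }

    // Consumers read the checkpointed rate, never the live vault balance.
    function price() external view returns (uint256) {
        return acceptedRate * feed.latestPrice() / 1e18;
    }
}
```

A rate inflated within a single flash-loan transaction fails the deviation check in `refresh()`, and because the checkpoint can only move 5% per hour, holding a manipulated position long enough to shift it becomes far more expensive than a flash loan.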

Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup