HACK ANALYSIS

ROE Finance hack Analysis — Price Manipulation


Overview:

On January 11, 2023, yet another price manipulation attack took place: a flaw in the protocol allowed its price to be manipulated through arbitrage, and about $80k was lost. The attackers exploited the weakness with the help of a flash loan.

Smart Contract Hack Overview:

[Figure: The transaction of the attacker]
[Figure: Flow of funds from the attacker's address]

Decoding Smart Contract Vulnerability:

  • The attacker took a flash loan of 5.76 million USDC from Balancer and put it into the pool. Using their attack contract, the attacker then borrowed 2,953,841,283 UNI-v2 tokens from the pool. The borrowed amount was deposited 49 times from the attacker-controlled address.
  • The attacker's contract burned 0.295 UNI-V2 and received 2.96 WBTC and 51,661 USDC in exchange. It then transferred 26,024 USDC to the UNI-V2 pair and called the Uniswap V2 sync function, which overwrote the pair's cached reserves with its new balances. As a result, the oracle's price for UNI-V2 was manipulated.
  • To repay the flash loan, 5,673,090 USDC that had previously been deposited into the roeUSDC pool was borrowed back. After swapping 0.66 WBTC for 14,345 USDC, the USDC was returned to Balancer.
  • This generated a profit of roughly $80,000 for the attackers.

Mitigation and best practices:

  • Protocols need an additional security layer that consults at least two oracles and cross-checks the price before acting on it. This would have mitigated this hack; critical functions and publicly accessible variables should likewise be guarded by proper checks.
  • Monitor regularly for instances of fraudulent deposits.
  • To stop price manipulation attempts, validate transaction variables and securely revert transactions that contain fraudulent deposits or transfers.
  • Use a strong smart contract vulnerability scanner together with experienced smart contract auditors whenever new features are released.
  • To prevent such vulnerabilities, experienced smart contract auditors must examine the contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detectors at SolidityScan.
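As an added example (not part of the original analysis, and not ROE Finance's or Uniswap's code), the Python model below shows why a spot price read from a pair's cached reserves is fragile and how the "at least two oracles" recommendation above catches the sync-based manipulation described in the walkthrough. It contains a toy constant-product USDC/WBTC pair whose cached reserves are overwritten by sync(), a minimal cumulative-price time-weighted average (TWAP) as the second price source, and a validator that rejects a spot price deviating from the TWAP by more than a tolerance. The pool sizes, timestamps and the 5% tolerance are constructed values chosen for illustration.

```python
"""Two-source price check for an AMM spot price (constructed example)."""
from dataclasses import dataclass
from fractions import Fraction

USDC_DECIMALS = 6
WBTC_DECIMALS = 8


@dataclass
class ConstantProductPair:
    """Toy Uniswap-V2-style USDC/WBTC pair. Reserves are the cached values a
    naive oracle reads; balances are the tokens the pair actually holds."""
    reserve_usdc: int
    reserve_wbtc: int
    balance_usdc: int
    balance_wbtc: int

    def spot_price(self) -> Fraction:
        """USDC per WBTC, derived only from the cached reserves."""
        usdc = Fraction(self.reserve_usdc, 10 ** USDC_DECIMALS)
        wbtc = Fraction(self.reserve_wbtc, 10 ** WBTC_DECIMALS)
        return usdc / wbtc

    def receive_usdc(self, amount: int) -> None:
        """A plain ERC-20 transfer into the pair: balances move, reserves do not."""
        self.balance_usdc += amount

    def sync(self) -> None:
        """Uniswap V2 sync(): overwrite the cached reserves with current balances."""
        self.reserve_usdc = self.balance_usdc
        self.reserve_wbtc = self.balance_wbtc


class TwapOracle:
    """Cumulative-price accumulator: the price is weighted by how long it held,
    so a price that exists for zero seconds inside one block has no weight."""

    def __init__(self, price: Fraction, now: int) -> None:
        self.cumulative = Fraction(0)
        self.last_price = price
        self.last_time = now
        self.checkpoint_cum = Fraction(0)   # accumulator value at window start
        self.checkpoint_time = now

    def update(self, price: Fraction, now: int) -> None:
        """Record the time the previous price was in force, then switch price."""
        self.cumulative += self.last_price * (now - self.last_time)
        self.last_price = price
        self.last_time = now

    def consult(self, now: int) -> Fraction:
        """Average price since the checkpoint."""
        elapsed = now - self.checkpoint_time
        if elapsed <= 0:
            raise ValueError("TWAP window must span at least one second")
        cum_now = self.cumulative + self.last_price * (now - self.last_time)
        return (cum_now - self.checkpoint_cum) / elapsed


class PriceDeviation(Exception):
    """Raised when the two price sources disagree beyond the tolerance."""


def validated_price(spot: Fraction, reference: Fraction,
                    max_deviation_bps: int = 500) -> Fraction:
    """Return the spot price only if it is within max_deviation_bps of the reference."""
    deviation_bps = abs(spot - reference) * 10_000 / reference
    if deviation_bps > max_deviation_bps:
        raise PriceDeviation(
            f"spot deviates {float(deviation_bps):.0f} bps from reference")
    return spot


def run_scenario() -> dict:
    """Honest read passes; a donate-then-sync read in the same block is rejected."""
    # Constructed pool: 1,000,000 USDC against 50 WBTC, i.e. 20,000 USDC/WBTC.
    pair = ConstantProductPair(
        reserve_usdc=1_000_000 * 10 ** USDC_DECIMALS, reserve_wbtc=50 * 10 ** WBTC_DECIMALS,
        balance_usdc=1_000_000 * 10 ** USDC_DECIMALS, balance_wbtc=50 * 10 ** WBTC_DECIMALS)
    t0 = 1_000
    twap = TwapOracle(pair.spot_price(), t0)
    now = t0 + 600  # ten minutes later, price has been stable the whole time
    honest = validated_price(pair.spot_price(), twap.consult(now))

    # Within the same block: 100,000 USDC is transferred in and sync() is called,
    # so the cached spot price jumps 10% while the TWAP is unchanged.
    pair.receive_usdc(100_000 * 10 ** USDC_DECIMALS)
    pair.sync()
    twap.update(pair.spot_price(), now)
    try:
        validated_price(pair.spot_price(), twap.consult(now))
        rejected = False
    except PriceDeviation:
        rejected = True
    return {"honest_price": honest, "manipulated_spot": pair.spot_price(),
            "twap": twap.consult(now), "rejected": rejected}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The validator treats the TWAP as the reference and the reserve-derived spot as the value under suspicion; a protocol could equally use an external feed as the second source. The important design point is that the reference must be something a single transaction cannot move, which is exactly what a cached-reserve spot price is not.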

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risk in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord