Unlock Protocol Hack Analysis — Improper Caller Validation
Overview:
On April 21, 2023, the Unlock Protocol was exploited, and protocol users lost about 20 ETH. The root cause was improper caller validation in the postLockUpgrade() function: it was externally callable by anyone and recorded the caller as a deployed lock, which later let the attacker pass an access-control modifier that trusted that record.
Smart Contract Hack Overview:
- Attacker's addresses: 0x43ee4, 0x3a683
- Attacker's transaction: 0x4ac413
- Vulnerable contract: 0xe79b
- UDT official code: 0x90de7

Decoding the Smart Contract Vulnerability:
- The attacker's contract called the postLockUpgrade() function. Because the function did not validate its caller, it registered the attacker's contract as a deployed lock in the Unlock contract's lock registry. That registration was what the attacker used to bypass a modifier check later.

- The recordKeyPurchase() function, which mints UDT to a referrer, is guarded by the onlyFromDeployedLock() modifier. That modifier only checks whether msg.sender is marked as a deployed lock in the registry, so it was bypassed: the attacker had already registered his contract in the previous step, then called the function with his own wallet as the referrer and had the minted tokens sent there.

Mitigation and Best Practices:
- Restrict state-changing registration functions such as postLockUpgrade() to authorized callers, either with an access-control modifier or with a check that msg.sender verifiably is what it claims to be; do not leave them open to any external caller.
- Never trust a registry entry that the caller could have created for itself. Verify the caller's data against an independent source of truth before recording it, and treat a failed check as "nothing to record" rather than as a default-allow.
- Use OpenZeppelin's access-control libraries (Ownable, AccessControl) to implement authorization consistently, so that no privileged function is left without an effective check.
- Have experienced smart-contract auditors review contracts for logic issues such as this one. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts for the latest common security vulnerabilities with SolidityScan's 130+ detectors, including access-control checks.
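The two sections above describe one mechanism: an unprotected registration function writes to a registry, and a modifier then trusts that registry. The following Solidity contracts are an added illustration, not Unlock's code or the attacker's code. They reuse Unlock's names (the locks mapping, onlyFromDeployedLock, postLockUpgrade, recordKeyPurchase) but everything else is a hypothetical simplification: the IMintableToken interface, the reward formula, the Attacker contract, and the HardenedUnlock fix that checks the caller against a previous registry are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical stand-in for the UDT token: only the mint entry point the registry needs.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

// Shared shape of the lock registry. Both variants below keep a mapping of
// addresses trusted as "deployed locks" and gate token minting on it.
abstract contract LockRegistryBase {
    struct LockBalances {
        bool deployed;
        uint256 totalSales;
        uint256 yieldedDiscountTokens;
    }

    mapping(address => LockBalances) public locks;
    IMintableToken public immutable udt;

    constructor(IMintableToken _udt) {
        udt = _udt;
    }

    // The guard that was bypassed: it trusts whatever the registry says about msg.sender.
    modifier onlyFromDeployedLock() {
        require(locks[msg.sender].deployed, "ONLY_LOCKS");
        _;
    }

    // Hypothetical reward rule (1 token per 1000 wei of recorded sales). Only a
    // registered lock may call this, so the registry is the real security boundary.
    function recordKeyPurchase(uint256 _value, address _referrer) external onlyFromDeployedLock {
        locks[msg.sender].totalSales += _value;
        uint256 reward = _value / 1000;
        locks[msg.sender].yieldedDiscountTokens += reward;
        udt.mint(_referrer, reward);
    }
}

// VULNERABLE: postLockUpgrade() is externally callable and records msg.sender as a
// deployed lock without checking who msg.sender actually is.
contract VulnerableUnlock is LockRegistryBase {
    constructor(IMintableToken _udt) LockRegistryBase(_udt) {}

    function postLockUpgrade() external {
        if (!locks[msg.sender].deployed) {
            locks[msg.sender] = LockBalances(true, 0, 0);
        }
    }
}

// Hypothetical attacker contract: registers itself, then calls the gated function
// with its own wallet as referrer so the freshly minted tokens land there.
contract Attacker {
    function attack(VulnerableUnlock target, address wallet) external {
        target.postLockUpgrade();                     // locks[address(this)].deployed is now true
        target.recordKeyPurchase(1_000_000, wallet);  // passes onlyFromDeployedLock, mints to wallet
    }
}

// Signature of the auto-generated getter for a `locks` mapping on an older registry.
interface IPreviousUnlock {
    function locks(address lock)
        external
        view
        returns (bool deployed, uint256 totalSales, uint256 yieldedDiscountTokens);
}

// HARDENED: the caller's claim to be a lock is checked against an independent source
// of truth (the previous registry) instead of being taken on faith, and nothing is
// written unless that source confirms the lock was really deployed.
contract HardenedUnlock is LockRegistryBase {
    IPreviousUnlock public immutable previousUnlock;

    constructor(IMintableToken _udt, IPreviousUnlock _previous) LockRegistryBase(_udt) {
        previousUnlock = _previous;
    }

    function postLockUpgrade() external {
        require(!locks[msg.sender].deployed, "ALREADY_MIGRATED");
        (bool deployed, uint256 sales, uint256 yielded) = previousUnlock.locks(msg.sender);
        // An unknown caller has no record to migrate: fail closed rather than register it.
        require(deployed, "NOT_A_DEPLOYED_LOCK");
        locks[msg.sender] = LockBalances(true, sales, yielded);
    }
}
```

Against VulnerableUnlock, Attacker.attack() succeeds and mints to the attacker's wallet; against HardenedUnlock the first call reverts with NOT_A_DEPLOYED_LOCK because the previous registry has no entry for the attacker contract, so the modifier's precondition is never satisfied. The general lesson is the second mitigation bullet: a modifier is only as strong as the data it reads, so any function that can write that data needs the same scrutiny as the privileged function itself.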

Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risk in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord