Wise Lending Hack Analysis
Published in
3 min readJan 16, 2024
Overview:
On January 12, 2024, Wise Lending suffered an attack due to a precision loss vulnerability, leading to an approximate loss of over 464K USD.
Smart Contract Hack Overview:
- Attacker address: 0xb90cf1
- Vulnerable Contract: 0x37e49b
- Attack contract: 0x91c49c
- Attack Transaction: 0x04e16a
Decoding the Smart Contract Vulnerability:
- Despite Wise Lending having defenses against donation attacks, the attacker found ways to either bypass or manipulate these safeguards.
- The attacker targeted the Wise PLP Pool specifically for Pendle LP tokens, employing tactics to surpass donation amount limits and taking advantage of a larger percentage of donations.
- The attacker initiated the attack by depositing a tiny amount and then making donations below the set limit, exploiting the system with a significantly larger percentage of donations.
- A rounding issue is exploited by the attacker through the ‘_calculateShares’ function.
- The attacker deliberately incurred losses through strategic deposits and withdrawals, employing a “stealth donation” approach to exploit rounding errors to the fullest extent.
Mitigation and Best Practices:
- Multiplication should always be performed before division to avoid loss of precision.
- The calculated result for division and multiplication can be stored in an integer with more bits, but the operands must also be integers of the same size.
- The operands for the exponentiation function must be unsigned integers. Unsigned Integers with lower bits can be calculated and stored as unsigned integers with higher bits.
- To apply an arithmetic operation to all of the operands, they must all have the same data type; otherwise, the operation will not be performed.
- Always validate your code by writing comprehensive test cases that cover all the possible business logic.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Conclusion:
SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord