Fighting Web3 Hacks with RedStone
RedStone – the Arweave utilising Web3 cross-chain oracle and smart contract SDK developer team – has just announced they are starting a new mini-series about important Oracle Hacks and Manipulations. This is done in order to raise awareness of the methods used by exploiters and hackers to manipulate the affected Web3 protocols.
In the first issue of the series which you can find here on their medium page, they look into the April 2022 oracle manipulation case of Inverse Finance — a ‘decentralised bank’ providing numerous DeFi services such as collateralised lending.
The Inverse Finance exploit saw malicious actors withdraw 901 ETH from Tornado Cash, transfer 1.5 Eth to 241 clean addresses in order to deploy 5 different smart contracts, before swapping 500 ETH to 1.7k INV tokens (through the Sushi INV-WETH pool), in turn inflating the INV price by roughly x50. This was managed due to low liquidity in the pool.
The hackers then spammed Inverse Finance with many malicious transactions, to be the first to get into the next block. Inverse Finance then used the SushiSwap TWAP oracle as a single point of data, but the price reported by the oracle was super inflated.
The last step for the hackers was to use their now high-value INV tokens as collateral to take out a loan valued at $15.6M various tokens. The initial “cost” for the hackers was 901 ETH (roughly $2.7m at the time) that was withdrawn from Tornado cash (one can only assume they deposited themselves initially).
It would have been impossible for any amateur to execute such a process, and hence it is believed that the attacker knew exactly what they were doing. They most likely spent a lot of time analysing the smart contracts, liquidity pools, and protocols they would need to navigate to have their plan play out as they wanted.
And their plan came at no small cost, as any mistake along the way would have cost the malicious actors their $2.7m.
Without judging any involved protocol, RedStone’s mission is simply to allow new and existing developers to learn from these costly mistakes, so as to not repeat the errors made by those that came before.
In the case of Inverse Finance, the window into the exploit was using a single oracle as a data reference for price. Price that was reading only a small pool of assets with low liquidity. If more than one data point for price was used, it would have made the exploit far more difficult to execute, and potentially even non-financially beneficial for the hackers.
The lesson that RedStone wants to pass on to others from this exploit, is that using multiple points of reference for data (including but certainly not limited to price data) is key.
WWW – The Web3 Wild West
RedStone is focusing on the oracle side of hacks, as they themselves are the developers of the biggest Arweave oracle yet. It is important to remember though that the Web3 industry is still fresh (especially the application layer), some calling it the Wild West, and so mistakes will be made not only with oracle tech but with all protocols.
Looking back on 2022 alone we can see that many hacks have taken place:
Axie Infinity Ronin Bridge, March 28, $625 million
Wormhole, February 2, $325 million
Beanstalk, April 17, $182 million
Harmony Bridge, June 23, $100 million
Qubit QBridge Hack, January 27, $80 million
Fei Protocol, April 30, $80 million
Cashio, March 22, $52 million
IRA Financial Trust, February 8, $37 million
Cryptocom, January 17, $35 million