Event brief
At four o'clock in the morning on August 5th, some users reported on the Opyn forum that their account balances had disappeared for no reason, and some users found suspicious transaction information, as shown in the figure below:
After a preliminary analysis of the situation, the Opyn team responded that the funds had been transferred and that the cause of the problem was being investigated.
As of press time, the team had issued an official response to the incident: the project was hacked, and the assets that may be attacked have been transferred, but this vulnerability only involves the ETH contract and does not affect other contracts. As shown below:
Chengdu Lianan-Security Lab promptly tracked and analyzed this incident. The following are the addresses of the attacker's contracts that its situational awareness system detected carrying out the theft:
0xe7870231992ab4b1a01814fa0a599115fe94203f
0xb837531bf4eb8ebfa3e20948bd14be067c18cbd3
0xb72e60ea1d0c04605f406c158dce9ac6ae6d224c
The attacker's method, reconstructed:
1. The attacker calls the contract and sends n USDC to it to increase the collateral, obtaining the contract's token oETH
3. The attacker redeems his collateralized ETH.
As shown below:
technical analysis
Take the transaction 0x56de6c4bd906ee0c067a332e64966db8b1e866c7965c044163a503de6ee6552a as an example: the attacker used contract 0xe7870231992ab4b1a01814fa0a599115fe94203f to attack contract 0x951D51bAeFb72319d9FBE941E1615938d89ABfe2 and made a total profit of $9907 in this transaction. As shown below:
The attacker first called the addERC20CollateralOption function and sent 9900 USDC to the contract, as shown in the figure below:
Within this function, addERC20Collateral(msg.sender, amtCollateral); handles the transfer of USDC on the caller's behalf, and issueOTokens(amtToCreate, receiver); mints oETH. This transaction mints 30 oETH and sends them to the attacker, as shown in the figure below:
After this is done, the attacker's vault parameters are altered. vault.oTokensIssued and vault.collateral are updated to 300000000 and 9900000000 respectively, as shown in the figure below:
The attacker then proceeded to exchange oETH out.
The attacker calls exercise with the parameter oTokensToExercise set to 60 and vaultsToExerciseFrom set to two addresses, one of which is the address of another person who also meets the conditions. As shown below:
The exercise function runs the _exercise(vault.oTokensIssued, vaultOwner); branch and sends the USDC corresponding to 30 oETH to the caller, as shown in the figure below:
Let's look back at the for loop in the exercise function. The attacker's input of oTokensToExercise is 60, so when the contract verifies that the second address meets the conditions, it will still transfer the balance to msg.sender, which is the attacker. This allows the attacker to obtain USDC twice, thus making a profit.
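The loop behaviour described above, as a simplified Python model (an added example, not Opyn's contract code and not part of the original analysis). The Vault fields mirror vault.oTokensIssued and vault.collateral from the page; caller_entitlement, the hardened switch and the second vault's balances are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Vault:
    owner: str
    otokens_issued: int  # mirrors vault.oTokensIssued (base units)
    collateral: int      # mirrors vault.collateral (USDC base units)

def sample_vaults():
    # First vault uses the values quoted on the page; the second is constructed.
    return [Vault("attacker", 300000000, 9900000000),
            Vault("other_user", 300000000, 9900000000)]

def exercise(vaults, otokens_to_exercise, caller_entitlement, hardened):
    """Model of the exercise loop; returns the USDC paid to the caller.

    caller_entitlement (assumption): oTokens the caller may exercise in this call.
    hardened=False re-checks the same entitlement for every vault;
    hardened=True consumes it across the whole call.
    """
    budget, remaining, plan = caller_entitlement, otokens_to_exercise, []
    for v in vaults:
        if remaining == 0 or v.otokens_issued == 0:
            continue
        take = min(remaining, v.otokens_issued)
        if take > budget:
            # Raised before any state change, like a reverted transaction.
            raise PermissionError(f"not entitled to redeem from {v.owner}")
        if hardened:
            budget -= take
        plan.append((v, take, v.collateral * take // v.otokens_issued))
        remaining -= take
    for v, take, payout in plan:  # apply only after every check has passed
        v.otokens_issued -= take
        v.collateral -= payout
    return sum(payout for _, _, payout in plan)

def demo():
    # Same call against both variants: 60 oETH requested, 30 oETH entitlement.
    paid_flawed = exercise(sample_vaults(), 600000000, 300000000, hardened=False)
    try:
        exercise(sample_vaults(), 600000000, 300000000, hardened=True)
        blocked = False
    except PermissionError:
        blocked = True
    return paid_flawed, blocked

if __name__ == "__main__":
    print(demo())
```

The same comparison works as a regression test: for any list of vaults, the hardened path must never pay out for more oTokens than the caller's entitlement for the whole call.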
summary advice
In this incident, the attacker took advantage of a logic flaw in the exercise function. Before making the final transfer, this function does not verify whether the caller has the right to redeem the USDC of this address; it simply verifies whether the address can be redeemed. It is a logic vulnerability at the code level, and according to the official reply, this contract has undergone a security audit. Chengdu Lianan hereby reminds all project parties:
1. Sufficient and effective security audits should be conducted before the project goes online, preferably multi-party audits
2. The contract should include functions such as suspending contract transactions, to ensure the safety of funds in the event of a security incident
