- An attack vector in the SingleSidedBalancer strategy was disclosed by a security researcher and was mitigated by the security team within 25 minutes of its receipt. Funds are safe, there were no losses.
- The attack vector has since been succesfully patched.
- Whilst the vulnerability was present on every SingleSidedBalancer strategy, only one instance, USDT, presented an opportunity for a profitable attack.
- In a successful exploit, an attacker would have been able to first imbalance the Balancer pool before forcing the strategy to buy USDT at an inflated price during their subsequent withdrawal.
- This exploit was possible due to a flaw in the strategy design which assigned withdrawal losses to the strategy itself and not to the specific user.
- The yvUSDT strategy was fully wound down and vulnerable strategies were successfully removed from the withdrawal queue while patched strategies were being deployed and migrations completed.
- In line with its security process[1], Yearn's security team has decided to award the disclosing security researcher with the maximum bounty reward of $200,000.
Whitehat submits a report via Immunefi about a possible exploit that can lead to significant loss of user funds, providing a proof of concept demonstrating this in a fork of mainnet Ethereum.
Shortly thereafter, the issue is triaged by Immunefi, and escalated to Yearn's security team, who immediately springs to action. A war room is created to verify the correctness of the disclosure and to thereafter take immediate actions to mitigate the issue by moving funds to safety.
The issue reported is related to SingleSidedBalancer (SSB), a class of strategies which integrate with Balancer protocol and are present on up to 5 Ethereum mainnet vaults and 4 Fantom vaults. SSB strategies are designed to generate yield through the use of single asset deposits into Balancer stable pools, accruing BAL rewards on tightly pegged assets.
At the time of report, all SSB strategies contained the flaw, but only the SSB strategy on yvUSDT[2] was found to be profitably exploitable. A key reason for this was due to the amount of yvUSDT tokens available on Bentobox lending market.
The exploit involves an attacker taking out a large flashloan of DAI or USDC and using it to swap for USDT against Balancer's 3pool. As a result, the price of USDT in the pool would greatly increase. Next, the attacker would flash borrow up the nearly $41M yvUSDT liquidity available in Bentobox [3], and fully withdraw it from the yearn vault.
Such a large withdrawal would pull funds out of multiple strategies in the vault's withdrawal queue, including the vulnerable SingleSidedBalancer USDT strategy. In the exploitable design, the strategy tries to return the user the requested amount without regards to how much pool token it burns through (BPT_IN_FOR_EXACT_TOKENS_OUT). While the pool state is unbalanced, this can lead to the strategy burning many more pool tokens than the user's fair share. Because of this, losses are left to be realized by the strategy (i.e. the remaining vault depositors) on its next harvest.
The proof of concept provided by Whitehat proved the attack to be feasible.
The strategy was re-written with a number of improvements, including two critical fixes[4]:
- All withdrawals now use
EXACT_BPT_IN_FOR_ONE_TOKEN_OUT, which requires the strategy to calculate the amount of pool tokens (BPT) to burn on exit. A check against Balancer's BPT.getRate()is added to make this calculation possible - Configurable slippage parameters have been applied to bound the maximum loss a strategy can take on deposit and withdrawal from pools.
January 30, 2022, 11:54 (UTC): The security researcher submits a disclosure report to Immunefi.
13:24: The report is triaged by Immunefi and is escalated to Yearn as critical.
13:29: A war room is created.
13:49: The critically vulnerable strategy on yvUSDT is removed from withdrawal queue, thus mitigating the issue. [5]
14:09: All other SingleSidedBalancer strategies on mainnet queues are removed. [6]
15:55: All FTM strategies are removed from queue and keepers disabled. [7]
20:38: All funds are removed from SingleSidedBalancer USDT and sent back to the vault. [8]
January 31, 12:00: Fixes to SingleSidedBalancer Strategy are implemented and submitted for peer review.
February 2, 07:12: Security researcher is paid the maximum bug bounty of 200,000 USDC.
February 3, 22:57: Contact is made with developers at Balancer protocol and new strategy codebase is shared to confirm implementation correctness.
February 5, 20:39: Balancer team completes code check and validates accuracy of implementation with no major issues reported.
February 7, 23:10: Final internal security review begins.
February 9, 19:10: Ethereum Mainnet strategies successfully migrated.
February 11, 18:15: Fantom strategies successfully migrated.
February 11: Public disclosure through this report.
As per Yearn's security process, the project does not currently have any established bilateral disclosure agreements.[1] However, due to the nature of the vulnerability and its resulting fix, the issue was disclosed to Balancer Protocol ahead of the publication of this document. We thank the Balancer team for their assistance in validating the fix.
- https://github.com/yearn/yearn-security/blob/master/SECURITY.md
- https://etherscan.io/address/0x3ef6Ec70D4D8fE69365C92086d470bb7D5fC92Eb#code
- https://app.sushi.com/analytics/bentobox
- https://etherscan.io/address/0x3b7c81daa0f7c897b3e09352e1ca2fbe93ac234d#code
- https://ethtx.info/mainnet/0x0b503fdd23d1727787268fef5727476371da9a459809cda2497ee14ba6328fe0/
- https://ethtx.info/mainnet/0xde69faf6abb15c77ae24e86b8e9bcf6d3a346b8ceab5a803c3bf58695df3983f/
- https://dashboard.tenderly.co/tx/fantom/0x6036b5905e21ed0b8558c97083f2668db257e63ac80ff60853e78ad138ff0783
- http://ethtx.info/mainnet/0x812cf1f939d4a59b88001481050e0148e95d9ed1c51bc628a5b338c40e3c30d3