AVAX/USDC Joe LP NXUSD Market—Flash Mortgage Exploit—Sep 6, 2022—Detailed Evaluation

Overview

On September 7, 2022, the Nereus protocol’s AVAX/USDC Joe LP NXUSD market was reported to be exploited, resulting in the creation of $500k NXUSD dangerous debt. The incident was initially reported by the Nereus group by means of neighborhood channels and later highlighted by on-chain analytics teams. The exploit utilized a flash mortgage and culminated in a $371k revenue for the attacker.

The Discovery of Exploit

At roughly 10:30PM UTC on September 6, 2022, the Nereus group turned conscious of the difficulty and rapidly communicated it to their neighborhood by means of their discord platform.

Subsequent monitoring and evaluation by CertiK, amongst different on-chain evaluation teams, recognized the occasion as a flash-loan exploit, which led to a monetary benefit of roughly $371k for the exploiter.

Instantly following the invention, Nereus liaised with safety professionals to plan a containment technique. Regulation enforcement was notified to help within the investigation.

By way of mitigation, the compromised JLP market was each liquidated and paused by the Nereus group. The dangerous debt was coated by utilizing NXUSD from the group’s treasury, making certain no consumer funds have been jeopardized. The NXUSD remained over-collateralized all through this disaster.

It was clarified by the Nereus group that the lending and borrowing parts of the protocol have been by no means susceptible throughout this incident.

The Flash Mortgage Assault

The exploit was orchestrated by a person or group who devised a tailor-made sensible contract. This contract utilized a large $51M flash mortgage to momentarily manipulate the AVAX/USDC Dealer Joe LP pool’s worth. Because of this, the attacker managed to mint 998,000 NXUSD, which was disproportionate to their collateral valued at roughly $508k.

The vulnerability stemmed from the latest introduction of a collateral kind that supported AVAX/USDC Dealer Joe LP tokens. A vital oversight occurred within the worth willpower course of, making it susceptible to exploitation. Worth calculations relied on real-time values with out implementing any time-weighted common worth (TWAP) mechanism. This absence of TWAP uncovered the protocol to single-block worth manipulation.

The Assault Particulars

The exploit was centered on the Nereus protocol’s latest help for AVAX/USDC Dealer Joe LP tokens as collateral. A vital oversight within the worth calculation mechanism for this collateral kind was recognized because the vulnerability.

Particularly, the protocol’s worth calculation relied on real-time on-chain values: wAvaxReserve, usdcReserve, and totalSupply from the Dealer Joe Pool.

As a result of absence of a Time Weighted Common Worth (TWAP) mechanism, these values have been open to manipulation inside a single block.

AVAX USDC Joe LP NXUSD Market

The components used for LP worth calculation was:
[ text{LP price} = frac{(wavaxReserve times avaxPrice) + (usdcReserve times usdcPrice)}{totalSupply} ]

The vulnerability was evident within the pool worth chart, with a noticeable spike at Block Top: 19613453.

The exploit transaction will be referenced at: Snowtrace Transaction: https://snowtrace.io/tx/0x0ab12913f9232b27b0664cd2d50e482ad6aa896aeb811b53081712f42d54c026

Sequence of the Exploit

  1. Provoke a flash mortgage of 51,000,000 USDC from AAVE v3.
  2. Swap 280,000 USDC for 14,735 WAVAX within the wAVAX/USDC Joe pool.
  3. Inject liquidity utilizing 260,000 USDC and 13,401 WAVAX into the Joe pool, ensuing within the acquisition of 0.04533097793130507 JLP tokens.
  4. Swap the remaining 50,460,000 USDC for 505,213 WAVAX, artificially inflating the pool worth to about $98 per WAVAX.
  5. Make the most of the borrow perform within the NXUSD market, depositing 0.04533097793130507 JLP, and borrowing 998,000 NXUSD. Right here, the manipulated collateral worth was ~$1,330M USD, whereas its true market worth was round $500K USD.
  6. Swap 506,547 WAVAX (505,213 + (14,735–13,401)) again to 50,426,896 USDC.
  7. Convert 998,000 NXUSD into 955,678 avCRV utilizing the NXUSD Manufacturing unit 3crv pool.
  8. Swap 955,678 avCRV for 977,269 USDC.e within the 3crv pool.
  9. Convert 977,269 USDC.e into 970,010 USDC.
  10. Repay the flash mortgage with 51,025,500 USDC to AAVE v3.
AVAX USDC Joe LP NXUSD Market Exploit 1

Web Final result for the Exploiter: A revenue of 371,406 USDC.

Instant Response and Mitigation

Upon detection, the Nereus group promptly:

  • Notified the neighborhood and related stakeholders.
  • Consulted with safety specialists.
  • Developed a mitigation plan, which included liquidating and pausing the affected JLP market.
  • Paid off the dangerous debt from the Crew’s treasury, making certain no consumer funds have been in danger.
  • NXUSD stays over-collateralized and its lending/borrowing capabilities have been by no means in danger and proceed to perform as supposed.

Future Steps and Safety Enhancements

  1. Implementation of TWAP calculations for safer worth feeds, particularly for belongings with out Chainlink oracles.
  2. Steady evaluate and replace of audit and safety practices to forestall future vulnerabilities.
  3. A 20% White Hat reward was supplied for the return of the exploited funds, alongside lively efforts to hint and get well the stolen quantity.
  4. Whereas the incident was regrettable, it served as a useful lesson for the Nereus group, who reiterated their dedication to consumer security, protocol safety, and threat mitigation.

Writer: ImmuneBytes
Date: 2023-08-17 05:16:00

Source link

spot_imgspot_img

Subscribe

Related articles

Studying cloud value administration the exhausting means

The fast adoption of cloud applied sciences has outpaced...

Void Banshee APT Exploits Microsoft MHTML Flaw to Unfold Atlantida Stealer

Jul 16, 2024NewsroomKnowledge Safety / Vulnerability A sophisticated persistent risk...
spot_imgspot_img
Alina A, Toronto
Alina A, Torontohttp://alinaa-cybersecurity.com
Alina A, an UofT graduate & Google Certified Cyber Security analyst, currently based in Toronto, Canada. She is passionate for Research and to write about Cyber-security related issues, trends and concerns in an emerging digital world.

LEAVE A REPLY

Please enter your comment!
Please enter your name here