Pickle Finance Hack Analysis & POC (Nov 21st, 2021)

Abdul Sami J.
May 30, 2022

NEWSLETTER

Drop your email to read the BlockApex newsletter and keep yourself updated around the clock.

    Table Of Content

    Share:

    Introduction

    On 21sth November 2021, Pickle finance was hacked, where an attacker was able to drain $19M DAI from the pDai jar. The attack exploited multiple inconsistencies & flaws in the logic of the pickle jar smart contract.

    Pre-requisite:

    1. Pickle Jar contract had a function swapExactJarForJar() which was meant to be generalized to bring more flexibility to the protocol. However, the attack could have been prevented if the function checked for whitelisted ones. 
    2. The attacker’s jars contain minimalist functions to function as a jar and since the user controls Jars most of the checks can be easily bypassed.

    The Exploit

    The user-created two Jar contracts

    1. Attacker’s Address
    2. Attack transaction
    3. Attacker’s Contract
    4. Detailed transaction trace

    Steps involved in exploit:

    1. The attacker deploys two new fake Jars.
      1. First Jar
      2. Second Jar
    2. The attacker calls strategyCmpdDaiV2.getSuppliedUnleveraged() which returns the amount of DAI available i.e 19728769153362174946836922 ~ 19M.728 DAI.
    3. The attacker calls swapExactJarForJar the first time, supplying fake Jar addresses created earlier which withdraws deleveraged invested DAI from the compound back to pDAI Jar. 
    4. attacker calls earn() function 3 three times on pDAI (Pickling Dai) minting cDAI to StrategyCmpdDaiV2 contract.
    5. The attacker deploys another two fake Jars & a fake underlying.
      1. Third Jar
      2. Fourth Jar
      3. Fake Underlying contract
    6. Then the attacker calls swapExactJarForJar, this time passes in the third & fourth Jar with crafted data that makes a function call to curve proxy in the context of the controller-v4. Since the attacker has crafted the Jar to work with the contract it bypasses checks to the point where arbitrary code is executed in the context of the controller-v4 contract. Then withdraw() is called to withdraw 950,818,864 cDAI to controller-v4. The withdrawn cDAI are deposited to the fake Jar through deposit() and all cDAI is transferred to the attacker.
    7. The attacker calls redeemUnderlying on the compound to convert all cDAI to DAI & walks away with ~19M DAI.

    Try It Yourself!

    We have put together a GitHub repository to reproduce the attack. Here is the Github repo.

    Also take a look at Rari Capital Hack Analysis & POC

    More Hack Analysis

     HUNDRED FINANCE - April 15, 2023

    On April 15th, 2023, Hundred Finance was hacked, resulting in a loss of approximately $7.4 million USD in various cryptocurrencies. The attacker exploited an integer rounding vulnerability in the platform's contract logic when a market was empty.

    Gul Hameed
    June 21, 2023
    BonqDAO - February 3, 2023

    The BonqDAO security breach that occurred on February 2, 2023, had far-reaching consequences for the platform, its users, and the wider DeFi ecosystem. The attack exploited a vulnerability in the integration of the Tellor Oracle system, which BonqDAO relied on for obtaining token price information.

    Gul Hameed
    September 22, 2023
    Euler Finance (March 14, 2023)

    The Euler Finance hack had a devastating impact on the platform and its users, with approximately $197 million worth of assets stolen, including ETH, WBTC, USDC, and DAI. This placed Euler Finance at number 6 on the leaderboard of the largest DeFi hacks. The platform's total value locked (TVL) dropped from $264 million to just $10 million.

    Gul Hameed
    March 14, 2023
    Dforce Network - February 13, 2023

    The attack on dForce network had significant consequences for the platform and its users. By exploiting a reentrancy vulnerability in the wstETH/ETH pool on Curve and the dForce wstETH/ETH Vault, the attacker was able to manipulate the virtual price of the pool, which in turn affected the oracle used by the dForce wstETH/ETH Vault

    Gul Hameed
    June 14, 2023
    Rari Capital Hack Analysis & POC

    Rari capital got hacked for around $79M through a classic re-entrancy attack. Rari is a fork of compound finance which had this bug fixed earlier. It is not the first time Rari has been a victim of a hack.

    Abdul Sami J.
    May 4, 2022
    DeFiGeek Community JAPAN - Hack Analysis (Apr 17, 2023)

    On Apr 17, 2023. The DeFiGeek Community fell victim to a security breach in which an attacker exploited a flash loan vulnerability, causing the loss of 10 ETH (valued at over $20,000) from their DeFiGeek Community Pool Dai (fDAI-102

    Gul Hameed
    May 31, 2023
    Merlin DEX - April 26, 2023

    In April 2023, Merlin DEX,a decentralized exchange (DEX) built on ZkSync, suffered a hack during a Liquidity Generation Event for its MAGE token, resulting in an estimated loss of $1.8 million from the protocol.

    Gul Hameed
    July 12, 2023
    Dexible - February 20, 2023

    The Dexible hack affected a total of 17 user accounts, with the majority of losses coming from a single address belonging to BlockTower Capital, a prominent investment firm.

    Gul Hameed
    August 25, 2023
    Kokomo Finance - Hack Analysis (March 27, 2023)

    Kokomo Finance has taken off with approximately $4 million worth of user funds, leaving users unable to withdraw their funds. Wrapped Bitcoin deposits were rugged, with almost $2M of tokens still remaining in the project’s pools on Optimism.

    Gul Hameed
    August 8, 2023
    1 2 3
    Designed & Developed by: 
    All rights reserved. Copyright 2023