There are three main contracts associated with this project.
- The first contract is a simplistic version of a vault contract. A user can deposit, earn, and withdraw funds from this contract. The vault contract was deliberately created with many bugs in the code, for educational purposes. The two main exploits emphasized are reentrancy and draining the funds through a flashloan attack. 🤬
- The reentrancy contract will be used to attack the vault contract and will drain all the funds. A malicious actor will call the withdraw function in the vault contract again before the balance is updated, which will eventually lead to total depletion of the funds in the vault contract.
- The flashloan contract will also be used to drain all the funds of the vault contract.
Warning!!
- Paste the code into Remix and compile with the appropriate version.
- Deploy both the vault and reentrancy contracts.
- Pick an account that can send over 1 ether (the attacker account).
- Use the attack function and confirm the transaction via MetaMask.
- Call the get Balance function in both contracts.
- The new balance should be 2 ether in the new account. When depositing ether, the fallback function will be activated in the attacking contract.
- Repeat until the victim's contract is drained.
- Paste the code into Remix.
- Select and compile with the appropriate version.
- Go to the transaction menu (menu 3).
- Change the environment to Injected Web3.
- Accept the confirmation in MetaMask.
- Make sure that you are on the flashloan.sol contract.
- To deploy, input the victim contract's token name, symbol, and loan amount.
- Click transact.
- Confirm the transaction.
- Copy the contract that has been created and input liquidity using the MetaMask wallet.
- After you confirm the transaction via MetaMask, click action.
- Click on the flashloan action button and confirm the transaction via MetaMask.
Flashloan attack
Decentralized Pricing Oracles: As most flash loan attacks depend on price manipulation, it’s necessary to counter this approach with decentralized pricing oracles. Good examples include Chainlink and Band Protocol. These platforms keep all protocols safe by presenting accurate pricing of different cryptocurrencies.
OpenZeppelin: Implementing OpenZeppelin's Contracts helps minimize risk by using battle-tested libraries of smart contracts for Ethereum and other blockchains.
Reentrancy
Checks-effects-interactions pattern: First perform any checks, which are normally assert and require statements, at the beginning of the function. If the checks pass, the function should then resolve all the effects on the state of the contract. Only after all state changes are resolved should the function interact with other contracts. Because external functions are called last, even if an attacker makes a recursive call to the original function, they cannot abuse the state of the contract.
Mutex: A mutex places a lock on the contract state. Only the owner of the lock can modify the state.
https://consensys.github.io/smart-contract-best-practices/attacks/reentrancy/
https://medium.com/geekculture/what-is-a-defi-flash-loans-flash-loan-attack-c130c83d9811