Yearn Vulnerability disclosure 2022-11-01


 

Summary

  • During a routine check, irregularities were discovered in the amount of SPELL bribes being claimed by some users of the BribeV2 contract. Analysis determined that an attacker was exploiting a flaw in the way the contract calculates bribe allocations.
  • The flaw causes bribes to be allocated based on each user's locked amount of CRV rather than on their veCRV balance.
  • The attacker was found to have exploited this since September 2021, tricking the contract into awarding them higher allocations than the weight they actually contributed to a gauge warranted.
  • Other BribeV2 users were unknowingly subject to faulty bribe calculations because lock time was not taken into account.
  • Yearn developers patched the vulnerability and deployed a new version of the contract (yBribe) which properly allocates bribes to users.

 

Disclaimer: The Yearn team did not write or deploy the original BribeV2 contract. However, as a heavy user of it, the team decided to act quickly to deploy a new contract so that operations could resume.

 

Background

Curve Finance have pioneered a now popular tokenomics system known as veCRV which allows users to lock tokens for up to 4 years with a balance that decays every block until the lock expires or is extended. As their veCRV balance decays, so does their relative influence over Curve governance, including gauge voting.

The BribeV2 contract was released as a trustless mechanism for entities (usually protocols) to incentivize veCRV voters to cast votes for their desired gauge, increasing the amount of CRV emissions to that gauge. A briber would simply deposit tokens into BribeV2, and the contract reads from Curve's Gauge Controller to calculate token allocations for each voter according to their global influence on the gauge weights.

Importantly, gauge weights are determined not by a user's locked amount, but by their veCRV balance which is a time-based decayed representation of their locked amount.

Whilst preparing an internal report for Yearn's Curve Voting + Bribes committee, Yearn devs discovered irregularities in the amount of SPELL bribes being claimed each week from BribeV2[1].

In particular, one user[2] was claiming over 20% of the weekly SPELL rewards, via multiple wallets[3], despite having relatively small veCRV[4] balances in each.

 

Details of vulnerability

The irregularities stemmed from BribeV2 using the slope value for users and gauges in the Gauge Controller rather than the bias value[5].

 

A user's slope value in the veCRV system is a representation of the decay rate per second on their locked amount, but completely ignores their lock duration. This is a critical flaw because it allows someone with a short lock to get paid out at an equal rate to someone with a long lock on the same amount. Crucially, this method does not match how the Gauge Controller assigns gauge weights, which does indeed take lock time into account.

 

This issue can lead to the following exploit:

  1. The numbers used by BribeV2 are stale: they are only up to date as of the last time the claimer voted. A claimer can withdraw all of their veCRV after voting and BribeV2 won’t know.
  2. BribeV2 checks voting power based on how much is locked rather than what the voting balance is. A user locking for one week will get the same share as a user locking for 4 years.

BribeV2 incorrectly uses a user's slope (which is determined by the amount of CRV they lock). As a part of this report, Yearn devs produced a detailed comparison of slope and bias[6].

 

The combination of the two means there is an exploit where a user can:

  1. Lock 1m CRV for the minimum amount of time (7 days)
  2. Vote for a gauge with a veCRV balance of 4,808 (1m CRV / 208 weeks) but claim rewards based on a gauge vote of 1m veCRV.
  3. Withdraw 1m CRV as soon as possible
  4. Continue to claim rewards every week forever

Because the CRV can be withdrawn after a week, an exploiter can cycle the same CRV through multiple wallets and keep collecting rewards on each indefinitely, as can be seen in this proof of concept of the exploit[7].
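
The gap between slope-based and bias-based allocation described above, as an added Python model for checking claim data; it is not BribeV2 or yBribe code. The function names, the sample voters and the 2x flagging threshold are hypothetical, and the maximum lock is taken as 208 weeks to match the figure used above.

```python
# Added illustration: simplified veCRV slope/bias model, not contract code.
WEEK = 7 * 86400
MAX_LOCK = 208 * WEEK  # assumption: 4 years as 208 weeks, matching the text's figure


def slope(locked):
    """Decay rate per second; depends only on the locked amount."""
    return locked / MAX_LOCK


def bias(locked, lock_end, now):
    """veCRV balance at `now`: slope times remaining lock time, zero once expired."""
    return slope(locked) * max(lock_end - now, 0)


def shares(voters, now):
    """Return {name: (slope_share, bias_share)} for the voters on one gauge.

    voters maps name -> (locked_crv, lock_end) as recorded at vote time.
    slope_share is what a slope-based allocation pays out; bias_share is the
    voter's real contribution to the gauge weight at `now`.
    """
    total_slope = sum(slope(amt) for amt, _ in voters.values())
    total_bias = sum(bias(amt, end, now) for amt, end in voters.values())
    out = {}
    for name, (amt, end) in voters.items():
        s = slope(amt) / total_slope
        b = bias(amt, end, now) / total_bias if total_bias else 0.0
        out[name] = (s, b)
    return out


def flag_overpaid(voters, now, factor=2.0):
    """Names whose slope-based share exceeds `factor` times their bias share."""
    return sorted(n for n, (s, b) in shares(voters, now).items() if s > factor * b)


# Constructed sample: two voters lock the same 1m CRV at t=0 and vote once.
VOTERS = {
    "long_lock": (1_000_000, 208 * WEEK),  # 4-year lock
    "short_lock": (1_000_000, 1 * WEEK),   # minimum 7-day lock
}

if __name__ == "__main__":
    for t in (0, 2 * WEEK):  # at vote time, then after the short lock has expired
        print(t // WEEK, shares(VOTERS, t), flag_overpaid(VOTERS, t))
```

Both voters receive half of the bribe under the slope-based calculation, while the short lock contributes under 0.5% of the gauge weight at vote time and nothing once it expires, which is the pattern of large claims from small veCRV balances that the report describes.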

 

 

Source: github.com/yearn/yearn-security/blob/master/disclosures/2022-11-01.md - November 15, 2022
