Cointime

Cointime

Download App
iOS & Android

How Was Rubic Protocol Hacked?

Validated Project

TL;DR

On December 25, 2022, the Rubic protocol was compromised, resulting in a loss of over $1.4 million.

Introduction to Rubic

Rubic is a cross-chain technology aggregator for users and dApps that aggregates various blockchains, different DEXs and bridges, and allows for the exchanging of a wide range of assets.

Vulnerability Assessment

The root cause of the vulnerability is that the Rubic protocol incorrectly added USDC tokens to the Router whitelist, resulting in the theft of USDC tokens from the users authorized to the RubicProxy contract.

Steps

Step 1:

Rubic is a DEX cross-chain aggregator, so users on their platform can swap tokens via a function call in the RubicProxy contract.

Step 2:

During this process, it will first determine whether or not the target Router of the necessary call passed in by the user is included in the protocol’s whitelist.

Step 3:

The user-supplied target Router will be called only after the whitelist check, and the calling data will also be supplied by the user.

Step 4:

As USDC tokens were incorrectly added to the whitelist of the protocol, any user could arbitrarily call USDC tokens through the RubicProxy contract.

Step 5:

The perpetrator used this opportunity to call the USDC contract through a function call, in order to transfer the USDC tokens to their address from the users who had authorized to the RubicProxy contract.

Step 6:

In here, you can view one of the attack transactions carried out by the exploiter, in which USDC tokens from multiple users have been transferred to their addresses.

Step 7:

The attacker sent 1,100 ETH worth of the stolen funds to Tornado Cash.

Aftermath

After the incident, Rubic issued a statement confirming the occurrence of the hack and requested users to revoke their access as soon as possible. The team will undertake audits with two independent agencies in the weeks to come, and approximately 49 affected users will be compensated for their loss.

The team further issued another statement to provide a brief summary of the incident.

Solution

While performing smart contract audits can assist in identifying and addressing potential vulnerabilities, they are insufficient to fully prevent a contract from being hacked. Stringent tests should also be run in simulated scenarios to find any potential programming errors or weaknesses in order to guarantee the security and dependability of a smart contract to a greater extent. These tests ought to replicate a range of circumstances and situations that the contract might experience in the real world, including both anticipated and unforeseen circumstances.

Comments

All Comments

Recommended for you

  • Matrixport: Solana’s funding rate is currently as high as 70% annualized, and a price correction may occur

    According to a report, Matrixport has released a chart today stating that Grayscale has submitted an application to convert Solana Trust into a spot ETF. Although the current asset management scale of the product is relatively small at $134 million, if approved, it will set an important market precedent for other ETF issuers. It is important to note that Solana's financing rate is currently as high as 70% annualized, which creates significant pressure on leveraged long positions. Historical experience shows that similar high financing rates are often related to price corrections, as was the case in March of this year when the SOL-USDT price fell under similar financing rate backgrounds.

  • Japanese Prime Minister Shigeru Ishiba is cautious about separate taxation of cryptocurrencies and approval of ETFs

     Japanese Prime Minister Shizuo Shima expressed caution about the unified 20% separate taxation rule for cryptocurrency in a representative issue at a plenary session of the House of Representatives. "Is it appropriate to encourage investment in cryptocurrency such as stocks and investment trusts that have investor protection regulations? Will the public understand the idea of applying separate self-assessment taxation? There are several issues that need to be resolved. We need to consider it carefully." At the same time, "whether cryptocurrency should be included in ETFs depends on whether cryptocurrency is an asset that needs to be made more easily accessible to the public."

  • AI computing economy layer GAIB completes $5 million seed round of financing, led by Hack VC, Faction VC and Hashed

    GAIB, an AI computing economic layer, announced the completion of a $5 million seed round of financing, with Hack VC, Faction VC, and Hashed leading the investment. Other participating investors include Spartan, Animoca Brands, MH Ventures, Aethir, Near Foundation, Chris Yin from Plume Network, and Lucas Kozinski from Renzo Protocol.

  • Cadenza, an investment institution focusing on blockchain and AI, has raised $50 million for its early-stage AI venture capital fund

     Cadenza, a risk investment company focusing on blockchain and artificial intelligence, announced that its early AI venture capital fund has raised $50 million. The new fund will focus on seed and pre-seed investments, with a focus on infrastructure and enterprise applications. Cadenza's investment portfolio in the Web3 field currently includes: Web3 infrastructure Validation Cloud, Malaysian digital asset exchange Hata, Web3 API platform Uniblock, L1 blockchain Linera, and encrypted wallet application Zulu.

  • Union Completes $12 Million Series A Funding, Led by Gumi Cryptos Capital and Others

    cross-chain settlement layer Union has announced the completion of a $12 million Series A financing round, led by Gumi Cryptos Capital and Longhash Ventures, with participation from Borderless Capital and Blockchange, as well as blockchain founders from Polygon, Movement, and Berachain. The funding will be used for core team expansion, partner integration, and ecosystem development.

  • Russia sentences Hydra market founder to life in prison

     Stanislav Moiseev, founder of the online black market and cryptocurrency mixing service Hydra, has been sentenced to life imprisonment by a Russian court.

  • Portal Ventures raises oversubscribed $75 million crypto fund

    , Portal Ventures, a cryptocurrency venture capital fund before the seed round, raised a $75 million cryptocurrency fund with oversubscription, supported by Chris Dixon and Marc Andreessen.

  • CointimeSG ·

    The Crypto DevRel Trap

    Why More Developers in Your Ecosystem Doesn't Translate Into More Adoption

    The Crypto DevRel Trap

  • South Korea's ruling party may ask Yoon Seok-yeol to quit the party and propose the resignation of the entire cabinet and the dismissal of the defense minister

    According to multiple media reports on December 4th, the ruling party of South Korea, the National Power Party, held an emergency meeting to discuss the measures to be taken after President Yoon Seok-yeol announced the lifting of martial law. Several attendees stated that they had reached a certain consensus on issues such as demanding Yoon Seok-yeol's resignation from the party, the resignation of the entire cabinet, and the dismissal of the Minister of Defense. Prior to this, Han Dong-hoon, a representative of the ruling party, stated that the president's decision to declare a state of emergency was wrong.

  • Asian Equities Strong, CNH Falls Amid Tariff Threat and China Economic Work Conference Expectations

    Several Asian countries, including Indonesia, Japan, Pakistan, South Korea, Taiwan, and Thailand, experienced gains of over 1% in their equities. The offshore traded renminbi fell against the US dollar early in the trading day, which could be due to President Trump's recent tariff threat or the Euro's rough outing. The Hang Seng and Hang Seng Tech indexes rose in Hong Kong, with energy and financials leading the gains. The US government added more than 130 foreign companies to its "Entity List," which requires additional licensing, and 22 Chinese provinces have announced plans to refinance RMB 1.673tn of hidden debt. Copper and steel prices gained while treasury bond prices fell.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company