On June 10, 2023, Beijing time, Atlantis experienced a proposal attack, resulting in a loss of nearly $1 million. The attackers have made profits of approximately $110,000.

SharkTeam conducted a technical analysis of the incident promptly and summarized security measures. We hope that lessons learned from this event can serve as a reminder for future projects, and together we can build a stronger security defense for the blockchain industry.

1. Incident analysis

Attacker address:

0xeade071ff23bcef312dec938ece29f7da62cf45b

Attack contract:

0x027383C520c289cB5c4B66F8E0c8CA65D0769094

0x613CC544053812aB026d60361212Cdb67B46f42f

0xDc8B8D77d8315de469a806e02f38278E38bDBD0B (fake proposal contract)

Attacked contract:

0x558B96Ee93Ea9C7ec9839BEAfab641d75F94E9a3

Initiate a proposal transaction:

0xac1e694f57db4fdef3275f93b651f62b18d7cb0b3c06977e99b56f2968554afd

Attack transactions:

0xa238ca2d2c57c1678866783b074a0c1204cfaa8c37a383c61a6b8e948d40e3fe

Attack Process:

(1) Firstly, the attacker (0xeade071f) initiated a proposal to the targeted contract (0x558B96Ee) through the attacking contract (0x027383C5). The proposal aimed to modify the admin of the contract.

(2) After a waiting period of 28,800 blocks, which is the voting period for the proposal, the attacker proceeded to vote on the proposal, increasing the forVotes value of the proposal.

(3) The attacker added the proposal to the execution queue of the time lock.

(4) After a waiting period of 172,800 seconds, the proposal was executed, and the admin of the contract was set to the fake proposal contract (0xDc8B8D77).

(5) By invoking the fake proposal contract (0xDc8B8D77), the logic contract of the targeted contract (0x558B96Ee) was set to the attack contract (0x613CC544).

(6) By calling the targeted contract (0x558B96Ee), the attacker actually invoked the backdoor function in the attack contract (0x613CC544) to transfer the authorized user tokens from the targeted contract (0x558B96Ee).

2. Vulnerability Analysis

The governance contract exhibits significant flaws in its logic.

Before adding the proposal to the execution queue of the time lock contract, the verification of the current status of the proposal was not properly conducted.

Due to the bypassing of previous conditions and the fact that eta was initially set to 0 during proposal creation, achieving the Succeeded status of the proposal becomes relatively easy. Once the proposal reaches the Succeeded status, it can be added to the execution queue of the time lock. At this point, it only requires waiting for 172,800 seconds for the current proposal to be executed, completing the attack.

3. Security Recommendations

In light of this attack incident, we should adhere to the following considerations during the development process:

(1) Strictly validate the correctness of the logic when implementing the proposal approval process.

(2) Prior to project deployment, engage a third-party security auditing company to conduct a thorough security audit of the contract logic code.

About us

SharkTeam’s vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. It has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.
Official website: https://www.sharkteam.org/
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg