Decoding Ara Protocol’s Flash Loan Exploit

Read Time: 3 minutes

Summary

On June 18, 2023, the Ara Protocol on the BNB Chain was attacked through an access control vulnerability in its swap contract. The attacker exploited it to steal around $125K.

About Project

Ara is a content-based protocol that uses decentralized rewards and distribution to deliver content directly to consumers. The Ara token is a BEP20 token that is used by publishers, consumers, and users to deliver content in the system and earn rewards. 

To learn more about the Project, check out the official documentation.


Vulnerability Analysis & Impact

On-Chain Details

Attacker Address: 0xf84efa8a9f7e68855cf17eaac9c2f97a9d131366

Attacker Contract: 0x98e241bd3be918e0d927af81b430be00d86b04f9

ARA Token Contract: 0x5542958fa9bd89c96cb86d1a6cb7a3e644a3d46e

Vulnerable Contract: 0x7ba5dd9bb357afa2231446198c75bac17cefcda9 

Attack Transaction: 0xd87cdecd5320301bf9a985cc17f6944e7e7c1fbb471c80076ef2d031cc3023b2

The Root Cause

The root cause of the attack was missing access control in the swap contract. Specifically, the contract let a caller spend token approvals that other addresses had granted to it, so anyone could trigger swaps with funds that were not their own.

The 0xB817E address had granted the swap contract large USDT and ARA approvals. The swap contract neither checked that the address whose tokens were being pulled was the caller nor limited the amount a caller could move on another address's behalf. This allowed the attacker to trade with that address's funds, move the ARA price with them, and pocket the difference.

Attack Process

The attacker took a flash loan of 1,202,701 USDT from DODO, then called the swap contract and swapped 163,497 ARA for 123,246 USDT.

Next, the attacker swapped the entire 1,202,701 USDT flash loan for 504,469 ARA, sharply inflating the price of ARA.

Through another call to the swap contract, the attacker made the approved address swap 132,123 USDT for 12,179 ARA, forcing it to buy ARA at the inflated price.

Finally, the attacker swapped the 504,469 ARA acquired earlier back into 1,327,617 USDT. After repaying the flash loan, the attacker was left with a profit of approximately 125K USDT.

The attacker's first attempt failed because the transaction ran out of gas. A front-running bot then picked up the transaction and executed it successfully.

Failed txn: 0xd7926f596154125b573f8f195e08c3eb47be4948d13b1fdfb48282938e122879
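To make the root cause and the attack sequence concrete, the following Python model (added for this write-up; it is not Ara Protocol's code and not the Foundry PoC) replays the steps above against a toy swap contract whose `swap` takes a caller-chosen `payer`, then shows the same forced trade rejected once the contract insists that `payer` be `msg.sender`. The token names, balances, the `victim` and `attacker` labels and the fee-less constant-product (x*y=k) pool are all constructed assumptions, not figures from the incident.

```python
"""Toy model of the flaw described above: a swap contract that lets the caller
choose WHOSE approved tokens are swapped.  Added illustration for this write-up,
not Ara Protocol's code.  Token names, balances, the 'victim'/'attacker' labels
and the fee-less constant-product (x*y=k) pool are all constructed."""


class Token:
    """Minimal ERC20-like ledger: balances plus (owner, spender) allowances."""

    def __init__(self, name):
        self.name = name
        self.balance = {}
        self.allowance = {}

    def mint(self, to, amount):
        self.balance[to] = self.balance.get(to, 0) + amount

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer(self, sender, to, amount):
        if self.balance.get(sender, 0) < amount:
            raise ValueError(f"{sender} lacks {amount} {self.name}")
        self.balance[sender] -= amount
        self.mint(to, amount)

    def transfer_from(self, spender, owner, to, amount):
        # ERC20 transferFrom: spender may move owner's tokens within the allowance.
        if self.allowance.get((owner, spender), 0) < amount:
            raise PermissionError(f"{spender} has no allowance on {owner}'s {self.name}")
        self.allowance[(owner, spender)] -= amount
        self.transfer(owner, to, amount)


class SwapContract:
    """Constant-product pool.  With hardened=False the caller names `payer`, so any
    address that approved this contract can be made to trade against its will."""

    ADDR = "swap_contract"

    def __init__(self, usdt, ara, reserve_usdt, reserve_ara, hardened):
        self.usdt, self.ara, self.hardened = usdt, ara, hardened
        usdt.mint(self.ADDR, reserve_usdt)
        ara.mint(self.ADDR, reserve_ara)

    def swap(self, caller, payer, token_in, amount_in):
        if self.hardened and payer != caller:
            raise PermissionError("payer must be msg.sender")  # the fix
        token_out = self.ara if token_in is self.usdt else self.usdt
        r_in, r_out = token_in.balance[self.ADDR], token_out.balance[self.ADDR]
        amount_out = amount_in * r_out // (r_in + amount_in)  # x*y=k, no fee
        token_in.transfer_from(self.ADDR, payer, self.ADDR, amount_in)
        token_out.transfer(self.ADDR, payer, amount_out)
        return amount_out


def run_attack(hardened, use_victim=True):
    """Replays the write-up's sequence against the model.  Returns the attacker's
    USDT profit after repaying the flash loan and the victim's balance changes."""
    usdt, ara = Token("USDT"), Token("ARA")
    pool = SwapContract(usdt, ara, 1_000_000, 1_000_000, hardened)  # 1 ARA = 1 USDT
    victim, attacker, loan = "victim", "attacker", 1_000_000
    usdt.mint(victim, 500_000)
    ara.mint(victim, 500_000)
    for t in (usdt, ara):                          # standing "unlimited" approvals
        t.approve(victim, pool.ADDR, 2**256 - 1)
        t.approve(attacker, pool.ADDR, 2**256 - 1)
    usdt.mint(attacker, loan)                      # 1. flash loan
    if use_victim:                                 # 2. force victim to sell ARA: ARA gets cheap
        pool.swap(attacker, victim, ara, 150_000)
    bought = pool.swap(attacker, attacker, usdt, loan)  # 3. buy ARA with the loan: price spikes
    if use_victim:                                 # 4. force victim to buy ARA at the top
        pool.swap(attacker, victim, usdt, 150_000)  #    (their USDT lands in the pool)
    pool.swap(attacker, attacker, ara, bought)     # 5. dump the ARA
    usdt.transfer(attacker, "lender", loan)        # 6. repay flash loan
    return {
        "profit": usdt.balance[attacker],
        "victim_usdt_delta": usdt.balance[victim] - 500_000,
        "victim_ara_delta": ara.balance[victim] - 500_000,
    }


def attack_is_blocked():
    """True when the hardened contract refuses to spend the victim's allowance."""
    try:
        run_attack(hardened=True)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable, victim involved :", run_attack(hardened=False))
    print("vulnerable, no victim       :", run_attack(hardened=False, use_victim=False))
    print("hardened blocks attack      :", attack_is_blocked())
```

Running it shows the attacker ending with a positive USDT balance only when the victim's approval is abused. With no victim in the loop, the buy-then-dump round trip on a fee-less x*y=k pool returns exactly the loan, so the price swing by itself is not where the profit comes from; the two forced trades are, because the victim is made to sell ARA low and buy it high, and that value flows to the attacker. The hardened variant rejects the forced trade before any token moves.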

The Flow of Funds

Attacker’s Wallets

As of writing this blog, the attacker has around 20 BNB (worth around $4919) in their wallet.


After the Exploit

The project has not made any official announcements or tweets regarding the exploit.


How could they have prevented the Exploit?

Implementing the following measures could have significantly mitigated the risk of the attack and helped strengthen the security of the Protocol:

Access Control: The contract should incorporate robust access control mechanisms to ensure that only authorized addresses have the necessary permissions for critical operations. In particular, a swap function should only pull tokens from msg.sender, never from a caller-supplied address, so that one user's approval can never be spent by another. This prevents unauthorized parties from manipulating contract functionalities.

Approval Limitations: The approval process should enforce limitations on the amount of funds granted to other contracts or addresses. By setting appropriate restrictions, the contract can mitigate the potential risks associated with unlimited approvals and reduce the attack surface for potential exploits.

Security Audits: Conduct comprehensive security audits of the smart contract code by reputable third-party firms specializing in smart contract security. These audits can help identify vulnerabilities and weaknesses in the codebase and provide recommendations for strengthening the contract’s security.

Reproducing the hack

We will be using the Foundry framework for POC.

The exploit PoC link can be found here.

