Decoding Ara Protocol’s Flash Loan Exploit

Decoding Ara Protocol’s Flash Loan Exploit

Decoding Ara Protocol’s Flash Loan Exploit

Decoding Ara Protocol’s Flash Loan Exploit

Decoding Ara Protocol’s Flash Loan Exploit

Read Time: 3 minutes

Summary

On June 18, 2023, the Ara Protocol on the BNB Chain was attacked due to an access control vulnerability. The hackers exploited this vulnerability to steal around $125K. 

About Project

Ara is a content-based protocol that uses decentralized rewards and distribution to deliver content directly to consumers. The Ara token is a BEP20 token that is used by publishers, consumers, and users to deliver content in the system and earn rewards. 

To learn more about the Project, check out the official documentation.


Vulnerability Analysis & Impact

On-Chain Details

Attacker Address: 0xf84efa8a9f7e68855cf17eaac9c2f97a9d131366

Attacker Contract: 0x98e241bd3be918e0d927af81b430be00d86b04f9

ARA Token Contract: 0x5542958fa9bd89c96cb86d1a6cb7a3e644a3d46e

Vulnerable Contract: 0x7ba5dd9bb357afa2231446198c75bac17cefcda9 

Attack Transaction: 0xd87cdecd5320301bf9a985cc17f6944e7e7c1fbb471c80076ef2d031cc3023b2

The Root Cause

The root cause of the attack was a bug in the lack of proper access control in the contract. Specifically, there was a vulnerability in the ARA’s contract that allowed an attacker to use the approval of other addresses. 

The 0xB817E address had a large approval of USDT and ARA tokens to swap contracts. The swap contract failed to implement proper restrictions on the amount of funds that could be transferred by the caller for swapping purposes. This allowed the attacker to exploit the vulnerability and manipulate the price of the token and gain profits.

Attack Process

The attacker initiated a flash loan of 1,202,701 USDT from DODO. Subsequently, the attacker called the swap contract and swapped 163,497 ARA tokens for 123,246 USDT.

Using the entire flash loan amount of 1,202,701 USDT, the attacker swapped it for 504,469 ARA tokens, resulting in a significant increase in the price of the $ARA token.

The attacker then made another call to the swap contract, swapping 132,123 USDT for 12,179 ARA tokens, allowing an approved address to acquire $ARA at an inflated price.

Finally, the attacker executed another swap, swapping the previously acquired 504,469 ARA tokens into 1,327,617 USDT. After repaying the flash loan, the attacker achieved a profit of approximately 125K USDT.

The first attack was unsuccessful due to insufficient gas. A bot was able to front-run the transaction and execute it successfully.

Failed txn: 0xd7926f596154125b573f8f195e08c3eb47be4948d13b1fdfb48282938e122879

The Flow of Funds

Attacker’s Wallets

As of writing this blog, the attacker has around 20 BNB (worth around $4919) in their wallet.


After the Exploit

The project has not made any official announcements or tweets regarding the exploit.


How could they have prevented the Exploit?

Implementing the following measures could have significantly mitigated the risk of the attack and help strengthen the security of the Protocol:

Access Control: The contract should incorporate robust access control mechanisms to ensure that only authorized addresses have the necessary permissions for critical operations. This prevents unauthorized parties from manipulating contract functionalities.

Approval Limitations: The approval process should enforce limitations on the amount of funds granted to other contracts or addresses. By setting appropriate restrictions, the contract can mitigate the potential risks associated with unlimited approvals and reduce the attack surface for potential exploits.

Security Audits: Conduct comprehensive security audits of the smart contract code by reputable third-party firms specializing in smart contract security. These audits can help identify vulnerabilities and weaknesses in the codebase and provide recommendations for strengthening the contract’s security.

Reproducing the hack

We will be using the Foundry framework for POC.

The exploit PoC link can be found here.


Web3 security- Need of the hour

Why QuillAudits For Web3 Security? QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Partner with QuillAudits

2,187 Views

Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Latest blogs for this week

Understanding Fuzzing and Fuzz Testing: A Vital Tool in Web3 Security

Read Time: 5 minutes When it comes to smart contracts, ensuring the robustness and security of code is paramount. Many techniques are employed to safeguard these contracts against vulnerabilities
Read More

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

Read Time: 7 minutes Decentralized finance (DeFi) relies on Ethereum staking to secure the blockchain and maintain consensus. Restaking allows liquid staking tokens to be staked with validators in
Read More

ERC 404 Standard: Everything You Need to Know

Read Time: 7 minutes Introduction Ethereum has significantly shaped the crypto world with its introduction of smart contracts and decentralized applications (DApps). This has led to innovative developments in
Read More

DNS Attacks:  Cascading Effects and Mitigation Strategies

Read Time: 8 minutes Introduction DNS security is vital for a safe online space. DNS translates domain names to IP addresses, crucial for internet functionality. DNS ensures unique name-value
Read More

EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding

Read Time: 7 minutes Introduction  Ethereum, the driving force behind dApps, has struggled with scalability. High fees and slow processing have limited its potential. They have kept it from
Read More

QuillAudits Powers Supermoon at ETH Denver!

Read Time: 4 minutes Calling all the brightest minds and leaders in the crypto world! Are you ready to build, connect, and innovate at the hottest event during ETH
Read More

Decoding the Role of Artificial Intelligence in Metaverse and Web3

Read Time: 7 minutes Introduction  Experts predict a transformative shift in global software, driven by AI and ML, marking the dawn of a new era. PwC predicts AI will
Read More

Transforming Assets: Unlocking Real-World Asset Tokenization

Read Time: 7 minutes In the blockchain, real-world assets (RWAs) are digital tokens that stand for tangible and conventional financial assets, including money, raw materials, stocks, and bonds. As
Read More
Scroll to Top

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:

1

Refer QuillAudits to Web3 projects for audits.

2

Earn rewards as we conclude the audits.

3

Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+