Pickle Finance Hack Analysis & POC

By Abdul Sami J.

Introduction

On 21sth November 2021, Pickle finance was hacked where an attacker was able to drain $19M DAI from pDai jar. The attack exploited multiple inconsistencies & flaws in the logic of the pickle jar smart contract.

Pre-requisite

  1. Pickle Jar contract had a function swapExactJarForJar() which was meant to be generalized to bring more flexibility to the protocol. However, the attack could have been prevented if the function checked for whitelisted ones.
  2. The attacker’s jars contains minimalist functions to functions as a jar and since the user controls Jars most of the checks can be easily bypassed.

The Exploit

The user created two Jar contracts

  1. Attacker’s Address
  2. Attack transaction
  3. Attacker’s Contract
  4. Detailed transaction trace

Steps involved in exploit

  1. The attacker deploys two new fake Jars.
    a- First Jar
    b. Second Jar

2. The attacker calls strategyCmpdDaiV2.getSuppliedUnleveraged() which returns the amount of DAI available i.e 19728769153362174946836922 ~ 19M.728 DAI

3. The attacker calls swapExactJarForJar first time, supplying fake Jar addresses created earlier which withdraws deleveraged invested DAI from compound back to pDAI Jar.

4. Attacker calls earn() function 3 three times on pDAI (Pickling Dai) minting cDAI to StrategyCmpdDaiV2 contract.

5. The attacker deploys another two fake Jars & a fake underlying.
a. Third Jar
b. Fourth Jar
c. Fake Underlying contract

6. Then the attacker calls swapExactJarForJar this time passes in third & fourth Jar with crafted data that makes a function call to curve proxy in the context of the controller-v4. Since the attacker has crafted the Jar to work with the contract it bypasses checks to the point where arbitrary code is executed in the context of the controller-v4 contract. Then withdraw() is called to withdraw 950,818,864 cDAI to controller-v4. The withdrawn cDAI are deposited to the fake Jar through deposit() and all cDAI are transferred to the attacker.

7. The attacker calls redeemUnderlying on compound to convert all cDAI to DAI & walks away with ~19M DAI.

Try it yourself!

We have put together a Github repository to re-produce the attack.

Here is the Github repo: https://github.com/abdulsamijay/Defi-Hack-Analysis-POC/tree/master/src/pickle-finance

--

--

--

We exist to build trust in the web3 ecosystem by cultivating veterans that are experts in security, testing and audits. Visit the website: https://blockapex.io

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

{UPDATE} The Ninja Assassin Creed Hack Free Resources Generator

Hack The Box — Beep Walkthrough

{UPDATE} Угадай Город HD Hack Free Resources Generator

{UPDATE} Hill Climb Bus Racing 3D Hack Free Resources Generator

Mobile App Security Vulnerabilities and How to Mitigate Them

Ethereum-Push-Notification-Service (EPNS)

{UPDATE} Lights Off Hack Free Resources Generator

{UPDATE} Let it Goat Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
BlockApex

BlockApex

We exist to build trust in the web3 ecosystem by cultivating veterans that are experts in security, testing and audits. Visit the website: https://blockapex.io

More from Medium

Lunaray Token Security Scan Report

Beanstalk Hack Analysis & POC

Forward Factory — Smart Contracts, Products, and Services for Decentralized Value-Intensive…

How PNM protected $8M for ApeX Protocol: Uniswap v3 TWAP Oracle Manipulation