Analysis, 2023-03-01

How 120k ETH was recovered from the Wormhole attacker

BradMoon

Security Operation / Audit

Summary

On February 2, 2022, at 18:24:13 UTC, a mysterious attacker launched an attack on the Wormhole cross-chain bridge on the Solana blockchain. Ultimately, the attacker obtained 120,000 WETH on the Solana chain and moved it to Ethereum through the cross-chain bridge. Without going into the specifics, we know that the attacker transferred the acquired WETH to their own address on Ethereum. Afterward, the attacker went quiet and left behind this shocking event…

At the beginning of the attack

On February 2, 2022, at 18:24:13 UTC, a mysterious attacker launched an attack on the Wormhole cross-chain bridge on the Solana blockchain. The attacker’s address was https://solscan.io/account/CxegPrfn2ge5dNiQberUrQJkHCcimeR4VXkeawcFBBka, and the target of the attack was the bridge itself. Ultimately, the attacker successfully obtained 120,000 WETH from the Solana chain and transferred it to Ethereum through the cross-chain bridge.

Without going into the specifics, we know that the attacker transferred the acquired WETH to their address on Ethereum. The largest transfer was worth 93,750 WETH, and the receiving address can be found at https://etherscan.io/address/0x629e7da20197a5429d30da36e77d06cdf796b71a. Subsequently, the attacker unwrapped the WETH into ETH through the WETH contract. The largest such transaction, which can be found at https://etherscan.io/tx/0xacd309b02e4b533484d148de9ab0adf367ed4e70ed751d1ff036152dc3bc0479, yielded 80,000 ETH.

Afterward, the attacker disappeared and left behind this shocking event…

Recent events

On February 21st, how was the recovery of 120,000 ETH achieved (https://twitter.com/Evan_ss6/status/1629231991366291457)? Let’s continue with the story:

After nearly a year of silence, the attacker suddenly became active again. The first transaction was a simple transfer: https://etherscan.io/tx/0x467a992fbfa162f3c83b21a9e150aae1c566360d82e9ea4883752901c66dc02c.

Then, using the 93,750 ETH in their possession, the attacker swapped it for 95,677 stETH on OpenOcean (https://etherscan.io/address/0x6352a56caadc4f1e25cd6c75970fa768a3304e64) in the transaction https://etherscan.io/tx/0x5b7a789deafa61792c62e17f2b18e8a76ca995b77853ba54d20d755a98120a5b.

Subsequently, the attacker exchanged the 95,677 stETH in their possession for 85,673 wstETH through Lido’s contract (https://etherscan.io/token/0xae7ab96520de3a18e5e111b5eaab095312d7fe84) in the transaction https://etherscan.io/tx/0x38a32f29629676d3485f341aec0d59317246763ba01e6d1202aef4ba8e462220. The attacker still held around 25,000 ETH, which was also exchanged for wstETH.

In this way, the attacker converted most of their ETH profit into 85,673 wstETH. So what is wstETH, and how does the Oasis Vault work? We need to understand these concepts to understand how the money was recovered.

What is Oasis Vault?

Oasis.app was founded in 2019 to let users interact with the Maker protocol. This decentralized finance platform allows its users to borrow Dai and make the most of their crypto assets. Anyone can open a Vault, deposit wstETH as collateral, borrow DAI, and carry out further financial operations.

On Oasis.app’s official website at https://kb.oasis.app/help/why-open-a-vault, they list several advantages of this mechanism, including increased risk exposure, increased liquidity, and passive income, among others.

What are the design features of Oasis Vault?

Oasis has two interesting features, Auto Buy and Auto Sell. According to the feature description, Auto Buy and Auto Sell automatically manage the collateral ratio of the Vault: with just a few clicks, you create an automation strategy that executes at a pre-configured trigger point and moves the Vault’s collateral ratio to the target value.

What does it have to do with attacks?

Only 9 minutes after opening the Vault, the attacker, apparently wanting to avoid unexpected losses in the volatile cryptocurrency market, turned on auto-trading, which is implemented by the AutomationBot feature used by Oasis.

Take Vault 30100, opened by the attacker; its address can be found at https://etherscan.io/address/0x4288382dd4e559dc79dc62595ff27251c7c7a2f2#code. Enabling auto-buy and auto-sell on a Vault requires an additional transaction, and 9 minutes after opening the Vault the attacker activated the feature through the transaction at https://etherscan.io/tx/0xf11f1225b61fcce8e7fc49097e3e09a50dce65f46b7178054005841d831d8ae2.

What actions does this auto-trading perform on the Vault? The AutomationBot contract plays a critical role here, with its proxy contract found at https://etherscan.io/address/0x4288382dd4e559dc79dc62595ff27251c7c7a2f2#code and its logic contract at https://etherscan.io/address/0x6e87a7a0a03e51a741075fdf4d1fcce39a4df01b#code.

Whenever auto-trading is enabled, the AutomationBot contract is called. Firstly, the activating transaction calls the addTrigger function in the AutomationBot contract, which registers the Vault with the contract. Secondly, and most importantly, the proxy contract corresponding to AutomationBot is granted access to the Vault.

However, an upgradeable proxy contract means that its logic can be replaced, so whoever controls the upgrade effectively holds that access to the Vault.

Core steps

After this series of operations, the attacker’s wstETH sat in the Vault as collateral against borrowed DAI, and AutomationBot, an upgradeable contract, had been granted access to the funds in the Vault.

So how was the money recovered? Let’s take a look at the key transaction. The core rescue transaction is at https://etherscan.io/tx/0x4f4117317a9f69915cbd060dc649c91bdc2963ea326ede46b14a2d8ef9007617.

Before analyzing this transaction, we need to know that the rescue was initiated by an earlier transaction, https://etherscan.io/tx/0x1c50b75828613d94082c64affb9fb03e2d0566353b38d304a1a9963161b1b1dc, in which an owner was added.

Specifically, the purpose of this initial transaction is to add a signer to the Oasis Multisig, which is necessary for the subsequent preparations.

So how did the core rescue transaction work? Let’s take a look:

  • The first key point is that the logic address of AutomationBot was updated to the Oasis Multisig.

  • The second key point is that, after obtaining permission this way, the funds in the original Vault were transferred to a new Vault, and the permission was transferred to 0x85f…
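To make the mechanism described above concrete (the proxy being granted Vault access, and the rescue then replacing that proxy's logic), here is an added illustration that is not code from Oasis, Maker or this article: a hypothetical, heavily simplified vault manager, an admin-upgradeable proxy and a replacement logic contract. All names (VaultManager, BotProxy, ShiftLogic, allow, shift, rescue) are assumptions that model the permission the article describes, not the real contracts' interfaces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Hypothetical, simplified vault manager (an assumption, not Maker/Oasis code): a vault has
// an owner and an allow-list; collateral moves between vaults only for the owner or an allowed address.
contract VaultManager {
    uint256 public nextId = 1;
    mapping(uint256 => address) public owns;
    mapping(uint256 => uint256) public collateral;
    mapping(uint256 => mapping(address => bool)) public allowed;
    function open() external returns (uint256 id) { id = nextId++; owns[id] = msg.sender; }
    function deposit(uint256 id) external payable { collateral[id] += msg.value; } // stands in for wstETH
    // The permission the article describes: the vault owner grants the bot proxy access.
    function allow(uint256 id, address usr, bool ok) external {
        require(msg.sender == owns[id], "not owner");
        allowed[id][usr] = ok;
    }
    function shift(uint256 src, uint256 dst, uint256 amt) external {
        require(msg.sender == owns[src] || allowed[src][msg.sender], "not permitted");
        collateral[src] -= amt; // reverts on underflow in 0.8.x
        collateral[dst] += amt;
    }
}

// Minimal admin-upgradeable proxy: every call is delegatecall'ed to `logic`, so the
// installed logic runs as the proxy itself (same address, same storage).
contract BotProxy {
    address public admin;
    address public logic;
    constructor(address l) { admin = msg.sender; logic = l; }
    // In the Oasis case this gate is the multisig; whoever passes it controls the logic.
    function upgrade(address l) external { require(msg.sender == admin, "not admin"); logic = l; }
    fallback() external payable {
        address impl = logic;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}

// Replacement logic. Executed via delegatecall, VaultManager sees msg.sender == proxy,
// so the allow-list entry granted for auto-trading now authorises a collateral shift.
contract ShiftLogic {
    function rescue(VaultManager m, uint256 src, uint256 dst, uint256 amt) external {
        m.shift(src, dst, amt);
    }
}
```

After the admin (the multisig, in the real case) calls upgrade(address(new ShiftLogic())), a call to rescue(...) through the proxy moves collateral out of any vault whose owner allowed the proxy, which is why granting Vault access to an upgradeable proxy amounts to trusting whoever controls its upgrade.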

We can also look at the code of the updated contract used to rescue the funds. Although its source code is not publicly available, the decompiled bytecode gives some insight into its logic, and it corresponds to what the transaction trace shows.

Specifically, it transferred 120,695 wstETH from Vault 30100 to Vault 30231.

With this core step, the rescue of the attacker’s funds was complete.

Of course, once the funds had been rescued, the original Vault 30100 still needed to be restored, which was done in a follow-up step.

Finally, the funds were safe.

Summary

This recovery mechanism rests on multi-sig permission as its foundation, a contract upgrade as its core, and a Vault-to-Vault fund transfer as its technique.

Could this put ordinary users’ funds at risk? There is no need to worry, because every such operation requires a multi-sig process, and the security of the multi-sig ensures that a single malicious individual cannot carry it out. But it is a reminder that the complex logic introduced by the composability and upgradeability of smart contracts will be a major issue for DeFi security in the future.

At the same time, the urge to invest seems unavoidable, even for attackers who have already made such high returns.

What else is interesting?

During the month in which the attacker remained silent after the attack, they received messages, one of which was sent by the Wormhole team. In the transaction https://etherscan.io/tx/0x63d83b510a744b00f8e33470873ce4e53a5551e39ece35e45a5ca202b471a913, the input data decodes to the following message:

We would like to reiterate our previous offer of a $10 million bounty for the total return of all the stolen funds. You can reach out to us at bounty@wormholenetwork.com or reply on the chain.

Unfortunately, it seems that the attacker did not pay attention to this second bounty opportunity and missed out on a potential reward of 10 million USD.

One day later, in the transaction https://etherscan.io/tx/0x3d675cec5255b7b60f761af0b7690685c801da7a5586caa311a607b39b95155d, the attacker received another message, which reads:

Hello. Would you please consider supporting my project? There are several ways to do so. You could purchase tokens on Uniswap, you can mint our digital collectibles in the very near future, or you can simply send ETH to this wallet address. Any amount would be greatly appreciated (of course, 100 ETH would be amazing though LOL). Whale support would mean a great deal for our project, and would change the lives of everyone involved and the lives of their families. The website for the project and the contract address for the token are below: Website: https://ethmonarchclub.com Token Contract Address: 0x15ea036F8540d4c7aDA666Ea4F07617b4DA8dF5C

