In the summer of 2020, Chef Nomi (@NomiChef) [1] presented the MasterChef contract [2], one of the most redeployed contracts during the initial wave of DeFi mania. Many DeFi projects tweaked and re-deployed the MasterChef contract to build their yield farming features. However, some of them made mistakes while altering Chef Nomi’s recipe [3][4][5]. On October 6, 2021, we identified one of them.

0x00: Dinosaur Eggs

Dinosaur Eggs’ LiquidityPool contract [6] is another altered version of MasterChef with the “addtionalRate” feature. Specifically, if the user burns an NFT before depositing LP tokens, up to 10% of the deposited amount would be accounted for reward calculation.

As shown in line 327–328 above, (_amount*user.addtionalRate) would be added into user.addtionalAmount which would be referenced while deriving pending rewards and user.rewardDebt.

0x01: Loophole

Inherited from MasterChef, the emergencyWithdraw() function enables users to withdraw their LP tokens without claiming rewards in emergency situations. However, the user.additionalAmount is not reset in Dinosaur Egg’s implementation such that the next harvest() call would allow bad actors to claim extra rewards.

In line 342 of the harvest() function, pendingAmount is computed by: [(user.amount+user.additionalAmount)*pool.accRewardPerShare — user.rewardDebt]. Now, since emergencyWithdraw() resets user.amount and user.rewardDebt but leaving user.addtionalAmount unchanged, the pendingAmount turns out to be (user.addtionalAmount*pool.accRewardPerShare). Even worse, if the bad actors keep doing harvest() after emergencyWithdraw(), they could drain all the reward tokens by taking out (user.addtionalAmount*pool.accRewardPerShare) in each run with literally zero LP tokens deposited in the LiquidityPool contract.

0x02: Exploit

The above code snippets of the exploit contract proved our theory. In the prepare() function, we intentionally minted an NFT (line 36) and burned it to opt in the addtionalRate thing (line 40). After that, we deposited() some LP tokens into LiquidityPool. To claim the extra reward tokens, we performed multiple runs of emergencyWithdraw() + harvest() calls in a loop (line 48–51).

The eth-brownie screenshot above demonstrates how we claimed thousands of reward tokens (DSG) with only 30 LP tokens (DsgLP). If we had removed the emergencyWithdraw() call but performed harvest() only in the exploit contract, less than 1 DSG would have been claimed. Not to mention using flash-loans to amplify the profits.

0x04: Mitigation

The DSG team promptly confirmed the issue and worked on the patches. With the fixed emergencyWithdraw() function, the new version of LiquidityPool was deployed and users were asked to migrate their LP tokens while reward minting of the old version was stopped. Fortunately, no real exploits occurred before the completion of the migration. As part of the bounty program, the DSG team awarded us $10K equivalent DSG tokens [7] which were later donated to the nonprofit organization Open Culture Foundation (OCF) [8].

References

[1] https://twitter.com/NomiChef

[2] https://etherscan.io/address/0xc2edad668740f1aa35e4d8f227fb8e17dca888cd#code

[3] https://twitter.com/peckshield/status/1420272942030594048

[4] https://watchpug.medium.com/safedollar-exploit-root-cause-analysis-4b7ec6357a6d

[5] https://www.certik.org/blog/uranium-finance-exploit-technical-analysis

[6] https://bscscan.com/address/0x4747eeeeb4fc60630403d775264fdd4848109bf7#code

[7] https://bscscan.com/tx/0x68645f7e094daa334b922efd64cd44be1b4090cc74e9f824309ba4744aa3a354

[8] https://blog.ocf.tw/2021/11/202110_9.html

Disclaimer

The information contained in this post (the “Information”) has been prepared solely for informational purposes, is in summary form, and does not purport to be complete. The Information is not, and is not intended to be, an offer to sell, or a solicitation of an offer to purchase, any securities. The Information does not provide and should not be treated as giving investment advice. The Information does not take into account specific investment objectives, financial situation or the particular needs of any prospective investor. No representation or warranty is made, expressed or implied, with respect to the fairness, correctness, accuracy, reasonableness or completeness of the Information. We do not undertake to update the Information. It should not be regarded by prospective investors as a substitute for the exercise of their own judgment or research. Prospective investors should consult with their own legal, regulatory, tax, business, investment, financial and accounting advisers to the extent that they deem it necessary, and make any investment decisions based upon their own judgment and advice from such advisers as they deem necessary and not upon any view expressed herein.