Approximately $8.2 Million Lost: Full Review of the Visor Finance Hack
On December 21, monitoring by Chengdu Lian'an's blockchain security situational-awareness platform detected that the staking contract of Visor Finance, a Uniswap V3 asset-management project, was attacked at about 10:18 p.m. Beijing time on December 21, with losses of roughly $8.2 million. In response, the Chengdu Lian'an expert team carried out a first-response analysis of the incident.
# 1. Overview
On the evening of December 21, 2021, the CEO of Visor Finance announced on Twitter that the vVISR contract had been attacked, and that the attack had already begun before the announcement.
After analysis by the Chengdu Lian'an expert team, the attacker exploited a flaw in the Visor Finance project's staking contract (0xc9f27a50f82571c1c8423a42970613b5g2, verified) to have approximately 200 million staking-share tokens (vVISR) minted to himself through re-entrancy. He then used those shares to withdraw 8,812,958 VISR from the staking contract.
# 2. Attack Details
The attack transaction is:
https://etherscan.io/tx/0x69272d8c84d67d1da2f6425b339192fa472898dce936f24818fda415c1c1ff3f
The attack process is analyzed below.
1. The attacker deployed the attack contract
0x10c509aa9ab291c76c45414e7cdbd375e1d5ace8;
2. Through that contract, the attacker called the deposit function of the Visor Finance project's staking contract, passing a visrDeposit amount of 100 million, the attack contract as the from address, and the attacker's own address as the to address:
0x8efab89b497b887cdaa2fb08ff71e4b3827774b2;
3. On line 53, the staking contract calculated the number of shares owed for the deposit as 97,624,975 vVISR.
4. Because the from address is a contract (the attack contract), the deposit function took the branch on lines 56-59 and called functions on the attack contract:
(1) Line 57 calls the attack contract's owner function; as long as that function returns the attack contract's own address, the check on line 57 passes.
(2) Line 58 calls the attack contract's delegatedTransferERC20 function, which hands control back to the attack contract; the attack contract then calls the staking contract's deposit function again with the same arguments;
(3) When this second call reaches line 58, the attack contract does not re-enter again and simply returns.
5. After the re-entrancy, the staking contract had minted shares to the attacker twice, 97,624,975 vVISR each time, for a total of 195,249,950 vVISR.
6. Withdrawal
The attacker then called withdraw
(0x6eabef1bf310a1361041d97897c192581cd9870f6a39040cd24d7de2335b4546), converting 195,249,950 vVISR into 8,812,959.219 VISR.
7. The attacker swapped 5,200,000 VISR for WETH through Uniswap V2, which drained almost all of the ETH in Uniswap V2's ETH/VISR pair, and then deposited 133 ETH into Tornado.
# 3. Incident Review
The attack exploited two flaws in the RewardHypervisor staking contract of the Visor Finance project:
1. The external call did not restrict which contract could be called: the attacker could supply an arbitrary contract as the callee, which allowed the staking contract to be re-entered.
2. The deposit function had no re-entrancy protection.
In response to these two issues, Chengdu Lian'an recommends that project teams take two precautions:
1. When making external calls, add a whitelist to restrict the callee, especially when the called contract can influence the execution flow of the calling function.
2. Use OpenZeppelin's ReentrancyGuard contract to prevent re-entrancy.
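To make the two flaws and the two recommendations concrete, the following is an added illustrative example written for this review; it is not Visor Finance's RewardHypervisor source. It reduces a deposit function to the shape described in Section 2 (shares computed before tokens arrive, an owner() check against a caller-supplied contract, a delegatedTransferERC20 callback into that contract, and the mint after the external call) and places it beside a hardened version that applies the whitelist and ReentrancyGuard recommendations. Contract names, the IVisor interface, the admin/whitelist functions and the OpenZeppelin 4.x import paths are assumptions of this example; the extra balance-delta check in the hardened version is an additional safeguard beyond the two recommendations above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumes OpenZeppelin 4.x import layout.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";

// Hypothetical vault interface mirroring the two calls described in the analysis.
interface IVisor {
    function owner() external view returns (address);
    function delegatedTransferERC20(address token, address to, uint256 amount) external;
}

// Illustrative vulnerable shape (not the project's code): the `from` contract is
// chosen by the caller, and shares are minted after an untrusted external call.
contract VulnerableStaking is ERC20 {
    using SafeERC20 for IERC20;
    IERC20 public immutable visr;

    constructor(IERC20 _visr) ERC20("Staked VISR (demo)", "vVISR") { visr = _visr; }

    function deposit(uint256 visrDeposit, address payable from, address to) external returns (uint256 shares) {
        require(visrDeposit > 0, "deposit must be nonzero");
        // Shares are priced from the pool balance *before* any tokens arrive.
        shares = _sharesFor(visrDeposit);
        if (from.code.length > 0) {
            // Any contract passes this check if its owner() simply returns the expected address.
            require(IVisor(from).owner() == msg.sender, "not vault owner");
            // Untrusted callee: it may re-enter deposit() and never transfer anything.
            IVisor(from).delegatedTransferERC20(address(visr), address(this), visrDeposit);
        } else {
            visr.safeTransferFrom(from, address(this), visrDeposit);
        }
        _mint(to, shares); // minted regardless of whether VISR was actually received
    }

    function _sharesFor(uint256 amount) internal view returns (uint256) {
        uint256 total = totalSupply();
        uint256 bal = visr.balanceOf(address(this));
        return (total == 0 || bal == 0) ? amount : (amount * total) / bal;
    }
}

// Hardened version: callee whitelist, ReentrancyGuard, and a balance-delta check.
contract HardenedStaking is ERC20, ReentrancyGuard {
    using SafeERC20 for IERC20;
    IERC20 public immutable visr;
    address public immutable admin;              // hypothetical admin role for this demo
    mapping(address => bool) public approvedVaults; // whitelist of contracts allowed as `from`

    constructor(IERC20 _visr) ERC20("Staked VISR (demo)", "vVISR") {
        visr = _visr;
        admin = msg.sender;
    }

    function setVaultApproval(address vault, bool approved) external {
        require(msg.sender == admin, "not admin");
        approvedVaults[vault] = approved;
    }

    function deposit(uint256 visrDeposit, address payable from, address to)
        external
        nonReentrant // recommendation 2: a re-entrant call to deposit() reverts
        returns (uint256 shares)
    {
        require(visrDeposit > 0, "deposit must be nonzero");
        uint256 before = visr.balanceOf(address(this));
        shares = _sharesFor(visrDeposit);
        if (from.code.length > 0) {
            // recommendation 1: only contracts the project has approved may be called
            require(approvedVaults[from], "vault not whitelisted");
            require(IVisor(from).owner() == msg.sender, "not vault owner");
            IVisor(from).delegatedTransferERC20(address(visr), address(this), visrDeposit);
        } else {
            visr.safeTransferFrom(from, address(this), visrDeposit);
        }
        // Extra safeguard: shares are only minted for VISR that actually arrived.
        require(visr.balanceOf(address(this)) - before == visrDeposit, "deposit not received");
        _mint(to, shares);
    }

    function _sharesFor(uint256 amount) internal view returns (uint256) {
        uint256 total = totalSupply();
        uint256 bal = visr.balanceOf(address(this));
        return (total == 0 || bal == 0) ? amount : (amount * total) / bal;
    }
}
```

In the hardened version the three protections are independent: the whitelist stops an arbitrary contract from being reached at all, nonReentrant makes a nested deposit() revert even if an approved vault misbehaves, and the balance-delta check ties the minted shares to tokens that were actually received, which is the invariant the share calculation assumes.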