@i2huer and @0xtarafans

Produced by PNM x Narya Labs

TL;DR

In late March, our whitehats i2huer (Purdue University) and 0xtarafans from Pwned No More (PNM) DAO submitted a critical vulnerability, together with a working PoC, to Duet Protocol's bug bounty program. The attack relies on price oracle manipulation and lets an attacker borrow high-value assets against very little collateral, putting Duet's synthetic asset market at risk. The finding was rewarded with $50,000. The Duet team was highly responsive both in fixing the bug and in paying out the bounty.

Background

You may have heard many DeFi security researchers and developers complain about price oracle manipulation, one of the most notorious attack classes in cryptocurrency history, and wondered how common such attacks still are in 2022. Unfortunately, despite its infamy, price oracle manipulation remains prevalent in the cryptocurrency market and, no doubt, extremely painful. For example, on March 15, 2022, Deus Finance, a DeFi protocol on Fantom, was hacked for a loss of about $3M through a flashloan-enabled price oracle manipulation.

To better understand price oracle manipulation attacks, we start with three related concepts: automated market makers (AMMs), price oracles, and flashloans.

Automated Market Maker (AMM)

AMM protocols are sets of smart contracts that let users swap one token for another. Without a centralized exchange or any other intermediary, an AMM prices a token according to a mathematical formula. In the case of PancakeSwap (the AMM involved in Duet's bug), the formula is the constant-product function:

$$ x \cdot y = k $$

$x$ and $y$ denote the reserves of token0 and token1 in the pool, respectively, and a swap may never decrease $k$ (in practice, trading fees make it grow slightly). Note that, for PancakeSwap, each market, namely a pool (or pair), consists of exactly two tokens, referred to as token0 and token1. The pool's spot price of token0 in units of token1 is simply $y / x$, which is why a large enough swap moves that price within a single transaction.

Liquidity providers (LPs) deposit both token0 and token1 into a target pool to increase its liquidity and receive a liquidity token, namely an LP token, representing their share of the pooled liquidity. Thus, each LP token can be thought of as one share unit in the pool, and its value is derived from the pool's reserves.

Price Oracle

Price oracles are smart contract functions used to estimate the value of given assets. There are two types: on-chain and off-chain oracles. On-chain oracles are usually implemented by querying the price from AMMs, i.e., by reading pool reserves that anyone can move within a single transaction; off-chain oracles are data feeds pushed on-chain by an off-chain decentralized network. Chainlink is known as one of the most reliable off-chain price providers.

Flashloan

A flashloan is a lending model that lets users borrow a considerable amount of assets without posting any collateral up front. It is enabled by the atomicity of on-chain transactions and is supported by mainstream AMMs, e.g., PancakeSwap, whose pairs offer it in the form of a flash swap.

Specifically, PancakeSwap's flashloan function first transfers the requested loan to the borrower, then invokes the user-provided callback, and finally checks that the loan (plus the swap fee) has been repaid. Arbitrage, or in an attacker's case oracle manipulation, can be carried out with the borrowed assets inside the callback. If the repayment has not been completed by the time the check runs, the whole transaction is reverted. Since the transaction is atomic, the AMM never suffers a loss.
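The following Python simulation is an added, stand-alone example and is not code from the original post, from Duet, or from PancakeSwap. It ties the three concepts above together: an $x \cdot y = k$ pool with a PancakeSwap-style 0.25% fee and the flash-swap order of operations (send out, callback, check $k$), a naive on-chain oracle that values an LP token from the pool's own reserves, and the fair LP pricing formula popularized by Alpha Finance, which depends only on $k$ and on prices from an external oracle. The pool sizes, the 3M BUSD the attacker pushes through the pool, the fee constant and all helper names are constructed assumptions for the example.

```python
"""Added simulation: x*y=k pool, PancakeSwap-style flash swap, and why an LP price
read from the pool's own reserves is manipulable. All numbers, the 0.25% fee and
the helper names are constructed for this example (not Duet's or PancakeSwap's code)."""
from math import sqrt

BPS = 10_000
FEE_BPS = 25  # 0.25% taken from every input amount (PancakeSwap V2 value, assumed here)


class Reverted(Exception):
    """Stands in for an EVM revert: every state change of the call is discarded."""


class Pool:
    """Minimal two-token pair modeled after the UniswapV2/PancakeSwap V2 pair contract."""

    def __init__(self, reserve0, reserve1, lp_supply):
        self.reserve0, self.reserve1, self.lp_supply = reserve0, reserve1, lp_supply

    def k(self):
        return self.reserve0 * self.reserve1

    def spot_price0(self):
        """Price of token0 in units of token1: exactly what a naive on-chain oracle reads."""
        return self.reserve1 / self.reserve0

    @staticmethod
    def get_amount_out(amount_in, reserve_in, reserve_out):
        """Router formula: output for a given input after the fee, rounded down."""
        amount_in_with_fee = amount_in * (BPS - FEE_BPS)
        return amount_in_with_fee * reserve_out // (reserve_in * BPS + amount_in_with_fee)

    def swap(self, amount0_out, amount1_out, callback):
        """Flash-swap order of operations: send tokens out first, run the caller's
        callback, and only then verify that the fee-adjusted product did not shrink."""
        if amount0_out == 0 and amount1_out == 0:
            raise Reverted("INSUFFICIENT_OUTPUT_AMOUNT")
        if amount0_out >= self.reserve0 or amount1_out >= self.reserve1:
            raise Reverted("INSUFFICIENT_LIQUIDITY")
        balance0 = self.reserve0 - amount0_out  # optimistic transfer out
        balance1 = self.reserve1 - amount1_out
        repay0, repay1 = callback(amount0_out, amount1_out)  # borrower acts here
        balance0 += repay0
        balance1 += repay1
        amount0_in = max(balance0 - (self.reserve0 - amount0_out), 0)
        amount1_in = max(balance1 - (self.reserve1 - amount1_out), 0)
        adjusted0 = balance0 * BPS - amount0_in * FEE_BPS
        adjusted1 = balance1 * BPS - amount1_in * FEE_BPS
        if adjusted0 * adjusted1 < self.k() * BPS * BPS:
            raise Reverted("K")  # loan plus fee was not repaid: whole tx reverts
        self.reserve0, self.reserve1 = balance0, balance1

    def swap_exact_in(self, token_in, amount_in):
        """Ordinary swap through the same path: pay amount_in of token_in, get the other."""
        if token_in == 0:
            out = self.get_amount_out(amount_in, self.reserve0, self.reserve1)
            self.swap(0, out, lambda _a0, _a1: (amount_in, 0))
        else:
            out = self.get_amount_out(amount_in, self.reserve1, self.reserve0)
            self.swap(out, 0, lambda _a0, _a1: (0, amount_in))
        return out


def naive_lp_price(pool, price1):
    """Vulnerable pattern: value both reserves using the pool's own spot price."""
    price0 = pool.spot_price0() * price1
    return (pool.reserve0 * price0 + pool.reserve1 * price1) / pool.lp_supply


def fair_lp_price(pool, price0, price1):
    """Fair LP pricing: 2*sqrt(k*p0*p1)/supply, with p0 and p1 from an external oracle.
    A swap cannot reduce k, so skewing the reserves barely moves this value."""
    return 2 * sqrt(pool.k() * price0 * price1) / pool.lp_supply


def flash_borrow(pool, amount0, repay0):
    """Borrow amount0 of token0 by flash swap and hand back repay0. True on success."""
    try:
        pool.swap(amount0, 0, lambda _a0, _a1: (repay0, 0))
        return True
    except Reverted:
        return False


def manipulation_demo():
    """One atomic transaction: dump flash-borrowed BUSD into the pool, read both oracles
    while the reserves are skewed, then swap back. Returns (naive, fair) per stage."""
    pool = Pool(1_000_000, 1_000_000, 1_000_000)  # token0 = TOKEN, token1 = BUSD, 1:1
    readings = {"before": (naive_lp_price(pool, 1.0), fair_lp_price(pool, 1.0, 1.0))}
    token_out = pool.swap_exact_in(1, 3_000_000)  # 3M BUSD (flash-borrowed) -> TOKEN
    readings["during"] = (naive_lp_price(pool, 1.0), fair_lp_price(pool, 1.0, 1.0))
    pool.swap_exact_in(0, token_out)  # unwind; the attacker only loses fees and slippage
    readings["after"] = (naive_lp_price(pool, 1.0), fair_lp_price(pool, 1.0, 1.0))
    return readings


if __name__ == "__main__":
    for stage, (naive, fair) in manipulation_demo().items():
        print(f"{stage:7s} naive LP price = {naive:.4f}   fair LP price = {fair:.4f}")
```

Running it shows the naive LP price jumping from 2.0 to 8.0 while the reserves are skewed, then settling back near 2.0 after the unwind, whereas the fair price stays within a fraction of a percent of 2.0 throughout; a lending market that reads the naive value mid-transaction would let the attacker borrow against LP tokens at four times their worth. The `flash_borrow` helper shows the other half of the story: repaying exactly the borrowed amount fails the `K` check and reverts, so the borrower must return the loan plus the 0.25% fee for the transaction to stand.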

Vulnerability Analysis

Duet protocol (Duet) is a multi-chain synthetic asset protocol that aims to bring various assets for use in the blockchain world.