Cauldron V4 Post Mortem

tl;dr There were 44 users impacted by a vulnerability discovered in our Cauldron V4 contract. No user funds or protocol funds have been lost. If you have interacted with the GLP cauldron on Arbitrum or the CRV, migrated WBTC, or yvcrvstETH cauldrons on ETH Mainnet, please visit app.abracadabra.money/#/claim to revoke approvals as tokens in your wallet could be at risk.

NOTE: The front-end is still being finalized but will be released shortly. In the interim, all funds have been secured in the claims contract for safekeeping.

Last week, we became aware of a potential vulnerability in the design of our Cauldron V4. Prompt action was taken to secure any funds potentially at risk and safeguard against any potential losses for our users. In the post below, we have detailed the steps taken to address this vulnerability and, for the 44 users who may have been impacted, we provide instructions on how to safely regain access to their funds.

Am I affected?

The vulnerability discovered affects 44 users who have previously interacted with the following cauldrons:

  • GLP on Arbitrum

  • CRV on Mainnet

  • Migrated WBTC and yvcrvstETH on Mainnet

If you have ever interacted with these cauldrons, please visit app.abracadabra.money/#/claim and follow the steps outlined in our UI. Funds that have been secured will not be receiving rewards while they are waiting to be claimed.

Vulnerability

In CauldronV4, we introduced a new feature that lets arbitrary addresses be blacklisted as targets of the call action in the `cook` function. In the process of adding this functionality, a vulnerability was introduced in the `init` function, which was susceptible to a re-entrancy attack. The attack worked as follows.

The attacker can deploy a clone of the CauldronV4 master contract with a malicious Oracle. The `init` function calls `get` on the Oracle, and the malicious Oracle can then re-enter the Cauldron, calling the `cook` call action before the default contract blacklisting happens.

In this way, the attacker can withdraw any tokens inside a user’s wallet that were approved for DegenBox when the user also approved the CauldronV4 MasterContract using DegenBox setMasterContractApproval. This approval happens in the form of an explicit typed signature when a user interacts with a cauldron for the first time.

A new version of the Cauldron will be released where the blacklisting will happen before calling the oracle, adhering to the checks/effects/interaction pattern.
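The ordering problem described above, as an added illustration in simplified Solidity (not the project's actual CauldronV4 code; names such as `initVulnerable`, `initFixed`, `blacklistedCallees` and the `box` address are assumed):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IOracle {
    function get(bytes calldata data) external returns (bool success, uint256 rate);
}

// Simplified, assumed illustration of the init/cook ordering, not the real
// CauldronV4. `box` stands in for the default contract that gets blacklisted.
contract CauldronInitOrdering {
    IOracle public oracle;
    address public immutable box;
    mapping(address => bool) public blacklistedCallees;
    bool private initialized;

    constructor(address _box) { box = _box; }

    // Vulnerable ordering: the external call to the oracle happens before the
    // default blacklist is populated, so a malicious oracle's `get` can re-enter
    // `cook` while no callee is blacklisted yet and `initialized` is still false.
    function initVulnerable(IOracle _oracle, bytes calldata _data) external {
        require(!initialized, "already initialized");
        oracle = _oracle;
        (bool ok, ) = oracle.get(_data);       // interaction first
        require(ok, "oracle");
        blacklistedCallees[box] = true;         // effect applied too late
        initialized = true;
    }

    // Fixed ordering (checks, effects, interactions): every state change,
    // including the default blacklist, is applied before the external call,
    // so a re-entrant `cook` sees the blacklist already in place.
    function initFixed(IOracle _oracle, bytes calldata _data) external {
        require(!initialized, "already initialized");
        initialized = true;
        blacklistedCallees[box] = true;
        oracle = _oracle;
        (bool ok, ) = oracle.get(_data);       // interaction last
        require(ok, "oracle");
    }

    // Call action: refuses blacklisted targets. In the vulnerable flow this
    // check is useless during init because the mapping is still empty.
    function cook(address callee, bytes calldata payload) external returns (bytes memory) {
        require(!blacklistedCallees[callee], "callee blacklisted");
        (bool ok, bytes memory ret) = callee.call(payload);
        require(ok, "call failed");
        return ret;
    }
}
```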

All collateral that was inside the affected cauldrons is safe and not at risk. Going forward, we will ask users to approve the master contract at the beginning of their interaction and rescind the approval at the end of the interaction, so that once the interaction is over, no user funds will be at risk.

If you have interacted with these cauldrons before, please do not transfer any new tokens into your wallet until you have followed the instructions on app.abracadabra.money/#/claim.

Mitigation

Due to the design of the cauldron contract, it was not feasible to issue a simple contract update to mitigate risk to user funds. After consulting with other security experts, a decision was made to execute a whitehat attack on all vulnerable funds residing in affected users’ wallets and make them available for claim. During the claims process, users will revoke master contract approval, eliminating all future possibility of exploitation associated with this vulnerability.

The whitehat hack has already been successfully executed (Arbi Tx, ETH Tx) and all affected funds have been secured by a claims contract which can be found at (Arbi contract, ETH contract).

Note that through this action, no funds have been lost, so affected users will be able to claim the exact amounts of tokens that were secured by the mitigation process.

Conclusion

In light of the successful resolution of the vulnerability, we are proactively reaching out to the 44 affected addresses to inform them of the whitehat mitigation process. The user interface for claiming secured funds will be made available and will remain open until all affected addresses have had the opportunity to claim their funds.

We would like to extend our thanks to the whitehat hacker who brought the vulnerability to our attention, and we are grateful that our security measures have prevented the loss of user funds. Furthermore, we’d like to thank all those who helped us implement a solution for the vulnerability in question.

Abracadabra is committed to maintaining the highest level of security within the industry and will continue to do so. We are currently working on a new version of Cauldron V4, which will undergo thorough security evaluations before its release. We appreciate your continued support and encourage you to stay informed for updates on the launch of the new version.

Should you have any inquiries or concerns, please do not hesitate to reach out to us via our Discord server, where our DAO moderators and contributors will be available to assist you!
