Avalanche Cauldrons Vulnerability and Post Mortem
Our team was made aware of a potential vulnerability affecting our cauldron contracts on Avalanche through our Immunefi Bug Bounty Program. Since our cauldrons contracts share a codebase with Sushi’s Kashi contracts, we have been working closely together with the Sushi dev team. We ran several tests together to confirm the vulnerability and structure a solution for both affected projects.
tl;dr At the time of writing this announcement, the collateral deposited in our Avalanche cauldrons have been fully secured, borrowing will be restarted in the next hours and no user funds have been lost. Thanks to the swift action from the Ava Labs team, this vulnerability is no longer exploitable, and our preventive measures will soon be reverted.
Below is the post-mortem of the incident, which outlines how our team handled the situation and the steps forward.
In contrast to other EVM compatible chains, Avalanche added an additional precompile contract. This precompile, available at 0x0100000000000000000000000000000000000002, allows a msg.sender to be passed through for an arbitrary contract call. This means if contract x calls the precompile P with an instruction to call contract Y, contract Y thinks it is being called by contract X, not by P. This creates an opportunity to circumvent the check against forbidden callees in the Cauldron and Kashi market smart contracts, thereby allowing the collateral and available assets that are borrowable to be accessed by arbitrary callers.
The following cauldrons were vulnerable to this attack vector:
AVAX Cauldron (0x3CFEd0439aB822530b1fFBd19536d897EF30D2a2)
wMEMO Cauldron (#1) (0x56984F04d2d04B2F63403f0EbeDD3487716bA49d)
wMEMO Cauldron (#2) (0x35fA7A723B3B39f15623Ff1Eb26D8701E7D6bB21)
xJOE Cauldron (0x3b63f81Ad1fc724E44330b4cf5b5B6e355AD964B)
AVAX/USDT.e JLP Cauldron(0x0a1e6a80E93e62Bd0D3D3BFcF4c362C40FB1cF3D)
AVAX/MIM SLP Cauldron (0xAcc6821d0F368b02d223158F8aDA4824dA9f28E3)
AVAX/MIM JLP Cauldron (0x2450Bf8e625e98e14884355205af6F97E3E68d07)
USDC.e/AVAX JLP Cauldron(0x95cCe62C3eCD9A33090bBf8a9eAC50b699B54210)
TraderJoe WAVAX/USDC Cauldron (Popsicle Finance Limone Pool)
We deployed a smart contract that allowed our team to whitehack the collateral deposited and secure it in a safe, team-controlled contract. The secured collateral could be found controlled by this address here, on the respective bentobox addresses. This is a 3/5 operational multisig controlled by Abra team members.
The tokens secured are presently valued at ~$3M dollars and includes Sushiswap LP, TraderJoe LP, JOE, wMEMO and WAVAX. At the same time, a front end update was pushed that stopped users from repaying any positions in those cauldrons, to avoid a situation where MIM were repaid, but no collateral was taken out.
The following script was used to whitehat the collateral.
The Whitehat transaction was submitted here, this press release was delayed to allow to find and inform other potentially vulnerable projects.
While informing other protocols, we have also been in contact with the Avalanche team, who has updated us about the possibility of fixing this possible exploit by acting directly on the chain. While their engineers were at work, all the collateral was safely secured by our multisig to avoid any possible exploit.
The final patch went live on September 6th, 2022 on Avalanche Mainnet, making the exploit not reproducible anymore. You can refer to this article here for more details on the patch.
As the security concern is no longer present, our team will be redepositing all the whitehacked collateral back into each of the affected cauldrons, reverting the whitehack process, in the next hours.
During this time, no position has been liquidated on the Avalanche Cauldrons, and no change in individual users position has happened. If you had a position open in these cauldrons, nothing changed for you, and you will be able to safely interact with it once the collateral is sent back. Please stay tuned on our social media for more information on the timeline, but realistically it will not take much.
As mentioned previously, this vulnerability only affected the Bentobox/Degenbox cauldrons deployed on Avalanche Mainnet and it is now no longer present thanks to the mandatory security upgrade processed by the Avalanche network. The rest of the chains have been double checked and we are confident that no other cauldrons are currently affected by this exploit.**
**
Once again, no user funds were lost. If you had a position open in any of our Avalanche cauldrons, your position is still present and you will soon be able to interact with it normally.
Lastly, we would like to thank everyone involved in this process for their professionalism and help in making sure that no user funds were lost and no protocols were severely affected!
Update: After the publication of this post mortem, we have managed to get in contact with the auditing firm that discovered the vulnerability and reported it through our bug bounty program.
We would therefore really like to thank Statemind Auditing Firm for the amazing work in discovering and reporting the vulnerability!