Lend Exploit Post-Mortem

0xC938
March 7th, 2022

Summary

​​​Around 12:46 UTC on March 5th, 2022, a contract on the Ethereum mainnet exploited a previously unknown reentrancy in the bHOME Pan Lend method. The BaconCoin team was alerted, found the issue, and patched the contract within three hours of the initial exploit. The BaconCoin team quickly re-audited the contract and is also working with new, outside auditors to thoroughly verify the contracts.

​​​​Because most of the value of bHOME is held in the value of real-world homes and loans, only a small percentage of the total value was at risk. The funds at risk were only the amount held back in the Pan by the AMM for liquidity to bHOME holders. The loans, homes, and borrowers that maintain the core of bHOME’s value were naturally not affected by this event. This event showed the power of bHOME to bring real-world stability to crypto even in the face of a smart contract exploit.

​​​​The exploit contract convinced the Pan into sending 957,166 USDC out of the protocol. A second exploit was prevented by a white hat group who returned the 34,232 USDC they received. These changes caused the price of bHOME to temporarily unpeg and decrease to $0.86.

​​​​As of March 6th, the BaconCoin team has deposited 991,441 USDC into the BaconCoin multi-sig at

that will be used to recapitalize the protocol. The protocol will be controlled manually by the BaconCoin team for a short time while the event is further investigated and any necessary contract changes are found and made.

​​​To reduce the risk of loss of value in the future, changes will be proposed to simplify the protocol and reduce the amount of value held directly in the smart contracts. BaconCoin team has always felt that relying on battle tested systems already in the ecosystem to keep the BaconCoin-specific footprint as small and simple as possible is the best way to reduce smart contract risk.

Actions to prevent this from happening e​​ver again

  • ​​Complete new audits with a new smart contract auditor and fix any issues quickly.

  • ​​Open source the contract code to get extra inspection from the security community.

  • ​​Create a new bug bounty program to create incentive for community devs to report major issues.

  • ​​The community has started a proposal for the BaconCoin DAO to partner with a smart contract insurer.

  • ​​Convert bHOME and BACON to pure ERC-20s from ERC-777.

  • ​​Change the protocol to not hold as much USDC in the Pan and hold higher percentage of value off-chain in real-world homes.

  • ​​Make bHOME a pure stable coin and use existing exchanges (DEX and CEX) to handle USDC/bHOME transactions. bHOME returns would be received by staking and claiming.

  • ​​Publish a detailed roadmap with more specifics about the changes and their timeline.​

Exploit Description​

​​​On Mar 5th, 2022 at 12:46 PM UTC in transaction 0x7d22…cf31, a newly deployed contract exploited the bHOME Pan's Lend & Redeem functions.

​​​​The immediate cause of the exploit was the Lend function issuing bHOME tokens before properly recalculating and setting the poolLent variable which tracks the amount of money in the Pan. See on line 3 of the function that poolLent is updated after the bHOME tokens are minted and sent to the receiver. poolLent contains the TVL of the contract and is used to calculate the price of bHOME that is used during deposit and withdraw operations.

Incorrect Lend Function
Incorrect Lend Function

The exploit contract used a 6,360,000 USDC flash loan to make three equal Lend calls of 2,120,000 each. As soon as one Lend call had minted bHOME to the attacker, another Lend was sent before the poolLent variable was updated. This effected the bHOME price calculation on the following Lend calls.

​​​Because the price was calculated as the value of the pool divided by the total supply of bHOME, by calling Lend after the total supply counter had increased but before the value of the pool had, the exploit contract was able to mint a disproportionate number of bHOME tokens. Before the correct bHOME price was resolved, the contract redeemed those bHOME for more USDC than it deposited.

​​​​The team quickly went to work and deployed a hotfix to the bHOME contract to update poolLent before minting the new bHOME and updating the total supply. See the updated function here.

Patched Lend function
Patched Lend function

​​​The issue with the contract was identified, patched, and thoroughly tested within a few hours of the initial exploit transaction. The team is confident that this issue is no longer exploitable and the contract and protocol are stable and secured.​​

Timeline​

​​​March 5, 2022

  • ​​12:46 PM UTC - Transaction 0x7d22…cf31 executed on mainnet and exploited the reentrancy. 
  • ​​12:56 PM UTC - BaconCoin team first alerted to the issue.
  • ​​1:00 PM UTC - BlockSec identified the exploit and notified Etherscan and others to blacklist the exploit wallet. See https://twitter.com/BlockSecTeam/status/1500093929760632837.
  • ​​4:33 PM UTC - A second exploit was attempted and preempted by BlockSec’s automated system. See transaction  0xc161....739c which failed because it was preempted by 0xf3bd....bbd1.
  • ​​4:46 PM UTC - A patch for the issue was deployed to the bHOME contract in transaction 0x1fed….f26a.
  • ​​8:00 PM UTC - BaconCoin team completed quick reaudit of contracts for other reentrancy issues.

​​March 6, 2022

  • ​​Ongoing review, audit, and securing of the contracts with help of outside security and audit teams.

​​March 7, 2022

  • ​​2:00 AM UTC - BaconCoin team placed 991,398 USDC into a multisig to be used to recapitalize the protocol.

​​Week of March 7th

  • ​​BaconCoin team to continue to review the protocol, recapitalize the contracts, and communicate a roadmap for preventative actions clearly to community.​​

​Causes

  • ​​Reentrancy issue in the Lend method in the bHOME Pan contract.

  • ​​Use of the ERC-777 standard which calls tokenReceived on untrusted contracts.

  • ​​The BaconCoin team did not find the reentrancy issue during development, testing, and review.

  • ​​Failure of the BlockHunter auditors to find the reentrancy issue during two audits.

  • ​​Holding excess USDC in the Pan smart contract.

  • ​​Lack of incentive for exploiters to notify the developers or community.

Conclusion​

​​​While it is always concerning to have had a contract exploited, this event showed the power of holding the protocol’s value in real-world homes. A small percentage of the TVL was at risk and able to be exploited.

​​​​The BaconCoin team worked quickly to secure the contract within hours. Some of the funds have been recovered and the rest are still being sought. In the meantime, the BaconCoin team has deposited the full amount of lost funds in a multi-sig to be used to recapitalize the protocol.

In order to make sure this kind of event never happens again, we are planning changes to simplify the protocol, improve the contract security, reexamine the development process, and involved the community in protecting the protocol. A detailed roadmap will be published in the next few days after careful review.

​​

Arweave TX
YC7iB7BB6c4n0r8P2SDyqg7PYP7UvlDEvGLXJMesKic
Ethereum Address
0xC9380Eb3bA8a6D02DB426119942A25EEaD8A12E6
Content Digest
LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0