The Shezmu protocol was hacked on September 20, 2024, in two isolated incidents involving shezUSD and shezETH at 07:21:59 PM UTC and 10:55:47 UTC. Two different exploiter addresses collectively stole 509.34 ETH and 9447 DAI worth nearly $1.25 million during the time of the exploit. Shezmu is an Ethereum lending platform where users can borrow against their NFTs and yield-bearing assets (vaults). First, users deposit the collateral asset into a qualifying vault contract and receive shares. Later, the vault shares are used to borrow shezUSD (or shezETH). The vulnerability lies in the collateral contract (0x6412…924), where anyone can mint the collateral out of thin air. As collateral could be minted in large quantities (infinite mint bug), it could be deposited in the ERC20 vault (0x5924…e9c) and used to borrow shezETH / shezUSD against it. Thus draining the protocol’s shezETH and shezUSD liquidity pool.
Due to the protocols' lack of immediate response, the shezETH pools were drained, as both incidents happened at more than a 3-hour interval.
ShezUSD pools were exploited for 9447 DAI and 177.377 WETH, while the shezETH suffered much larger losses of 331.977 WETH.
Post the exploit, a few hours later, on September 21, The protocol team offered a 10% bounty to the hackers. A few hours later, the project recovered nearly 419.18 WETH and 9346 DAI on September 21, 2024, at 12:49:11 AM UTC, with a 20% whitehat bounty.
There are no clear insights into how the vulnerability was introduced, as the contract code is not verified publicly. The unverified nature of the contract raises concerns about the contract's credibility.
The vulnerable ERC20 collateral contract was deployed to mainnet Ethereum on September 3, 2024, at 12:40:35 AM UTC (3 weeks before the exploit) by 0xb18….7f0a. The vulnerable contract with the infinite mint bug allowed the minting of collateral in large amounts that can be deposited to the ERC20 vaults for borrowing shezETH / shezUSD. It is unclear how the mint function works in the collateral contract, but it does not have necessary access controls and allows anyone to mint the collateral that can be used to borrow shezETH.
Attacker 1: 0xfAf2…..4331
The attacker has a long history with his wallet. It wasn’t a usual reusable wallet funded by tornado cash. The wallet was funded for the first time nearly 329 days ago, and those funds were re-used to exploit the contract. It also has incoming transactions from the Binance exchange. The exploiter deployed the helper contract (0xb74….646a) on Sep-20-2024 07:21:59 PM UTC. Post-deployment, the first exploit happened 9 minutes later on Sep-20-2024 07:30:59, where the exploiter minted 700,000 collateral tokens (0x641….7924), which was then added to the ERC20 vault (0x75a….e478) using the addCollateral function. After adding collateral, the borrow function is invoked to borrow 693,000 shezUSD against the 700,000 collateral posted.
Five minutes later, on Sep-20-2024, at 07:35:47 PM UTC, the hacked 500,000 shezUSD tokens were swapped to 134.63 WETH on the curve. Three minutes later, at 07:38:23 PM UTC, 10,000 shezUSD was swapped to 9,446.53 DAI using a balancer.
A few minutes later, on Sep-20-2024, at 07:39:47 PM UTC, the remaining 183,000 shezUSD was swapped to 42.74 WETH on the curve.
After swapping, the exploiter minted a total of 1,386,000 shezUSD again in two separate transactions on Sep-20-2024, 07:44:59 PM UTC, and Sep-20-2024, 07:55:35 PM UTC.
But these tokens were never swapped / moved out of the exploiter wallet.
Attacker 2: 0x089…..c869
Nearly three hours after the initial exploit involving the shezUSD token, a subsequent exploit happened on the shezETH token, where the same vulnerability was exploited, resulting in further damage to the protocol.
This wallet was funded for the first time nearly 577 days ago, and those funds were re-used to exploit the contract. The wallet has connections to the Hotbit exchange and Curta CTF.
The helper contract was deployed and the exploit happened simultaneously on Sep-20-2024 10:55:47 PM UTC. Possibly the exploitable calldata might be passed on to the constructor. Looking into the internal calls, it can be noticed that the exploit followed the same pattern as the first exploiter where, firstly, a large number of collateral ERC20 tokens were minted, exploiting the infinite mint bug in the collateral contract.
Post minting, the addCollateral method on the ERC20Vault contract is called to deposit the newly deposited collateral into the vault contract. After adding collateral, the borrow function of the same contract is called to borrow 9900 shezETH against the previously deposited collateral minted out of thin air.
Now, the exploiter dumped the 9900 shezETH for 331.978 WETH on curve.
The two exploiters' funding mechanisms are through KYC exchanges.
Attacker 1: 0xfAf2…..4331
This wallet was the primary receiver of the exploited shezUSD tokens. However, the transactions were funded by 0x13A99ECCF9F4f1727a6218754b6667aA5113c731, funded nine days ago by the same attacker wallet and initially funded by Binance through withdrawal.
Post exploit, the funds were swapped to WETH, and DAI was held in the attacker's wallet and was negotiated for a whitehat bounty. The project initially offered a 10% whitehat bounty. Post-negotiation, they settled for a 20% bounty, and the exploited funds were returned to the Shezmu treasury address in multiple transactions.
Attacker 2: 0x089…..c869
This wallet was initially funded by the Hotbit exchange approximately 577 days before the exploit. The same funds were used to conduct the exploit. The exploited funds (shezETH swapped to WETH) were never moved out of this wallet and were also returned to the project treasury after a 15% bounty. However, there were no white hate negotiations to this specific address, indicating the possibility of the same hacker.
There were two isolated incidents, with a 3-hour gap between them. The issue was first reported on Twitter by a user, Chaofan Shou, on September 21, 8:34:00 UTC, almost an hour after the exploit.
Twenty minutes later, the team confirmed to their users about the exploit on September 21 at 08:54:00 UTC. However, for the next two hours, no containment measures were in place, leading to the next exploit two hours later.
Consider adding on-chain monitoring & alerts to monitor all critical invariants.
The project should monitor all large deposits of collateral and actively should’ve monitored them.
Monitor the token price impact. The token got dumped at 7:21:00 UTC, but the project was not aware of the incident for a long time.
Consider building an emergency pause toolkit or mechanism. The project was not able to pause operations in a timely manner.
Consider auditing the contract. The deployed contract looks unaudited and unverified. Unverified contracts are more susceptible to hacks and are not immune to hacks.
Consider running a bug bounty program. The project has no whitehat bounty programs.
This is a detailed event log of all on- and off-chain actions by exploiters, incident responders, ecosystem, social media (where relevant to the incident), etc. All times are in UTC.
2024-09-20 19:18:59 - 0xfAf….4331 (Attacker) funded 0.1 ETH to 0x13A…c731 (Attack Helper)
2024-09-20 19:21:59 - 0x13A…c731(Attack Helper) deployed 0xb74….646a (Helper Contract)2024-09-20 19:30:59 - 0x13A…c731(Attack Helper) sends first exploit using 0xb74….646a (Helper Contract) and mints 693,000 shezUSD to 0xfAf….4331(Attacker) [tx]
2024-09-20 19:35:47 - 0xfAf….4331(Attacker) swaps 500,000 shezUSD to 134.637 WETH [tx]2024-09-20 19:38:23 0xfAf….4331(Attacker) swaps 10,000 shezUSD to 9446.5 DAI [tx]2024-09-20 19:39:47 0xfAf….4331(Attacker) swaps 183,000 shezUSD to 42.74 WETH [tx]
2024-09-20 20:31:00 Chaofan Shou first announced the hack on X [link]
2024-09-20 20:55:00 Shezmu announced the hack on X [link]
2024-09-20 22:23:35 Shezmu reached out to 0xfAf….4331 (Attacker) with 10% bounty [tx]
2024-09-20 22:27:00 Shezmu announced the 10% bounty on X [link]
2024-09-20 22:55:47 0x089….c869 (Attacker 2) exploits shezETH using 0x5f0…4d70 (Attacker 2 Helper) and minted 9900 shezETH and swapped it to 331.977 WETH [tx]
2024-09-21 00:49:11 0x089….c869 (Attacker 2) transfers 282.18 WETH to 0xfAf….4331 (Attacker) [tx]
2024-09-21 02:15:47 0xfAf….4331 (Attacker) negotiates for 20% bounty with Shezmu [tx]
2024-09-21 02:20:59 Shezmu accepted 20% bounty and shared treasury address [tx]
2024-09-21 03:06:23 0xfAf….4331 (Attacker) transfers 9341.57 DAI to treasury [tx]
2024-09-21 03:22:47 0xfAf….4331 (Attacker) transfers 137 WETH to treasury [tx]
Attacker Addresses:
Attacker 1: 0xfAf2…..4331
Attacker 2: 0x089…..c869
P.S. No exchange deposits/fund mixing detected.