First release | DeFi project Based smart contract has a loophole, what happened?

"It's never too late to fix it" is a saying that holds true most of the time in life. However, in the face of network security, a breach may cause irreparable losses.

To be discovered before security issues cause irreparable losses, or to be fully prepared from the very beginning, is the first priority of security as a blockchain practitioner.

On the afternoon of August 14th, Beijing time, the CertiK security technology team found that the DeFi anonymous farming project Based officially announced that an attacker had frozen Pool 1 by calling a function in the Based smart contract, and announced that it would redeploy its Pool One.

LBANK Blue Shell launched DORA at 18:00 on March 22, and opened USDT trading: According to the official announcement, at 18:00 on March 22, LBANK Blue Shell launched DORA (Dora Factory), opened USDT trading, and is now open for recharge.

According to the data, Dora Factory is a Polkadot-based DAO-as-a-service infrastructure, an open and programmable on-chain governance protocol platform based on Substrate, and provides quadratic voting, curve auctions, and Bounty for a new generation of decentralized organizations and developers. Pluggable governance functions such as incentives and cross-chain asset management. At the same time, developers can submit new governance modules to this DAO-as-a-service platform and receive continuous incentives. [2021/3/22 19:07:06]

The official tweet stated that hackers tried to freeze "Pool1" permanently, but the attempt failed. And "Pool1" will continue as planned.

First release | Baidu’s financial report reflects that the blockchain BaaS platform has become a new strategic focus: Jinse Finance reported that on February 28, 2020, Baidu (stock code BAIDU) announced its financial report, which separately described the progress related to the blockchain BaaS platform. The blockchain platform based on Baidu Smart Cloud is expected to become a new growth engine in the direction of technological innovation. In terms of AI services, Baidu has reached a cooperation with Shanghai Pudong Development Bank to jointly build a blockchain alliance and realize cross-bank information verification on the Baidu Blockchain Service (BaaS) platform. [2020/2/28]

By analyzing the smart contract, CertiK believes that the freezing of the No. 1 pool of the Based project was an accident caused by a smart contract loophole.

News | Credible Educational Digital Identity Launched in Baiyun District, Guangzhou Using blockchain and other technologies: On December 25, the launch ceremony and application seminar of the Trusted Educational Digital Identity (Education Card) Guangdong Province application pilot was held in Baiyun District, Guangzhou.

According to reports, the credible education digital identity integration adopts core technologies such as domestic encryption and blockchain, and innovatively issues integrated digital identities under the network environment of "cloud computing, edge computing, and mobile computing", realizes integrated key management, and builds " Trusted Educational Identity Chain". (China News Network) [2019/12/25]

The Based team deployed the No. 1 pool smart contract, and the deployment address is 0x77caF750cC58C148D47fD52DdDe43575AA179d1f.

Based officially declares the owner of the smart contract by calling the renounceOwnership function in the smart contract, but does not initialize the smart contract.

First Release | Liu Yao: Baidu Blockchain launched the Tianlian platform to empower on-chain business: On December 20, the "2019 China Blockchain Developers Conference" hosted by CSDN was held in Beijing on December 20. Liu Yao, head of Baidu Smart Cloud blockchain products, gave a speech on the theme of "Enterprise Blockchain Empowers Industrial Innovation Landing". He pointed out that 2020 will be the first year for blockchain enterprises to land. With the implementation of the blockchain industry, Baidu has upgraded the blockchain to a platform-based strategy, and launched the Tianlian platform relying on Baidu Smart Cloud, which is to empower 360's on-chain business innovation. [2019/12/20]

Because the initialize function in the Based smart contract is wrongly set to be called externally, during the process of initializing the smart contract, the smart contract of the No. 1 pool is initialized by an external attacker with a wrong value.

The wrong initialization made Based official unable to re-initialize the smart contract of the No. 1 pool, so the No. 1 pool was frozen, and any pledge could not be completed.

Based officially decided to abandon the smart contract and redeploy the No. 1 pool smart contract.  

1. After deploying the smart contract, the Based team did not call the initialize function in the following figure in time to initialize the settings of the smart contract:

2. The external caller took advantage of the time difference between the deployment and initialization of the smart contract by the Based team, and took the opportunity to call the initialize function in line 671 in the figure below whose call range was incorrectly set to initialize the smart contract of the No. 1 pool first:

3. The two initialize functions in the above figure are modified by the modifier of the initializer. According to the code, if one of the initialize functions is called, the other initialize function cannot be called. The initializer modifier code is shown in the figure below, which caused the official Base to lose the opportunity to initialize the function:

4. Based on the above factors, the Based smart contract cannot be officially initialized correctly, so any pledge cannot be performed.

Transaction record of pledge failure:

The incident was essentially caused by a vulnerability in the smart contract, but if the Based team noticed this vulnerability early and initialized the smart contract in advance, the danger could be completely avoided and the No. 1 pool would be frozen. Therefore, the CertiK security technology team makes the following recommendations:

When deploying smart contracts, tools such as command scripts needed to initialize smart contracts should be prepared, and smart contracts should be initialized in a timely manner to prevent attackers from preemptively initializing or maliciously manipulating smart contracts by taking advantage of the time difference between deployment operations and initialization operations.

Developers should be proficient in the operating principles and technical details of smart contracts, and should not blindly adopt other smart contract codes.

A professional third-party security team or internal security experts can be invited to audit its smart contract to ensure the security and reliability of the smart contract.

Tags：

Tron