Synapse Bridge - What It Is & How To Use It

Introduction

On November 7 (UTC/GMT+08:00), Knownsec Blockchain Lab detected an attack on the cross-chain bridge of Synapse Protocol, in which the attacker managed to lower the nUSD Metapool virtual price and make a profit of approximately $8 million.

Knownsec Blockchain Lab promptly tracked and analyzed the event in depth.

Analysis

As shown below, the flaw behind the attack was not in the Synapse bridge itself but in the Metapool contract developed by Saddle.

Before we get into the details of the attack, let’s take a look at what Metapool is.

The stable swap implementation developed by Curve includes two types of pools, namely Standard Stableswap pools and Metapools.

Basic information

The attacker:

0x3ab92d06f5f2a33d8f45f836607f8da68cab81e8

Attack tx:

0xe2f66358873553990911c15d2bbe8ffea72ddba86dfa64e32cde7ae998f09f35
0x415d4ad8c6237b6d110fc0ea66f0d1b4a3f13ac196ac5b708b037c07c83d69f2

Vulnerable contract:

https://github.com/saddle-finance/saddle-contract/blob/master/contracts/meta/MetaSwapUtils.so

Process

1. The attacker calls the swap() and removeLiquidityOneToken() functions on Metaswap.sol through Firebird Router to exchange nUSD for NUSD-LP tokens, then removes the NUSD-LP to obtain USDC.

2. The attacker uses the USDC to add liquidity through the addLiquidity() function in the MetaswapDeposit contract, receiving nUSD-LP in exchange.

3. The attacker uses the removeLiquidityOneToken() function in the MetaswapDeposit contract to remove liquidity, exchanging the nUSD-LP for nUSD, and then repeats the cycle to continue the arbitrage.

Details

In Metapool, the user can directly exchange asset D for A, B, or C. However, when D is exchanged for the LP token of A, B, and C, the Saddle Metaswap contract omits the check that calculates the base virtual price of the LP token. See line 424 of the Metaswap contract for details.

Since adding liquidity and removing a single token from the pool are essentially the same as exchanging, the corresponding logic is at line 277 of the MetaSwapUtils contract. Line 276 determines whether the token being exchanged is an LP token and, if it is, calculates the base virtual price of the LP token.

The omitted check allowed the attacker, 0x3ab92d06f5f2a33d8f45f836607f8da68cab81e8, to trade in a continuous loop; the attack process described above is the last round of these looped transactions. Each round increased the number of nUSD-LP tokens, reduced the Metapool virtual price, and let the attacker remove more nUSD tokens from nUSD-LP.
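The pricing mismatch described in this section can be turned into a round-trip regression check: a swap into the base LP token followed by the way back should never return more nUSD than went in. The sketch below is an added example on a simplified two-coin StableSwap model, not code from Saddle, Synapse, or the original analysis. Assumptions: the amplification coefficient, balances, and base virtual price of 1.02 are constructed values, fees are omitted, and the return leg is modelled as a swap that applies the virtual price, following the statement above that adding and removing liquidity is essentially an exchange.

```python
A = 100  # amplification coefficient (assumed); simplified model, not Saddle's code

def get_d(xp):
    """StableSwap invariant D for two balances, by Newton iteration."""
    s, d, ann = sum(xp), sum(xp), A * 2
    for _ in range(64):
        d_p = d * d / (2 * xp[0]) * d / (2 * xp[1])
        d = (ann * s + 2 * d_p) * d / ((ann - 1) * d + 3 * d_p)
    return d

def get_y(x, d):
    """Balance of the other coin that keeps invariant d when one coin holds x."""
    ann = A * 2
    c = d * d / (2 * x) * d / (ann * 2)
    b, y = x + d / ann, d
    for _ in range(64):
        y = (y * y + c) / (2 * y + b - d)
    return y

class MetaPool:
    def __init__(self, nusd, base_lp, base_vp):
        self.bal = [nusd, base_lp]  # index 0: nUSD, index 1: base-pool LP token
        self.vp = base_vp           # base pool virtual price (USD per LP token)

    def invariant(self):
        """D with the LP balance valued at the base virtual price."""
        return get_d([self.bal[0], self.bal[1] * self.vp])

    def swap(self, i, dx, use_vp):
        """Swap dx of coin i for coin 1-i; use_vp=False models the omitted check."""
        rate = [1.0, self.vp if use_vp else 1.0]
        xp = [self.bal[0] * rate[0], self.bal[1] * rate[1]]
        j = 1 - i
        y = get_y(xp[i] + dx * rate[i], get_d(xp))
        dy = (xp[j] - y) / rate[j]
        self.bal[i] += dx
        self.bal[j] -= dy
        return dy

def round_trip(swap_uses_vp, nusd_in=10_000.0):
    """Swap nUSD -> base LP, then back with vp applied; returns (nUSD out, change in D)."""
    pool = MetaPool(1_000_000.0, 1_000_000.0, base_vp=1.02)  # constructed state
    d0 = pool.invariant()
    lp = pool.swap(0, nusd_in, use_vp=swap_uses_vp)
    out = pool.swap(1, lp, use_vp=True)
    return out, pool.invariant() - d0

if __name__ == "__main__":
    print("omitted check:", round_trip(False), "with check:", round_trip(True))
```

With the virtual price left out of the swap leg, the round trip returns more nUSD than it consumed and the pool invariant falls by about the same amount; with it applied on both legs, both differences vanish up to floating-point error.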

After the incident, the project's official team posted updates on the progress of the attack on the bridge. Because the team was online throughout and responded quickly, the hackers had no opportunity to transfer funds across the chain: the team would not process the hackers' transactions, and the lost Synapse nUSD would be fully returned to the affected liquidity providers.

As of now, the Synapse Protocol network has resumed normal activity and cleared the backlog of transactions. In response to this incident, the Stableswap contract was replaced by the Metapool contract as the new nUSD capital pool to ensure security. Unaffected liquidity providers will need to unwind their staked positions and withdraw liquidity from the old pools to facilitate subsequent operations.

Summary

The core reason for the Synapse bridge attack was that the external AMM computing contract Metapool did not check the base virtual price calculation of LP tokens, allowing the attacker to reduce the Metapool virtual price through circular transactions and withdraw funds from LP, thus acquiring approximately $8 million in nUSD assets.