battleradar39

 Location: Russellville, Oklahoma, United States

 Website: http://b3.zcubes.com/bloghome.htm

 User Description: Unlike the attack early on the 29th, which simply exploited a contract vulnerability, this time the hacker cleverly used the Compound financial model and created a large number of COMP tokens out of nothing.

Original title: "Is there another for DeFi? The Balancer is attacked again"
Written by: CertiK

After CertiK captured the Balancer attack at 2 am on June 29 ("Empty Glove Ether: Balancer Attack Analysis"), the CertiK Skynet system detected, at 8 pm and 11:23 pm Beijing time on June 29, two more Balancer DeFi contracts with similar characteristics behaving abnormally. The two anomalies occurred in block 10360609 and block 10361515. Unlike the attack at 2 am on the 29th, which simply exploited a contract vulnerability, this time the hacker cleverly used the Compound financial model and created numerous COMP tokens out of nothing. The star DeFi project was attacked three times in one day, leaving supporters worried about the future of the whole DeFi market.

Event overview

On June 29, the attacker borrowed tokens through a dYdX flash loan and minted cTokens with them, obtained cWBTC and cBAT through a Uniswap flash loan, and then traded the borrowed tokens in large volume in the Balancer token pool. This triggered the airdrop mechanism of the Compound protocol, which paid airdropped COMP tokens into the pool. The attacker then used Balancer's vulnerable gulp() function to update the pool's recorded token balances, removed all tokens, and repaid the flash loans. By combining the Compound protocol's financial model, flash loans and the Balancer code vulnerability, the attacker created COMP out of nothing, for a total profit of approximately 11.5 ETH.

CertiK analysis: profile of the attacker

The two attacks at 8 pm and 11 pm on June 29 used the same technique and the exact same payment address, which confirms them as the work of one team. Although these two attacks and the 2 am attack on the 29th all used the gulp() function of the Balancer contract, the attack methods differed: the latter two exploited a weakness in Compound's financial model rather than a pure code vulnerability. In addition, the profits of the last two attacks were much smaller than the profit of the first, and the hacker who carried out the first attack would have had no reasonable motive to repeat it this way. CertiK therefore judged that the last two attacks were imitation attacks, using similar principles, launched 14 hours after the first.

New DeFi security challenge

This attack mainly exploited a vulnerability in the design of the financial model rather than a vulnerability at the code level. This new attack mode, bred by the DeFi market, renders useless the "code audit" service that is the only service most blockchain security companies offer. Old-fashioned security technologies that look only at the code level and cannot analyze the abstract model cannot cope with the new challenges brought by DeFi at all, and DeFi without model-level protection is reduced to an ATM for hackers who understand DeFi financial models.

Do DeFi security warnings do more harm than good?

This imitation attack has led many people to question blockchain security companies: will the analysis articles published by security companies teach more people how to attack? Why have the various security warnings not improved the security environment? Do we need security warnings at all?

The answer is that security warnings are not only necessary, they must also be faster and deeper. Unlike traditional software systems, all transactions and all contract calls on the blockchain are open and transparent. After an attack, the transaction records on the blockchain are the most straightforward textbook for hackers. Blockchain security organizations must issue early warnings before imitation attacks in order to protect the businesses concerned. Nevertheless, the recent frequent attacks prove once more that security early warning is far from enough and cannot by itself change the existing security status of DeFi, or of the blockchain as a whole.

Is there still a chance for DeFi security?

To fundamentally change the security status quo of DeFi, we must introduce new security mechanisms for new kinds of smart contracts (such as DeFi and IoT). Such a mechanism must be able to perform model-level analysis, must be able to adapt to the development of new types of contracts, and should attempt to intercept an attack while it is in progress instead of warning after it. The CertiK team has been working day and night to develop a new secure DeFi mechanism based on CertiK Chain: CeDeFi (Certified DeFi), that is, trusted DeFi, which may completely change the current passive security status quo in the future.

Take the attack on Balancer at 11 pm as an example:

Step 1: Borrow three tokens, WETH, DAI and USDC, through a flash loan from dYdX, in amounts of 103067.20640667767, 5410318.972365872 and 5737595.813492 respectively.
Step 2: Use the tokens obtained in step 1 to mint the three cTokens cETH, cDAI and cUSDC.
Step 3: Use Uniswap flash loans to borrow and mint cWBTC and cBAT tokens.
Step 4: Bring the obtained cWBTC and cBAT into the token pool. At this point the attacker holds 4955.85562685 cWBTC and 55144155.96523628 cBAT.
Step 5: Use cWBTC and cBAT to conduct a large number of trades in the token pool, thereby triggering Compound's airdrop operation, which distributes the unattributed COMP to the token pool.
Step 6: Call the gulp() function to synchronize the current COMP balance into the Balancer smart contract, then exit the pool with the cWBTC, the cBAT and the additional COMP that was added to the token pool. On exit the attacker still holds 4955.85562685 cWBTC and 55144155.96523628 cBAT, but because of the additional COMP generated by the large number of trades in the token pool, the attacker has also obtained extra COMP tokens. At this point the attacker can also choose to enter other token pools directly and reuse steps 1 to 6 to obtain further COMP.
Step 7: Repay the flash loans from Uniswap and dYdX and leave the market.
Step 8: The attacker can reuse the same method (steps 1 to 7) against other token pools. The attack mechanism is comparable, but the kinds of tokens borrowed through flash loans and used in the attack differ slightly.

Reference links: news; Chinese news; original analysis; attack transaction history at 8 pm on the 29th; attack transaction history at 11 pm on the 29th.
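The article argues that warnings issued after the fact are not enough and that attacks of this shape should be caught while they are in progress. The step sequence above has a distinctive signature that a monitoring pipeline can look for: a flash-loan-funded join, a burst of swaps, a gulp() and an exit, all performed by one caller against one pool inside a single transaction, whereas an ordinary liquidity provider joins and exits in separate transactions blocks or days apart. The following detector is an added example written for this page, not code from CertiK or from Balancer. Its input is a constructed per-transaction call trace; the record fields and the action labels (flashloan_borrow, join, swap, gulp, exit, flashloan_repay) are assumptions made for the example and are not the real Balancer or Compound event names, and the block numbers and addresses are made up.

```python
"""Heuristic detector for atomic join -> swaps -> gulp -> exit pool manipulation.

Runs over a constructed call trace (not real chain data). One record per
internal call; field names and action labels are assumptions for this example.
"""
from collections import defaultdict

# Constructed sample trace. Block numbers, tx hashes and addresses are made up.
SAMPLE_TRACE = [
    # Transaction A: flash-loan funded join, 40 swaps, gulp, exit and repay,
    # all by one caller inside a single transaction.
    {"tx": "0xa1", "block": 9000001, "caller": "0xatk", "action": "flashloan_borrow", "pool": None},
    {"tx": "0xa1", "block": 9000001, "caller": "0xatk", "action": "join", "pool": "0xpool"},
    *[{"tx": "0xa1", "block": 9000001, "caller": "0xatk", "action": "swap", "pool": "0xpool"}
      for _ in range(40)],
    {"tx": "0xa1", "block": 9000001, "caller": "0xatk", "action": "gulp", "pool": "0xpool"},
    {"tx": "0xa1", "block": 9000001, "caller": "0xatk", "action": "exit", "pool": "0xpool"},
    {"tx": "0xa1", "block": 9000001, "caller": "0xatk", "action": "flashloan_repay", "pool": None},
    # Transactions B and C: an ordinary liquidity provider joins and exits far apart.
    {"tx": "0xb2", "block": 8990000, "caller": "0xlp", "action": "join", "pool": "0xpool"},
    {"tx": "0xc3", "block": 9010000, "caller": "0xlp", "action": "exit", "pool": "0xpool"},
    # Transaction D: a keeper calls gulp on its own to sync recorded balances.
    {"tx": "0xd4", "block": 9000500, "caller": "0xkeeper", "action": "gulp", "pool": "0xpool"},
    # Transaction E: join and exit in one tx, but no gulp and no flash loan.
    {"tx": "0xe5", "block": 9000600, "caller": "0xbot", "action": "join", "pool": "0xpool"},
    {"tx": "0xe5", "block": 9000600, "caller": "0xbot", "action": "exit", "pool": "0xpool"},
]


def group_by_tx(trace):
    """Group call records by transaction hash, preserving call order."""
    txs = defaultdict(list)
    for rec in trace:
        txs[rec["tx"]].append(rec)
    return txs


def detect_atomic_gulp_exit(trace, swap_threshold=10):
    """Flag transactions in which one caller joins a pool, gulps and exits atomically.

    Severity is raised to "high" when the transaction is funded by a flash loan
    or when the number of swaps between join and exit reaches swap_threshold,
    since a burst of swaps is what triggers the external reward distribution
    that gulp() then pulls into the pool's accounting.
    """
    findings = []
    for tx, calls in group_by_tx(trace).items():
        tx_actions = [c["action"] for c in calls]
        for pool in {c["pool"] for c in calls if c["pool"]}:
            pool_actions = [c["action"] for c in calls if c["pool"] == pool]
            if not {"join", "gulp", "exit"} <= set(pool_actions):
                continue
            first_join = pool_actions.index("join")
            last_exit = len(pool_actions) - 1 - pool_actions[::-1].index("exit")
            window = pool_actions[first_join:last_exit]
            # The gulp must sit between the join and the final exit to matter.
            if "gulp" not in window:
                continue
            swaps = window.count("swap")
            flash_funded = "flashloan_borrow" in tx_actions
            severity = "high" if flash_funded or swaps >= swap_threshold else "medium"
            findings.append({
                "tx": tx,
                "block": calls[0]["block"],
                "caller": calls[0]["caller"],
                "pool": pool,
                "swaps": swaps,
                "flash_funded": flash_funded,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_atomic_gulp_exit(SAMPLE_TRACE):
        print(finding)
```

Only transaction A is reported: the keeper's stand-alone gulp (D), the long-lived liquidity provider (B and C) and the churning bot that never calls gulp (E) all fall through. In a real deployment the trace would come from a node's transaction tracing output and the heuristic would be one signal among several, since a legitimate contract could in principle compose these calls; it is a way to surface a candidate during or immediately after the block, rather than in a post-mortem.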
