Impossible Finance exploit root cause analysis
At around 4:40 AM UTC on Jun 21, $0.5M (229.84 ETH) was stolen from Impossible Finance.
Using a vulnerability in the LP contract, the hacker managed to swap IF into BUSD at about the same price 2 times in a row, which is usually “Impossible” because of the slippage.
As a result, the hacker took out about half a million dollars' worth of ETH through Anyswap.
Check out the Transaction Details on BscScan.
1. Borrowed a 233.3 BNB flash loan from PancakeSwap.
2. Swapped 65,140 IF token.
3. Created a FAKE token called AAA (BBB).
4. Created an LP with the FAKE token and IF.
5. Swapped 32,570 IF into 221,898 BUSD and another 32,570 IF into 221,898 BUSD using the IF router through the FAKE token LP.
6. Repeated steps 3 to 5.
7. Sold 556,384 BUSD for 1,731 BNB and repaid the flash loan.
The Root Cause
How does Impossible Finance make the impossible possible?
At step 5, the FAKE token was specially designed to call the swap() function of the LP contract, while the router calls the cheapSwap() function.
The swap() call, triggered by the FAKE token's transferFrom(), happened before the cheapSwap() call that updates the price, so the two swaps could be made at about the same price.
The original Uniswap LP contract includes an important check that enforces x*y=k. It’s missing in the cheapSwap() function.
With the K check missing, the impossible is now possible.
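The effect of the missing check can be reproduced in a small model. The following is an added example, not code from Impossible Finance, Uniswap or WatchPug: a fee-free constant-product pair in Python with constructed reserves, where `Pair`, `cheap_swap` and `replay` are hypothetical names and the assumption is that the outer leg's output amount was quoted before the nested swap() settled.

```python
# Added illustration, not Impossible Finance or Uniswap code. Fee-free integer
# model of a constant-product pair; all reserves and amounts are constructed.

class Pair:
    def __init__(self, reserve_in, reserve_out):
        self.reserve_in, self.reserve_out = reserve_in, reserve_out  # last synced
        self.balance_in, self.balance_out = reserve_in, reserve_out  # actual holdings

    def quote(self, amount_in):
        """Output a router would compute from the currently synced reserves."""
        return self.reserve_out * amount_in // (self.reserve_in + amount_in)

    def _settle(self, amount_in, amount_out, enforce_k):
        new_in = self.balance_in + amount_in
        new_out = self.balance_out - amount_out
        # Uniswap-style invariant: the product of the new balances must not
        # drop below the product of the reserves recorded before this swap.
        if enforce_k and new_in * new_out < self.reserve_in * self.reserve_out:
            raise ValueError("K")
        self.balance_in, self.balance_out = new_in, new_out
        self.reserve_in, self.reserve_out = new_in, new_out

    def swap(self, amount_in, amount_out):
        self._settle(amount_in, amount_out, enforce_k=True)

    def cheap_swap(self, amount_in, amount_out):
        # Models the page's finding: same settlement, but no K check.
        self._settle(amount_in, amount_out, enforce_k=False)


def replay(second_leg_checked):
    """Quote once, settle a nested swap, then settle the outer leg with the stale quote."""
    pair = Pair(1_000_000, 1_000_000)
    amount_in = 100_000
    stale_out = pair.quote(amount_in)   # assumption: quoted before the nested swap
    pair.swap(amount_in, stale_out)     # nested swap(): passes the K check
    fair_out = pair.quote(amount_in)    # what the second leg should pay now
    leg = pair.swap if second_leg_checked else pair.cheap_swap
    try:
        leg(amount_in, stale_out)
    except ValueError:
        return ("reverted", stale_out, fair_out)
    return ("paid", stale_out, fair_out)
```

`replay(True)` returns `("reverted", 90909, 75757)` and `replay(False)` returns `("paid", 90909, 75757)`: with the invariant enforced, the stale 90,909 payout is refused because the fair amount after the first swap is only 75,757.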
WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. For smart contract auditing, please contact us on Twitter or Telegram.