Explained: The DeFi Protocol Pickle Finance Hack (Nov 2020)

The recent Pickle hack was caused by several design issues within the Pickle contract.  By combining these design flaws, the attacker was able to steal over 19 million cDAI from the DeFi protocol.

Pickle Jars are designed to store tokens, and have a particular type of token that they “want.”  However, in the course of normal business, these Jars can end up containing different types of tokens than their targets.

To help with this, Pickle’s Controller includes a function called swapExactJarForJar as shown above that enables token swaps between jars.  This functionality helps both Jars since they can each eliminate unwanted tokens and build their supply of their target token.

The problem with this function is that it doesn’t check the validity of the Jars presented to it.  The attacker used this function for two stages of their cyberattack.

StrategyCmpDAIV2 -> pDAI

This call to the function doesn’t remove any value from Pickle’s Jars.  Its goal is simply to move the value from the original Jar to the pDAI jar.

After performing this step, the attacker calls the pDAI.earn function three times.  This has the effect of placing over 19 million cDAI within the pDAI jar, setting it up for the next stages of the attack.

EvilJar -> EvilJar

The second call to swapExactJarForJar isn’t intended to transfer any value at all.  It uses a fake, attacker-controlled Jar as the source and destination of the swap.  Additionally, it sets a swap value of zero.

The goal of this second call is to set a vulnerable CurveProxyLogic function as one of the targets.  When the swap is executed, this function is called with attacker-controlled data.

Exploitation of the previous issue only allows an attacker to place value in the Controller contract, not to extract it.  However, a vulnerability in a CurveProxyLogic function enables the attacker to inject a call to Uniswap or CurveProxyLogic contracts.

The vulnerability is in the add_liquidity function shown above.  Towards the end of this function, a call is made to callData, which is built from user-controlled values.  This makes it possible to build a call to a function with zero or one arguments as follows:

• Create a smart contract with a malicious version of the balanceOf function that returns the address of that smart contract.
• Pass this smart contract to the add_liquidity function as address.
• Set curveFunctionSig to the signature value of a CurveProxyLogic function.
• Set curve to the address of the pDAI Jar’s Strategy contract.

The last two instructions of the add_liquidity function will build and execute the desired function call.  In the case of the November 2020 hack, this results in a call to the withdraw function in the pDAI Strategy that sends all “dust” within the Controller contract to the attacker’s contract.

The ability to call withdraw is not enough for this attack.  The withdraw function is configured not to allow the deposit token of the Jar to be extracted in this way.  The only type of token that can be extracted is “dust” or trace amount of other tokens that end up in the contract.

However, the pDAI Jar’s Strategy contract can hold cDAI, which it considers dust.  The Pickle attacker sent over 19 million cDAI to this contract using the swapExactJarForJar function, which they then extracted using the injected call to withdraw.  This results in the Controller holding the cDAI, which the attacker can then withdraw with a call to a malicious deposit function in the EvilJar.

After the Pickle hack was detected, the Pickle team and a group of cybersecurity experts worked to mitigate its impacts and close the vulnerability exploited by the attacker.  Ideally, this will protect Pickle against future attacks.

Since the attack, Pickle has announced a merger with Yearn Finance, which has also merged with a number of other DeFi projects.  While this may help to improve the functionality and security of these projects, this is far from guaranteed.  Of the six projects that have merged so far, three have been hacked already:

1. Yearn Finance lost $15 million in September 2020, when the unreleased project was hacked.
2. Akropolis was hacked in November 2020 for over $2 million in stablecoins
3. Pickle’s November hack for over $19 million in cDAI

Additionally, SushiSwap suffered from bad press due to an alleged exit scam by its creator Chef Nomi in early September.  Only Cover and Cream are currently in good standing.

A primary driver behind DeFi’s security issues is the mentality of “test in production,” which is openly espoused by Yearn’s Andre Cronje.  Until comprehensive security testing is part of the DeFi development process, these high-profile and high-value blockchain company hacks will only continue.