August 19th, 2022
On August 16 at approximately 9:30 AM EST, a vulnerability in Stader's NearX smart contract was exploited. The Stader team, together with Halborn, quickly contained the exploit and protected most funds.
The loss was estimated at ~165k NEAR and was limited to the DEX liquidity pools. The ~2.5M NEAR staked through the Stader dapp remained safe with the validators. Stader has demonstrated strong leadership and commitment to its users by announcing that it will fully reimburse LP users for their losses. More details here: https://twitter.com/stader__near/status/1559992693471604736
The technical nuances that led to the exploit are as follows:
When a contract reads a value from NEAR storage, the runtime deserializes a snapshot of it into a fresh object in runtime memory. Reading the same key a second time does not return that first object; it produces a second, independent copy, and neither copy is persisted until the contract explicitly writes it back. Stader's smart contract was written on the assumption that loading the same account record twice would yield a single shared object (a reference), not two copies.
Because of this, a token transfer whose sender and receiver were the same account produced two in-memory variables holding the same balance record. Both belonged to the sender, but one copy had the transfer amount subtracted while the other had it added. Both were then written back to storage, and because the increased balance was saved last, it overwrote the decreased balance that had just been saved. Each self-transfer therefore credited the attacker with the full transfer amount, allowing them to generate tokens out of thin air.
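To make the storage semantics concrete, here is an added example (not code from Stader's contract or from the original post) that simulates NEAR's deserialize-on-read, write-on-insert storage with a small in-memory stand-in, and puts a transfer written with the shared-object assumption next to one that completes each side's read-modify-write before touching the other. The `Storage`, `Account` and `ft_transfer_*` names and the `attacker.near` account are illustrative assumptions; the hardened variant follows the withdraw-then-deposit ordering of the NEP-141 reference implementation, which additionally rejects transfers where sender and receiver are the same account.

```rust
use std::collections::HashMap;

type Balance = u128;

/// Per-account record as the contract would persist it (illustrative).
#[derive(Clone, Debug, PartialEq)]
struct Account {
    balance: Balance,
}

impl Account {
    fn to_bytes(&self) -> Vec<u8> {
        self.balance.to_le_bytes().to_vec()
    }
    fn from_bytes(b: &[u8]) -> Account {
        let mut buf = [0u8; 16];
        buf.copy_from_slice(&b[..16]);
        Account { balance: Balance::from_le_bytes(buf) }
    }
}

/// Stand-in for NEAR contract storage (a key -> bytes trie behind a
/// LookupMap-style collection). Every `get` deserializes a fresh owned
/// value, so two reads of one key give two unrelated copies, and nothing
/// is persisted until `insert` writes the bytes back.
#[derive(Default)]
struct Storage {
    raw: HashMap<String, Vec<u8>>,
}

impl Storage {
    fn get(&self, key: &str) -> Option<Account> {
        self.raw.get(key).map(|b| Account::from_bytes(b))
    }
    fn insert(&mut self, key: &str, acct: &Account) {
        self.raw.insert(key.to_string(), acct.to_bytes());
    }
}

/// Vulnerable pattern: load both records, mutate both, then write both.
/// When sender == receiver the two locals are independent copies of one
/// record; the receiver copy is written last and overwrites the debit.
fn ft_transfer_vulnerable(st: &mut Storage, sender: &str, receiver: &str, amount: Balance) -> Result<(), String> {
    let mut s = st.get(sender).ok_or("sender not registered")?;
    let mut r = st.get(receiver).ok_or("receiver not registered")?;
    s.balance = s.balance.checked_sub(amount).ok_or("insufficient balance")?;
    r.balance = r.balance.checked_add(amount).ok_or("balance overflow")?;
    st.insert(sender, &s);   // debit persisted ...
    st.insert(receiver, &r); // ... then clobbered when receiver == sender
    Ok(())
}

/// Hardened pattern: the withdrawal is a complete read-modify-write before
/// the deposit starts, so the deposit reads the already-debited balance.
/// Rejecting sender == receiver outright is the other standard defence.
fn ft_transfer_fixed(st: &mut Storage, sender: &str, receiver: &str, amount: Balance) -> Result<(), String> {
    let mut s = st.get(sender).ok_or("sender not registered")?;
    s.balance = s.balance.checked_sub(amount).ok_or("insufficient balance")?;
    st.insert(sender, &s);
    let mut r = st.get(receiver).ok_or("receiver not registered")?;
    r.balance = r.balance.checked_add(amount).ok_or("balance overflow")?;
    st.insert(receiver, &r);
    Ok(())
}

/// Replay a self-transfer `rounds` times through the given transfer function
/// and return the attacker's final balance (constructed scenario).
fn self_transfer_rounds(
    transfer: fn(&mut Storage, &str, &str, Balance) -> Result<(), String>,
    start: Balance,
    amount: Balance,
    rounds: u32,
) -> Balance {
    let mut st = Storage::default();
    st.insert("attacker.near", &Account { balance: start });
    for _ in 0..rounds {
        transfer(&mut st, "attacker.near", "attacker.near", amount)
            .expect("a self-transfer passes every balance check");
    }
    st.get("attacker.near").unwrap().balance
}

fn main() {
    let minted = self_transfer_rounds(ft_transfer_vulnerable, 100, 100, 10); // 1100
    let honest = self_transfer_rounds(ft_transfer_fixed, 100, 100, 10);      // 100
    println!("vulnerable: 100 -> {minted}; fixed: 100 -> {honest}");
}
```

Running `main` shows the two outcomes side by side: ten self-transfers of 100 against the vulnerable function turn a balance of 100 into 1100, because every round persists the credited copy over the debited one, while the same calls against the fixed function leave the balance at 100. The simulated `Storage` is the whole point of the example: it has no notion of object identity, only bytes under a key, which is exactly why a contract cannot rely on two reads of the same key aliasing each other.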
Here is the full incident report from Stader Labs.
This was one of the rare occurrences where our audit relied on an assumption about how storage maps to runtime memory, and we only discovered that the assumption was wrong during the post-mortem and the review of the fix. As soon as the attack was discovered, Halborn and Stader worked together to identify the root cause, halt the contract, and deploy a fix. We have audited the fix and are confident that this exploit cannot recur.
As a cybersecurity firm dedicated to cutting-edge technology in the wild world of web3, we stand behind our record of quality research and capabilities. That said, security is an art, and we take full responsibility for not finding this truly impressive exploit. One of Halborn's core values is Kaizen, a Japanese concept of continual learning and improvement. NEAR is a new, exciting ecosystem, and we will continue our research there so that our auditing capabilities within it only improve.
For more info on Stader Labs, visit:
Main Discord: https://discord.gg/asBqz79Hv9