Recently, an on-chain attack was detected against CloberDEX, a project on Base. The attacker gained about 133 ETH, or about 500,000 USD, through this attack.
The attacked project is CloberDEX. Its main functions are: open, which creates a new trading pool containing the trading pairs A to B and B to A, each with a preset trading strategy; mint, which adds liquidity to a trading pair and returns LP tokens; and burn, which destroys LP tokens to withdraw the corresponding assets.
Let's take a look at the attack process:
First, the attacker borrowed 267 WETH from Morpho Blue using a flash loan.
Then, the attacker used open to create two trading pairs on CloberDEX, Token/WETH and WETH/Token, where Token is a contract deployed by the attacker.
Next, the attacker used mint to deposit 267 WETH and 267 Token into the newly opened trading pair, adding liquidity and receiving LP tokens.
So far, nothing is wrong. Finally, the attacker calls burn to destroy the LP tokens just obtained. Let's look at the implementation of burn:
Control flow goes to the lock function. Likewise, let's look at the implementation of lock:
As you can see, lock passes its bytes calldata data argument on to the lockAcquired function. Let's continue with the implementation of that function.
We find this line of code:
The function invoked here is determined by data: its first four bytes are the selector of _burn, so burn ultimately calls _burn.
_burn in turn calls pool.strategy.burnHook(msg.sender, key, burnAmount, supply), and the pool's reserves are only updated after this call. This is where the problem lies: the address of the strategy contract for the pool behind a trading pair can be set by the attacker, and in this attack the attacker set it to their own attack contract address, 0x32fb1bedd95bf78ca2c6943ae5aeaeaafc0d97c1.
When execution reaches the attack contract's burnHook, burn is called again, completing the reentrancy attack.
Through this vulnerability the attacker withdrew 264 WETH and 133 WETH from the CloberDEX contract, and after repaying the flash loan made a profit of 133.7 ETH, about 500,000 USD.
The root cause of this vulnerability is that the CloberDEX contract performed no reentrancy detection or protection in the code for obtaining and destroying LP tokens, and updated its state variables only after the external call, which allowed the attacker to drain the project's WETH through reentrancy. It is recommended that project teams perform multi-party verification when designing the economic model, price calculation mechanism and code logic, and engage multiple audit firms for cross-audits before a contract goes live.
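To make the ordering defect concrete, the following simplified Solidity is an added illustration and not CloberDEX's code: the first contract performs the externally controlled strategy hook before updating the pool's accounting, the pattern described above, while the second applies checks-effects-interactions and a reentrancy guard. The contract names (VulnerablePool, SafePool), the Pool struct, the IStrategy interface and its burnHook signature are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only, not CloberDEX's code. IStrategy, Pool, VulnerablePool and
// SafePool are names assumed for this example.
interface IStrategy {
    // Strategy hook invoked during burn. In the scenario described in the article the
    // strategy address is set by whoever opened the pair, so this call is untrusted.
    function burnHook(address sender, bytes32 key, uint256 burnAmount, uint256 supply) external;
}

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

struct Pool {
    IStrategy strategy;
    IERC20 token;
    uint256 reserve;   // tokens held for this pair
    uint256 lpSupply;  // total LP tokens outstanding
}

// Vulnerable ordering: the external hook runs BEFORE reserve and LP accounting are
// reduced, so a nested burn() issued from inside the hook sees the full, stale reserve.
contract VulnerablePool {
    mapping(bytes32 => Pool) public pools;
    mapping(bytes32 => mapping(address => uint256)) public lpBalance;

    function burn(bytes32 key, uint256 burnAmount) external {
        Pool storage pool = pools[key];
        require(lpBalance[key][msg.sender] >= burnAmount, "insufficient LP");
        uint256 supply = pool.lpSupply;
        uint256 payout = pool.reserve * burnAmount / supply;

        // INTERACTION first: untrusted code gets control while state is unchanged.
        pool.strategy.burnHook(msg.sender, key, burnAmount, supply);

        // EFFECTS last: a re-entrant burn has already been paid against the unreduced reserve.
        lpBalance[key][msg.sender] -= burnAmount;
        pool.lpSupply = supply - burnAmount;
        pool.reserve -= payout;
        require(pool.token.transfer(msg.sender, payout), "transfer failed");
    }
}

// Hardened: all effects are applied before any external call, and a mutex makes any
// nested burn() revert regardless of what the strategy hook does.
contract SafePool {
    mapping(bytes32 => Pool) public pools;
    mapping(bytes32 => mapping(address => uint256)) public lpBalance;

    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    function burn(bytes32 key, uint256 burnAmount) external nonReentrant {
        Pool storage pool = pools[key];
        require(lpBalance[key][msg.sender] >= burnAmount, "insufficient LP");
        uint256 supply = pool.lpSupply;
        uint256 payout = pool.reserve * burnAmount / supply;

        // EFFECTS: reduce LP balance, supply and reserve before touching external code.
        lpBalance[key][msg.sender] -= burnAmount;
        pool.lpSupply = supply - burnAmount;
        pool.reserve -= payout;

        // INTERACTIONS: the hook now observes already-reduced state; the guard above
        // rejects any attempt to re-enter burn() from within it.
        pool.strategy.burnHook(msg.sender, key, burnAmount, supply);
        require(pool.token.transfer(msg.sender, payout), "transfer failed");
    }
}
```

The two defences are independent: moving the accounting ahead of the hook removes the stale-state window on its own, and the nonReentrant mutex is a second layer that also blocks cross-function re-entry (for example a burn hook that calls mint). A review checklist for any function that hands control to an address stored in a user-configurable field should confirm both that state is finalised before the call and that a guard is present.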