闪电贷攻击导致 Base 上的 CloberDEX 损失 50 万美元

近期，我们监测到一起针对 Base 项目 CloberDEX 的链上攻击。被攻击项目为CluberDEX，攻击者获得约

Recently, an on-chain attack was detected against CloberDEX, a project on Base. The attacker gained about 133 ETH, or about 500,000 USD, through this attack.

近期，Base 项目 CloberDEX 被检测到链上攻击。攻击者通过这次攻击获得了约 133 ETH，即约 500,000 美元。

The attacked project is CloberDEX, and its main functions are as follows: open a new trading pool containing trading pairs A to B and B to A, and each trading pair also contains a preset trading strategy; mint is to add liquidity to the trading pair and obtain LP Token; burn is to destroy LP Token to obtain the corresponding currency.

被攻击项目为CloberDEX，其主要功能为：开设一个新的交易池，其中包含交易对A到B、B到A，每个交易对还包含预设的交易策略；铸币是为交易对增加流动性并获得LP Token；销毁就是销毁LP Token以获得相应的货币。

Let's take a look at the attack process:

我们看一下攻击过程：

First, the attacker borrowed 267 WETH from Morpho Blue using flashloan.

首先，攻击者使用闪贷从 Morpho Blue 借了 267 WETH。

Then, the attacker used open to open two trading pairs on CloberDEX, namely Token/WETH and WETH/Token, where Token is a contract deployed by the attacker himself.

然后，攻击者使用open在CloberDEX上开设了两个交易对，分别是Token/WETH和WETH/Token，其中Token是攻击者自己部署的合约。

Then, the attacker used mint to transfer 267 WETH and 267 Token to the newly opened trading pair to add liquidity and obtain LP Token.

然后，攻击者使用mint将267 WETH和267 Token转移到新开设的交易对中，以增加流动性并获得LP Token。

So far, there is no problem. Finally, the attacker uses burn to destroy the LP Token just obtained. Let's take a look at the specific implementation of burn;

到目前为止，没有问题。最后，攻击者使用burn来销毁刚刚获得的LP Token。我们来看看burn的具体实现；

The control flow goes to the lock function. Similarly, let's take a look at the specific implementation of lock;

控制流程进入锁定功能。同样，我们看一下lock的具体实现；

As you can see, the lock function passes bytes caldata data to the lockAcquired function. Let's continue to look at the implementation of this function.

如您所见，lock 函数将字节 caldata 数据传递给 lockAcquired 函数。我们继续看这个函数的实现。

We found this line of code

我们发现这行代码

We can see that the function called by the code is determined by data. The first four bytes of data are the signature of _burn, so burn essentially calls _burn.

我们可以看到，代码调用的函数是由数据决定的。数据的前四个字节是_burn的签名，因此burn本质上是调用_burn。

We can see that _burn calls pool.strategy.burnHook(msg.sender, key, burnAmount,supply) again, and the processing of the pool's reserver comes after this code. So, the problem lies here. The address of the strategy contract of the pool corresponding to the trading pair can be controlled by the attacker. In this attack, the attacker wrote the address as his own attack contract address: 0x32fb1bedd95bf78ca2c6943ae5aeaeaafc0d97c1 .

我们可以看到_burn再次调用了pool.strategy.burnHook(msg.sender, key, burnAmount,supply)，并且池的reserver的处理发生在这段代码之后。那么，问题就出在这里。交易对对应的矿池的策略合约地址可以被攻击者控制。在本次攻击中，攻击者将该地址写入为自己的攻击合约地址： 0x32fb1bedd95bf78ca2c6943ae5aeaeaafc0d97c1 。

When the contract process reaches the BurnHook of the attacking contract, burn is called again to complete the reentrancy attack.

当合约进程到达攻击合约的BurnHook时，再次调用burn，完成重入攻击。

The attacker took out 264 WETH and 133 WETH from the CloberDEX contract through this vulnerability, and made a profit of 133.7 ETH after repaying the flashloan loan, which is about 500,000 USD.

攻击者通过该漏洞从 CloberDEX 合约中取出 264 WETH 和 133 WETH，偿还闪贷后获利 133.7 ETH，约合 50 万美元。

The main cause of this vulnerability is that the CloberDEX project contract did not perform reentrancy detection and protection in the code for obtaining and destroying LP Tokens, and the state variables were updated after the contract was called, which eventually led to the attacker using the reentry vulnerability to empty the project's WETH. It is recommended that the project party should conduct multi-party verification when designing the economic model, price calculation mechanism and code operation logic, and try to select multiple audit companies for cross-audit when auditing the contract before it goes online.

该漏洞的主要原因是CloberDEX项目合约在获取和销毁LP Token的代码中没有进行重入检测和保护，而合约调用后状态变量被更新，最终导致攻击者利用重入清空项目 WETH 的漏洞。建议项目方在设计经济模型、价格计算机制和代码运行逻辑时进行多方验证，并在合约上线前审核时尽量选择多家审核公司进行交叉审核。