How Was Concentric Finance Exploited?

TL;DR

On January 22, 2024, Concentric Finance was exploited on the Arbitrum chain, which resulted in a loss of 715.7 ETH, worth approximately $1.72 million.

Introduction to Concentric

Concentric is a liquidity aggregator that sources liquidity from multiple DEXs and optimizes the LP position to maximize yield.

Vulnerability Assessment

The root cause of the exploit is the compromise of the deployer wallet through a targeted social engineering attack.

Steps

Step 1:

We attempt to analyze one of the attack transactions executed by the exploiter.

Step 2:

The attacker was able to compromise the deployer key and then upgrade the contract to drain funds from both the vault and the users who had approved the contract to spend their tokens.

The protocol leveraged upgradeable contracts, meaning that a compromised admin or deployer key would allow an attacker to upgrade the vaults, mint new tokens, or perform any other unintended operation on the core contracts.

Step 3:

Specifically, the attacker updated the implementation contract of the CONE-1 proxy contract from the original ConeCamelotVault contract to an attacker-controlled contract and then set the admin of adminMint to an address they likely controlled.

function adminMint(uint256 amount) public {
  require(msg.sender == 0x105f52fcC329cEF4CBe25BC946f8a3738414E4A1, "Not admin");
  _burn(0x60D84044e916ac1A22981dA23058591193de3AFc, amount);
  _mint(msg.sender, amount);
}

Step 4:

Thus, using this adminMint function, the attacker burned LP tokens from the LPStaking contract and then minted them for themselves. The attacker repeatedly called adminMint and the burn operations in order to drain funds from the contracts.

Step 5:

Likewise, there is also an approval bug in one of the affected contracts, in which users who had approved the contract to spend their tokens saw their assets being drained from the contract.

function withdrawFromAdmin(address token, address from) public {
  require(msg.sender == 0xc62A25462A61f02EBAB35Cd39C5E9651426e760b, "Not admin");
  uint256 balance = IERC20(token).balanceOf(from);
  uint256 approval = IERC20(token).allowance(from, address(this));
  IERC20(token).safeTransferFrom(from, msg.sender, approval >= balance ? balance : approval);
}

Step 6:

The stolen funds held at this address were later disbursed to different EOAs:

0x17865c33e40814d691663bC292b2F77000f94c34: $270,918
0x1F14E38666cDd8e8975f9acC09e24E9a28fbC42d: $702,095
0xFD681A9aA555391Ef772C53144db8404AEC76030: $701,959
0x5c0E945Fc1c83D8d10E9c6366E2cBC5241532AEc: $153,021

Aftermath

The team acknowledged the incident and stated that they were reviewing a security incident on their protocol. The breach was the result of a targeted social engineering attack on one of their team members holding the deployer wallet, which led to unauthorized access and subsequent exploitation of the protocol. A later post-mortem report by the team stated that they currently have 8 ETH, along with some USDC, left in the CONE-USDC LP; therefore, the protocol will be entirely halted for the foreseeable future.

Solution

To effectively address and mitigate the risks highlighted by the Concentric Finance exploit, a comprehensive and multifaceted approach is essential. Firstly, users who have granted token approvals to the affected contracts should promptly revoke these approvals. Additionally, the suspension of operations by the Concentric team serves as a stark reminder of the importance of due diligence and vigilance in DeFi interactions. This includes thorough research into a project’s team, security audits, and contract functionality.

The protection of upgradeable contracts is of paramount importance. One key measure is the implementation of a multi-signature wallet for administrative control of these contracts, reducing the risk of a single point of failure. Complementing this, a time lock for contract upgrades allows for community scrutiny and validation of changes prior to activation. Regular security audits, particularly surrounding upgrades, and continuous monitoring for unusual activities are critical for early exploit detection. Additionally, transparent and decentralized governance in contract upgrades, involving community participation in decision-making, enhances the overall security framework.
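
One way to put the multi-signature and time-lock controls described above in front of a proxy, as an added example that is not Concentric's code or part of the original article. The contract name, the 48-hour delay and the `upgradeTo(address)` proxy interface are assumptions, and the proxy's upgrade authority has to be transferred to this contract for it to have any effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Assumed interface: the page does not say which proxy pattern was used.
interface IUpgradeableProxy {
    function upgradeTo(address newImplementation) external;
}

// Holds the proxy's upgrade right. Only the multisig can queue an upgrade, and
// it cannot be applied until DELAY has passed, so the queued implementation is
// visible on-chain for review (and can be cancelled) before it takes effect.
contract UpgradeTimelock {
    uint256 public constant DELAY = 48 hours; // assumed review window
    address public immutable multisig;        // assumed m-of-n wallet contract
    IUpgradeableProxy public immutable proxy;
    mapping(address => uint256) public readyAt; // implementation => earliest execution time
    event UpgradeQueued(address indexed implementation, uint256 eta);
    event UpgradeCancelled(address indexed implementation);
    event UpgradeExecuted(address indexed implementation);

    modifier onlyMultisig() {
        require(msg.sender == multisig, "not multisig");
        _;
    }

    constructor(address multisig_, IUpgradeableProxy proxy_) {
        // Reject a plain key (EOA) as admin: one stolen key must not be enough.
        require(multisig_.code.length > 0, "multisig must be a contract");
        multisig = multisig_;
        proxy = proxy_;
    }

    function queue(address implementation) external onlyMultisig {
        require(implementation.code.length > 0, "not a contract");
        require(readyAt[implementation] == 0, "already queued");
        readyAt[implementation] = block.timestamp + DELAY;
        emit UpgradeQueued(implementation, readyAt[implementation]);
    }

    function cancel(address implementation) external onlyMultisig {
        require(readyAt[implementation] != 0, "not queued");
        delete readyAt[implementation];
        emit UpgradeCancelled(implementation);
    }

    function execute(address implementation) external onlyMultisig {
        uint256 eta = readyAt[implementation];
        require(eta != 0 && block.timestamp >= eta, "not ready");
        delete readyAt[implementation]; // one-shot: a later upgrade must be queued again
        emit UpgradeExecuted(implementation);
        proxy.upgradeTo(implementation);
    }
}
```

The `UpgradeQueued` event gives monitoring a fixed signal to alert on: any implementation change on the proxy that was not preceded by a matching queue entry indicates the time lock has been bypassed.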

Central to strengthening security is a complete overhaul of the private key management system. Adopting a multi-signature wallet system is a strategic move, necessitating multiple confirmations for transactions and thus significantly lowering the risk of unauthorized access. Alongside this, transitioning from storing private keys in a single, online environment to incorporating hardware security modules (HSMs) offers a more secure storage solution, greatly reducing the risk of key compromises.

Enhancing this security architecture further is the implementation of a robust cold storage solution. Keeping private keys entirely offline through cold storage markedly reduces their exposure to online attacks. The combination of cold storage with a multi-signature system creates a dual layer of defense. These measures are not only crucial for the secure storage and management of assets but also play an integral role in re-establishing and sustaining user trust in the platform’s security protocols.

A notable aspect of the exploit was also the human element, particularly vulnerability to phishing and social engineering attacks. Addressing this calls for a comprehensive employee training program centered on security awareness.

This article was originally published by Pukar Acharya elsewhere.