Clipper Dec 24 Exploit Post-Mortem

On Sunday, December 1st, an attacker(s) exploited a vulnerability in a smart contract used by Clipper and manipulated the single-asset deposit and withdrawal feature. This manipulation affected the liquidity pools for the Optimism and Base networks and caused a pool imbalance that allowed the attacker to withdraw more assets than they deposited. The attack compromised approximately $457,878. within several hours, the AdmiralDAO activated and executed its emergency response procedures by taking immediate steps to secure the remaining funds on the protocol, and stop the attack. Following the response, no additional funds were compromised.

Incident Details

• Date/Time of Incident: Sunday, December 1st, around 4:00 AM GMT (11pmET) to 5:00 PM GMT
• Affected Platforms:
  • Optimism Network: Clipper Optimism Pool at 0x5130f6ce257b8f9bf7fac0a0b519bd588120ed40
  • Base Network: Clipper Base Pool at 0xb32d856cad3d2ef07c94867a800035e37241247c
• Unaffected Platforms: Other chains and pools like Arbitrum, Mantle, Polygon PoS, zkEVM, and Mainnet.
• Type of Attack: Exploitation of the single-asset deposit and withdrawal feature combined with manipulations that caused pool imbalances

Technical Analysis

Attack Vector

The attacker(s) exploited the single-asset deposit and withdrawal feature. This feature is designed to enable users to deposit or withdraw their funds using just one asset instead of the full mix of pool assets. By using swaps to manipulate the balance of pools with low TVL, the attacker changed the pool's state after getting the initial deposit signature but before completing the transaction, resulting in a profit.

How the Exploit Worked

Please note, the attack vector and execution steps described below are provided based on information known to AdmiralDAO at this time. Additional facts and analysis may impact the accuracy of the description, but is being provided to you to for transparency and to convey the essence of the attack vector and method.

1. Getting a Deposit Signature:
   • The attacker(s) requested a signature for many (in the thousands) single-asset deposits through Clipper’s public API.
   • They received a pool_tokens amount corresponding to their deposits, but did not yet execute the transaction.
2. Manipulating the Pool Balance:
   • They performed a swap and sent in extra ETH along with the swap input, which increased the value of the pool_tokens.
   • This was possible because of the low balances of the Optimism and Base pools, in which a small amount of additional input assets could drive a large proportional increase in pool value.
3. Getting a Withdrawal Signature:
   • They requested a signature for many single-asset withdrawal for the number of pool_tokensthey knew the deposit would return upon execution of the still-valid deposit signature.
   • Due to the manipulated pool state and the multiplicity of deposits and withdrawals, the value extracted was greater than the value of their ETH subsidy in step 2.
4. Executing Both Actions Together:
   • They bundled the deposit and withdrawal into a single transaction.
   • This allowed them to withdraw more assets than they deposited.

Observations

• Targeting Low-Balance Pools:
  • The attacker(s) focused on pools with lower balances and low K values, making it easier to manipulate the pool state. No pools with over $500k TVL were exploited.
• Timing Exploitation:
  • They exploited the time gap between obtaining signatures and executing transactions.

Impact Assessment

• Assessment of Compromised Funds:
  • Optimism Pool: Balance reduced from $318,710 to $22,908.
  • Base Pool: Balance reduced from $197,790 to $35,714.
  • Total Estimated Compromise: Approximately $457,878.
• Operational Impact:
  • All activity on the API was temporarily suspended.

Timeline of Events

• Attack starts
  • 4:14:00 AM GMT: The attacker(s) initiated the exploit by getting deposit signatures.
  • 4:14:31 AM GMT: Performed a swap with extra ETH in the input
  • 4:15:05 AM GMT: Obtained withdrawal signatures and executed bundled transactions.
• Response:
  • 1:00 PM GMT (Sunday, 8:00 AM ET): Consistent with preestablished emergency response protocols, the API was paused and an investigation into the attack was initiated.

Immediate Actions

• Disabled API Endpoints:
  • 1:00 PM GMT: Temporarily shut down API endpoints that provide access to swaps, deposit and withdrawals.
• Launched Investigation:
  • 1:00 PM GMT: AdmiralDAO began analyzing logs and transaction data to identify a preliminary root cause.
• Contact with Security teams:
  • 2:00 PM GMT (9:00 AM ET): Outreach was made to Hypernative (who proactively contacted us first), Quantstamp, and SEAL 911 to help investigate the issue.

Root Cause Analysis

• Small pools allowed for imbalances and exploitation:
  • Low balances and low k values combined with low transaction costs on L2s made pools more vulnerable to manipulation. Base and Optimism were the two smallest pools, and Optimism had a 5x lower k value than any other chain. As a result, the Optimism and Base pools were more vulnerable.
• Protections built to prevent malicious swaps were not applied to single-asset deposits/withdrawals (which include a swap).
  • Lack of On-Chain Validation: Clipper's smart contracts validate pool invariants and check for significant state changes during execution of normal swaps, but that was not customary on single-asset withdrawals because of an additional fee that mitigated arbitrage in the past.
  • API Limitations: The API endpoints have mechanisms to detect abnormal request patterns and prevent misuse for normal swaps (e.g. thousands of swaps from similar sources and wallets that have characteristics of bots), but that was not customary on single-asset withdrawals because of an additional fee that mitigated arbitrage in the past.
• Recent updates introduced a bug in Clipper's Circuit-breaker:
  • Clipper includes an off-chain circuit-breaker as an added safeguard to pause swaps in the event of significant balance changes in the pools. A recent database upgrade, implemented to enable the future possibility to support multiple pools on each chain, introduced an unexpected interaction with the circuit-breaker logic that had not been detected in the testing environment. This has since been addressed.

Potential Remediation Actions

Contract Enhancements

• Extend Invariant Checks:
  • Implement on-chain validations to ensure pool invariants are consistent during single asset withdrawals, like Clipper already does for swaps in the latest contract version.
• Extend Oracle Price Validation:
  • Integrate on-chain price oracles validation to asset values on deposits and withdrawals, like Clipper already does for swaps in the latest contract version.
• Consider implementing a short lockup on deposits
  • If new deposits were locked up for longer than deposit signatures are valid (e.g. a couple minutes), the attack would not have been possible.

API and Backend Security Improvements

• Circuit-breaker (automated halts):
  • Extend the circuit-breaker system to automatically halt deposit and withdrawal actions if abnormal behavior in the pool or in deposit/withdrawal activity is detected. Extend test-cases and implement periodic stress-testing.
• Extend Behavioral Monitoring:
  • Add systems to detect bot-like behavior and abnormal API usage on deposit and withdraw endpoints, like Clipper already does for normal swaps. For example, denying too many repeat quote requests).
• Configuration safeguards:
  • Implement defensive code against abnormal configurations for the k parameter on the pool, expiration times for deposit and withdraw signatures, and lock times for deposits.
  • Create internal dashboard for API/pool configuration so all contributors can see existing settings and API status, enabling them to voice disagreement.

Consider Proactive Monitoring

• Security firms such as Hypernative and Hexagate identified potentially suspicious onchain behavior in advance of the exploit. While it is not clear whether this could have prevented the exploit, it is worth exploring. Early warnings could be used to prompt preventative investigations or even trigger the circuit-breaker.

Engage an investigations firm to trace and recover funds

AdmiralDAO, incorporated in the Republic of the Marshall Islands, is engaging ZeroShadow, an incident response firm, to trace and attempt recovery of funds.

Resources

Transaction Details

• Attacker's Address:
  • 0x318c6ca86749f17bf43b78aefd83acd8988c2029
• Notable Transactions:
  • Optimism Exploit Transaction
  • Base Exploit Transaction
• Involved Addresses:
  • A comprehensive list can be found in this Dune Analytics Query.

Smart Contract References

• Optimism Pool Contract:
  • 0x5130f6ce257b8f9bf7fac0a0b519bd588120ed40
• Base Pool Contract:
  • 0xb32d856cad3d2ef07c94867a800035e37241247c

Additional Resources

• Official Statement:
  • Clipper's Response
• On-Chain Analysis:
  • Dune Analytics Query for Involved Addresses

Appreciation

The crypto security community immediately came to Clipper’s aid and supported assessment and mitigation. Special thanks to Quantstamp, Seal 911, Chaofun Shou, Stephan Dalal, and other third parties who donated their attention, skills and abilities.

FAQ

Was this identified in security audits?

• The exploit took advantage of a combination of known vulnerabilities that, while mitigated individually, were unmitigated in aggregate. In hindsight, additional mitigations can be made more redundant.

Will assets be refunded?

• A tracing and recovery firm has been retained (Zeroshadow). Once the potential for recovery is assessed, methods to finance a refund will be considered. To clarify, there are no guarantees at this time, but neither has the issue been discussed. One thing at a time.

When will Clipper reenable trading?

• Remediations should be able to be implemented in a matter of days. Thereafter, Clipper will perform a security review. Thereafter, Clipper will reactivate trading.

Is there any message for the exploiter?

• Your efforts were technically impressive. Please reach out to negotiate.