Neko Hacking Incident Review
Recently, there have been hacking incidents affecting smart contract lending pools. Unfortunately, one of our clients, Maze protocol, was among the first to suffer an attack. We offer our condolences to the Maze team and wish them all the best in their efforts to recover from this attack.
The Maze protocol team has done a splendid job describing the bug. A quick summary: the attacker was able to specify any user who had any tokens available for borrowing and make them their credit delegator, which allowed the attacker to borrow tokens and put the debt on the credit delegator. You can see their full report here.
We are also very thankful to the @PeckShield team for their immediate response to this incident.
If we take a closer look at a classical implementation of a borrowing protocol such as Aave v2, we see that in order to make someone your credit delegator, you need to get their borrow allowance. When you borrow on behalf of an account other than your own, that account's borrow allowance is decreased by the amount you want to borrow, and if the allowance cannot cover it, the transaction is reverted.
Please keep in mind that if you plan to change this logic and remove the check, for example to introduce some automation, all users who have any tokens available for borrowing will become victims. If you really want to do this, you will have to refactor the contract's current business logic and implement a whole new piece; otherwise the contract will be vulnerable.
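The allowance check described above, as an added Solidity example (not Aave's or Maze protocol's code). The contract name, function names and storage layout are assumptions made for illustration, and only the debt bookkeeping is modelled.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of delegated borrowing; all names here are hypothetical.
/// Collateral checks, interest and token transfers are outside this model.
contract DelegatedDebtLedger {
    // delegator => delegatee => amount the delegatee may still borrow
    // against the delegator's account
    mapping(address => mapping(address => uint256)) public borrowAllowance;
    // account => outstanding debt
    mapping(address => uint256) public debtOf;

    event DelegationApproved(address indexed delegator, address indexed delegatee, uint256 amount);
    event Borrowed(address indexed caller, address indexed onBehalfOf, uint256 amount);

    /// Only the delegator can grant credit, and only against their own account.
    function approveDelegation(address delegatee, uint256 amount) external {
        borrowAllowance[msg.sender][delegatee] = amount;
        emit DelegationApproved(msg.sender, delegatee, amount);
    }

    /// The debt is recorded on `onBehalfOf`; the caller is the borrower.
    function borrow(uint256 amount, address onBehalfOf) external {
        if (onBehalfOf != msg.sender) {
            // The check the article describes: spend the delegator's allowance
            // and revert when it does not cover the requested amount.
            // Without this branch, `onBehalfOf` is an unchecked caller input
            // and debt can be recorded on an account that never agreed to it.
            uint256 allowed = borrowAllowance[onBehalfOf][msg.sender];
            require(allowed >= amount, "borrow allowance not enough");
            borrowAllowance[onBehalfOf][msg.sender] = allowed - amount;
        }
        debtOf[onBehalfOf] += amount;
        emit Borrowed(msg.sender, onBehalfOf, amount);
    }
}
```

A regression test for this invariant calls `borrow` with an `onBehalfOf` account that never called `approveDelegation` and asserts that the call reverts and `debtOf` for that account is unchanged.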
We are currently providing active support to the Maze protocol team (it has been many sleepless nights!) and we are also looking out for projects with the same issues so as not to allow such attacks on them. Stay Safe!