Reaper Farm hack: SmartState overview
The Reaper Farm was hacked recently. An attacker extracted about $1,7M from Reaper Farm Multi-Strategy vaults. Below is the SmartState quick overview of the incident.
The hacker used mis-implementation of the ERC-4626 interface to withdraw user funds to their account. This was made possible by a serious critical vulnerability: recipient’s account verification had not been set up properly, so anyone could withdraw anyone else’s funds.
Key omissions which created the vulnerability
- Failure to perform the usual internal security audit after making changes;
- Lack of external smart contract audits;
- Lack of communication with the white-hat community, even though Reaper Farm had previously established a $200K bounty for bug finding.
Hack implementation
- User 0x5636e55e4a72299a0f194c001841e2ce75bb527a exploited the multi-strategies’ lack of validation and drained user funds into their wallet. This was done in a rapid series of transactions on the Fantom network, most notable being https://ftmscan.com/tx/0xc929f3b9312ff26be0adb1c3ff832dbdafdcbcaad33d002744effd515e53c9d5.
- This user’s funds were bridged from Binance Smart Chain using O3 Network’s cross-chain swap router. They received the BNB for this swap from Tornado cash, and https://tutela.xyz/ marks it as 100% anonymous.
- After the attack, the hacker bridged the funds to Ethereum to the following address: 0x2a038e100f8b85df21e4d44121bdbfe0c288a869. The funds were promptly sent to Tornado Cash for laundering.
Summary
Unfortunately, the Reaper Farm case shows the widespread and surprising carelessness of crypto projects about their code security.
It would be naive to assume that a combination of factors such as failure to follow internal auditing processes, lack of audits by external smart contract auditing companies, and lack of communication with the white-hat community would not ultimately lead to such an unfortunate outcome. As a blockchain security audit company, we in SmartState can say that a good practice in crypto security is not just to check the logic of the code, especially after any changes, but to do the check twice before the release.
Reaper Farm’s recent post-mortem can be found here.
Stay tuned and find out more about us and what we provide on our:
