Decoding Ara Protocol’s Flash Loan Exploit

Summary

On June 18, 2023, the Ara Protocol on the BNB Chain was attacked due to an access control vulnerability. The hackers exploited this vulnerability to steal around $125K.

About Project

Ara is a content-based protocol that uses decentralized rewards and distribution to deliver content directly to consumers. The Ara token is a BEP20 token that is used by publishers, consumers, and users to deliver content in the system and earn rewards.

To learn more about the Project, check out the official documentation.

Vulnerability Analysis & Impact

On-Chain Details

Attacker Address: 0xf84efa8a9f7e68855cf17eaac9c2f97a9d131366

Attacker Contract: 0x98e241bd3be918e0d927af81b430be00d86b04f9

ARA Token Contract: 0x5542958fa9bd89c96cb86d1a6cb7a3e644a3d46e

Vulnerable Contract: 0x7ba5dd9bb357afa2231446198c75bac17cefcda9

Attack Transaction: 0xd87cdecd5320301bf9a985cc17f6944e7e7c1fbb471c80076ef2d031cc3023b2

The Root Cause

The root cause of the attack was a bug in the lack of proper access control in the contract. Specifically, there was a vulnerability in the ARA’s contract that allowed an attacker to use the approval of other addresses.

The 0xB817E address had a large approval of USDT and ARA tokens to swap contracts. The swap contract failed to implement proper restrictions on the amount of funds that could be transferred by the caller for swapping purposes. This allowed the attacker to exploit the vulnerability and manipulate the price of the token and gain profits.

Attack Process

The attacker initiated a flash loan of 1,202,701 USDT from DODO. Subsequently, the attacker called the swap contract and swapped 163,497 ARA tokens for 123,246 USDT.

Using the entire flash loan amount of 1,202,701 USDT, the attacker swapped it for 504,469 ARA tokens, resulting in a significant increase in the price of the $ARA token.

The attacker then made another call to the swap contract, swapping 132,123 USDT for 12,179 ARA tokens, allowing an approved address to acquire $ARA at an inflated price.

Finally, the attacker executed another swap, swapping the previously acquired 504,469 ARA tokens into 1,327,617 USDT. After repaying the flash loan, the attacker achieved a profit of approximately 125K USDT.

The first attack was unsuccessful due to insufficient gas. A bot was able to front-run the transaction and execute it successfully.

Failed txn: 0xd7926f596154125b573f8f195e08c3eb47be4948d13b1fdfb48282938e122879

The Flow of Funds

Attacker’s Wallets

As of writing this blog, the attacker has around 20 BNB (worth around $4919) in their wallet.

After the Exploit

The project has not made any official announcements or tweets regarding the exploit.

How could they have prevented the Exploit?

Implementing the following measures could have significantly mitigated the risk of the attack and help strengthen the security of the Protocol:

Access Control: The contract should incorporate robust access control mechanisms to ensure that only authorized addresses have the necessary permissions for critical operations. This prevents unauthorized parties from manipulating contract functionalities.

Approval Limitations: The approval process should enforce limitations on the amount of funds granted to other contracts or addresses. By setting appropriate restrictions, the contract can mitigate the potential risks associated with unlimited approvals and reduce the attack surface for potential exploits.

Security Audits: Conduct comprehensive security audits of the smart contract code by reputable third-party firms specializing in smart contract security. These audits can help identify vulnerabilities and weaknesses in the codebase and provide recommendations for strengthening the contract’s security.

Reproducing the hack

We will be using the Foundry framework for POC.

The exploit PoC link can be found here.

Why QuillAudits For Web3 Security?

• QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of hundreds of protocols in funds.

• Our team of highly skilled auditors have secured over 1M lines of code and $30B in amount.

• Over the course of multiple years, QuillAudits has been proven to be one of the top choices for protocols to get their codebases audited.

Partner with QuillAudits

• OG Program (Opportunities for Listing Managers, KOLs, Top Advisors and Investors with access to early stage Web3 projects)

• QuillAudits Partnership Programme (Venture funds, launchpads, development companies, marketing firms, web2 cybersecurity firms, web3 products)

• WAGSI Program(Claim audit credits to avail exclusive discounts on our auditing package, and additional credits for our automated web3 security infra- QuillShield)