On October 24th, 2024, Ramses Exchange
on Arbitrum faced a sophisticated heist, losing over $90,000 due to a critical flaw in its reward distribution logic. An attacker uncovered a vulnerability that allowed them to claim rewards repeatedly across multiple tokenIds without ever decreasing the total rewards supply. By strategically depositing tokens and invoking getPeriodReward() with various NFTs, the attacker exploited the contract’s vulnerability to track reward limits per period, effectively draining the reward pools and executing a masterful raid on the exchange's assets.
Ramses is a next-generation AMM designed to serve as Arbitrum's central liquidity hub, combining the secure and battle-tested superiority of Uniswap v3 with a custom incentive engine, vote-lock governance model, and streamlined user experience.
Ramses Token Contract Address: 0xaaa6c1e32c55a7bfa8066a6fae9b42650f262418
Attack Transaction Hash: 0xb91c4e0debaf0feb1f20c979eebc1282c8024ae299ef5903591badcf1f4938bb
Attacker’s Address:
0x1d8b0Ee375750839567f266FA75f6FBc9D6B977c
Ready to secure your smart contracts? Take the first step towards a safer blockchain journey. Request an Audit with QuillAudits today & ensure your contracts are robust and secure!
veWithdrawnTokenAmountByPeriod
.getPeriodReward()
function, allowing them to access previously unclaimed rewards from earlier periods due to the contract’s lack of period validation against the current time.getPeriodReward()
and exploiting the inflated tokenTotalSupplyByPeriod
, the attacker drained significant rewards from the exchange.
The root cause of the Ramses Exchange hack was a flaw in the reward distribution logic within the FeeDistributor contract. Specifically, the contract failed to decrease the tokenTotalSupplyByPeriod after each reward claim, resulting in an inflated reward supply. This oversight allowed the attacker to repeatedly claim rewards without a corresponding reduction in available rewards. Additionally, the getPeriodReward() function did not validate if the specified period matched the current time, enabling the attacker to exploit past periods for unclaimed rewards.
The attacker deposited tokens, repeatedly invoked the getPeriodReward() function with different NFT tokenIds to claim excess rewards, and then transferred the stolen funds out of Ramses Exchange, resulting in a loss of over $90,000. Here’s the fund flow
:
Here is what Ramses responded to the exploit in their discord: ”funds are safe. Liquidity provider funds are safe. User veNFT positions are safe.”
tokenTotalSupplyByPeriod
: Ensure that the tokenTotalSupplyByPeriod
is decreased appropriately after each reward claim to prevent inflated reward calculations.getPeriodReward()
function to ensure they align with the current time and prevent retroactive claims.
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny
from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.
Get Pure Alpha Straight to Your Inbox. Miss this, and you’re missing out.
Insider Secrets - Delivered Right to You. Subscribe now.