On October 24th, 2024, Ramses Exchange on Arbitrum faced a sophisticated heist, losing over $90,000 due to a critical flaw in its reward distribution logic. An attacker uncovered a vulnerability that allowed them to claim rewards repeatedly across multiple tokenIds without ever decreasing the total rewards supply. By strategically depositing tokens and invoking getPeriodReward() with various NFTs, the attacker exploited the contract's failure to track reward limits per period, effectively draining the reward pools and executing a masterful raid on the exchange's assets.
Ramses is a next-generation AMM designed to serve as Arbitrum's central liquidity hub, combining the secure and battle-tested superiority of Uniswap v3 with a custom incentive engine, vote-lock governance model, and streamlined user experience.
Ramses Token Contract Address: 0xaaa6c1e32c55a7bfa8066a6fae9b42650f262418
Attack Transaction Hash: 0xb91c4e0debaf0feb1f20c979eebc1282c8024ae299ef5903591badcf1f4938bb
Attacker's Address: 0x1d8b0Ee375750839567f266FA75f6FBc9D6B977c
veWithdrawnTokenAmountByPeriod
The attacker then called the getPeriodReward() function, which allowed them to access previously unclaimed rewards from earlier periods because the contract did not validate the requested period against the current time. By repeatedly calling getPeriodReward() and exploiting the inflated tokenTotalSupplyByPeriod, the attacker drained significant rewards from the exchange.
The root cause of the Ramses Exchange hack was a flaw in the reward distribution logic within the FeeDistributor contract. Specifically, the contract failed to decrease the tokenTotalSupplyByPeriod after each reward claim, resulting in an inflated reward supply. This oversight allowed the attacker to repeatedly claim rewards without a corresponding reduction in available rewards. Additionally, the getPeriodReward() function did not validate if the specified period matched the current time, enabling the attacker to exploit past periods for unclaimed rewards.
The attacker deposited tokens, repeatedly invoked the getPeriodReward() function with different NFT tokenIds to claim excess rewards, and then transferred the stolen funds out of Ramses Exchange, resulting in a loss of over $90,000. Here's the fund flow:
Here is how Ramses responded to the exploit on their Discord: "funds are safe. Liquidity provider funds are safe. User veNFT positions are safe."
tokenTotalSupplyByPeriod: Ensure that the tokenTotalSupplyByPeriod is decreased appropriately after each reward claim to prevent inflated reward calculations.
getPeriodReward(): Validate the periods passed to the getPeriodReward() function to ensure they align with the current time and prevent retroactive claims.
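The root cause described above and the two remediations it calls for, as an added example in Solidity that is not Ramses's FeeDistributor code: an assumed minimal per-period distributor with the claim path written twice, once in the unprotected shape the post describes and once hardened. Only tokenTotalSupplyByPeriod and getPeriodReward() come from the post; PeriodRewardExample, deposit, notifyReward, shareByPeriod, totalShareByPeriod, claimedShareByPeriod, claimed, ownerOf and getPeriodRewardVulnerable are names assumed for the illustration, and the pro-rata-over-remaining-share accounting and the rule that a period becomes claimable only after it has ended are assumed design choices.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative per-period fee distributor. This is an assumed design written
// for this post, not Ramses's FeeDistributor. Rewards deposited for a period
// are split pro rata among veNFT tokenIds by the share each holds in that period.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract PeriodRewardExample {
    uint256 public constant WEEK = 7 days;

    // period => token => reward amount still available for that period
    mapping(uint256 => mapping(address => uint256)) public tokenTotalSupplyByPeriod;
    // period => total share of all tokenIds in that period
    mapping(uint256 => uint256) public totalShareByPeriod;
    // period => token => share that has already been paid out for that token
    mapping(uint256 => mapping(address => uint256)) public claimedShareByPeriod;
    // period => tokenId => share credited to that tokenId
    mapping(uint256 => mapping(uint256 => uint256)) public shareByPeriod;
    // period => tokenId => token => whether that tokenId already claimed
    mapping(uint256 => mapping(uint256 => mapping(address => bool))) public claimed;
    // tokenId => owner (assumed: recorded on first deposit; no real veNFT here)
    mapping(uint256 => address) public ownerOf;

    function currentPeriod() public view returns (uint256) {
        return block.timestamp / WEEK;
    }

    // Deposits count only toward the period that is running now.
    function deposit(uint256 tokenId, uint256 amount) external {
        if (ownerOf[tokenId] == address(0)) ownerOf[tokenId] = msg.sender;
        require(ownerOf[tokenId] == msg.sender, "not owner");
        uint256 period = currentPeriod();
        shareByPeriod[period][tokenId] += amount;
        totalShareByPeriod[period] += amount;
    }

    // Funds a period's pool (the caller's token transfer in is omitted here).
    function notifyReward(uint256 period, address token, uint256 amount) external {
        tokenTotalSupplyByPeriod[period][token] += amount;
    }

    // The pattern the post describes: any period is accepted, nothing marks the
    // tokenId as paid, and the pool is never reduced, so every call recomputes
    // the payout against the full, undiminished supply.
    function getPeriodRewardVulnerable(uint256 period, uint256 tokenId, address token)
        external returns (uint256 reward)
    {
        require(ownerOf[tokenId] == msg.sender, "not owner");
        uint256 total = totalShareByPeriod[period];
        if (total == 0) return 0;
        reward = tokenTotalSupplyByPeriod[period][token] * shareByPeriod[period][tokenId] / total;
        require(IERC20(token).transfer(msg.sender, reward), "transfer failed");
    }

    // Hardened form of the same claim, applying both remediations from the post:
    // the period is checked against the clock and the supply shrinks per claim.
    function getPeriodReward(uint256 period, uint256 tokenId, address token)
        external returns (uint256 reward)
    {
        require(ownerOf[tokenId] == msg.sender, "not owner");
        require(period < currentPeriod(), "period not finished");     // period validation
        require(!claimed[period][tokenId][token], "already claimed"); // one claim per tokenId

        uint256 share = shareByPeriod[period][tokenId];
        uint256 remainingShare = totalShareByPeriod[period] - claimedShareByPeriod[period][token];
        if (share == 0 || remainingShare == 0) return 0;

        // Pro rata over what is still unclaimed, so payouts can never exceed the pool.
        reward = tokenTotalSupplyByPeriod[period][token] * share / remainingShare;

        claimed[period][tokenId][token] = true;
        claimedShareByPeriod[period][token] += share;
        tokenTotalSupplyByPeriod[period][token] -= reward;            // the missing decrement

        require(IERC20(token).transfer(msg.sender, reward), "transfer failed");
    }
}
```

Because an unclaimed tokenId's share is always part of remainingShare, the hardened reward is at most the remaining pool, and reducing tokenTotalSupplyByPeriod on every claim keeps the sum of payouts for a period bounded by what notifyReward put in. The period check stops a caller from choosing an arbitrary past or future period that the clock does not justify. A useful property test for a real distributor is to fuzz sequences of deposits, notifications and claims and assert that total payouts for each (period, token) never exceed the notified amount.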
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.