bg

Unraveling the $90K Mystery: Inside Ramses Exchange's Reward Exploit

Updated at: October 30, 20247 Mins Read

Author:QuillAudits Team

Overview

On October 24th, 2024, Ramses Exchange on Arbitrum faced a sophisticated heist, losing over $90,000 due to a critical flaw in its reward distribution logic. An attacker uncovered a vulnerability that allowed them to claim rewards repeatedly across multiple tokenIds without ever decreasing the total rewards supply. By strategically depositing tokens and invoking getPeriodReward() with various NFTs, the attacker exploited the contract’s vulnerability to track reward limits per period, effectively draining the reward pools and executing a masterful raid on the exchange's assets.

 

About Project

Ramses is a next-generation AMM designed to serve as Arbitrum's central liquidity hub, combining the secure and battle-tested superiority of Uniswap v3 with a custom incentive engine, vote-lock governance model, and streamlined user experience.

 

Exploit Details

Secure Your Smart Contracts with QuillAudits

Ready to secure your smart contracts? Take the first step towards a safer blockchain journey. Request an Audit with QuillAudits today & ensure your contracts are robust and secure!

Check Our Pricingarrow

Attack Process

  1. The attacker discovered a vulnerability in Ramses Exchange’s reward distribution logic, which allowed rewards to be claimed multiple times without reducing the total rewards supply.
     
  2. The attacker called the getPeriodReward() function with different NFT tokenIds, enabling them to claim rewards. 
     
  3. The contract failed to decrease tokenTotalSupplyByPeriod after each reward claim, leading to an inflated total reward supply.

    attack flow
     
  4. The attacker reset or split the original NFT into new tokenIds (e.g., from 18785 to 18787) to bypass the claim-tracking variable veWithdrawnTokenAmountByPeriod .
     
  5. The new tokenIds allowed the attacker to repeatedly claim rewards as if they were different NFTs.
     
  6. The attacker specified arbitrary period values in the getPeriodReward() function, allowing them to access previously unclaimed rewards from earlier periods due to the contract’s lack of period validation against the current time.

    attack process
     
  7. By repeatedly invoking getPeriodReward() and exploiting the inflated tokenTotalSupplyByPeriod, the attacker drained significant rewards from the exchange.
     
  8. The attacker successfully transferred the stolen funds, resulting in a total loss of over $90,000 for Ramses Exchange.

 

The Root Cause

The root cause of the Ramses Exchange hack was a flaw in the reward distribution logic within the FeeDistributor contract. Specifically, the contract failed to decrease the tokenTotalSupplyByPeriod after each reward claim, resulting in an inflated reward supply. This oversight allowed the attacker to repeatedly claim rewards without a corresponding reduction in available rewards. Additionally, the getPeriodReward() function did not validate if the specified period matched the current time, enabling the attacker to exploit past periods for unclaimed rewards. 

 

Flow of Funds

The attacker deposited tokens, repeatedly invoked the getPeriodReward() function with different NFT tokenIds to claim excess rewards, and then transferred the stolen funds out of Ramses Exchange, resulting in a loss of over $90,000. Here’s the fund flow:

flow of funds

Report Mockup

Secure Your Web3 Journey

The QuillAI Network is the AI layer for web3 security. With AI agents for solidity (QuillShield) and due diligence (QuillCheck) helping safeguard contracts, transactions, and wallets, QuillAI is empowering web3 users and builders to tke charge of their security needs.
Launch AI Agents

Post Exploit Scenes

Here is what Ramses responded to the exploit in their discord: ”funds are safe. Liquidity provider funds are safe. User veNFT positions are safe.

post exploit scene

 

How could they have prevented the Exploit?

  1. Properly Decrementing tokenTotalSupplyByPeriod: Ensure that the tokenTotalSupplyByPeriod is decreased appropriately after each reward claim to prevent inflated reward calculations.
     
  2. Tracking Claims Per TokenId: Implement a robust mechanism to track rewards claimed per tokenId accurately, preventing the same tokenId from being used to claim rewards multiple times.
     
  3. Enforce strict validation of the period values in the getPeriodReward() function to ensure they align with the current time and prevent retroactive claims.
     
  4. Conducting Thorough Audits: Engage reputable audit firms like QuiilAudits to conduct comprehensive security audits and fix potential vulnerabilities before they can be exploited.

 

Why QuillAudits?

Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.

QuillAudits Team

QuillAudits Team

The QuillAudits team, comprises of expert security researchers & auditors in Web3 security, has completed 1,000+ audits across Ethereum, Polygon, Solana, Arbitrum, BSC, and more, securing $30B+ with 0 exploits, advancing the blockchain ecosystem

TwitterLinkedInTelegram

Subscribe to our Newsletter

Get Pure Alpha Straight to Your Inbox. Miss this, and you’re missing out. Insider Secrets - Delivered Right to You. Subscribe now.

Telegram