Notional received a critical bug report from a whitehat hacker and disabled the affected code in less than 1 hour.
The affected method is called enableBitmapCurrency. This method is not accessible via the Notional UI and must be called directly. It is currently disabled and will revert if called. The method enables an account to utilize a different portfolio structure than normal.
- An attacker would first enable their bitmap currency on their account, eg. ETH.
- They would then deposit a second currency into their account, eg. DAI.
- At this point, the system would recognize that a free collateral check would need to inspect both ETH and DAI assets and balances (at this point everything is working properly).
- They would then call enableBitmapForAccount a second time, switching their bitmap currency to DAI. Due to a logic error in the smart contract code, this would result in the system believing that it would have to check DAI twice in free collateral, effectively doubling the DAI collateral believed to be present in the account.
- At this point the attacker could borrow in significant amounts without sufficient collateral, giving them the ability to drain funds.
Notional submitted their code for audit by three independent audit firms. The affected code was present in all three of these audits. We also submitted our code for formal verification. The affected code was subject to a formal verification check explicitly designed to detect this particular vulnerability, but due to human error the check was not properly constructed and did not function as intended. Certora will issue a report detailing why that check did not work as intended in the coming days.
DefiDollar, a multichain DeFi protocol was able to stop an attack before it happened.
Nethermind built a system that detects when an Ethereum account is funded with ETH from Tornado Cash and deploys a contract. It then analyzes the events and notifies respective teams.