Re-entrenter the vulnerability again? Analyze the attack on Stars Arena

background

According to the security warning of the Slow MistEye system, on October 7, 2023, the Stars Arena, the Avalanche on-chain social protocol, was attacked, resulting in a loss of about $2.9 million. The Slow Mist security team briefly analyzed the attack and shared the results below.

Related information

Attacker Address:

Attack Contract:

Attack Trade:

Attack core

An attacker exploits a reentrancy vulnerability to tamper with the price corresponding to his deposit share. Subsequently, when selling, similar price manipulation is caused by the reliance on the malicious manipulation of price calculations. By precisely calculating the share price updated on reentrant, the attacker steals the funds in the contract.

Transaction analysis

We can find that there is a reentrancy call in the attack transaction, and we analyze the call method step by step by decompiling the code.

! [Re-entrancy again?] Analysis of the attack on Stars Arena] (https://img-cdn.gateio.im/webp-social/moments-69a80767fe-98a298d9bb-dd1a6f-69ad2a.webp)

The attacker first creates an attack contract (0x7f283 and 0xdd9af), calls the 0xe9ccf3a3 method of the Stars Arena: Shares contract through the attack contract, and then deposits 1 AVAX token.

! [Re-entrancy again?] Analysis of the Stars Arena attack] (https://img-cdn.gateio.im/webp-social/moments-69a80767fe-fccaa140dd-dd1a6f-69ad2a.webp)

According to the step-by-step trace of the decompiled code, the 0xe9ccf3a3 method used first by the attacker is a deposit-like function that calls the 0x326c and 0x2058 methods. The 0x326c method is a call that is returned only as a parameter, while the 0x2058 method is similar to a function that handles the purchase or exchange of some kind of token, and the method uses the amount and address of the AVAX tokens passed in by the 0xe9ccf3a3 to calculate the next operation and the calculation of shares and fees.

! [Re-entrancy again?] Analysis of the Stars Arena attack] (https://img-cdn.gateio.im/webp-social/moments-69a80767fe-9279aef172-dd1a6f-69ad2a.webp)

Following the call logic of line 92 of the 0x2058 method, it can be found that the 0x1a9b method is a calculation function, and the calculated result is a value similar to the price, and its return value is the newly calculated v24 / 0xde0b6b3a7640000 or _initialPrice.

The next 109, 110, and 116 lines of the 0x307c and 0x30ef methods have a call to low-level call, and the 0x30ef call is still an external call to g1, that is, the incoming 0xdd9af attack contract address. The function does not have a reentrant-lock constraint, and after the outer call is executed, this method will only execute the subsequent if judgment to update the field0.length and field0 parameters. There is no doubt that reentrancy is happening here.

! [Re-entrancy again?] Analysis of the Stars Arena attack] (https://img-cdn.gateio.im/webp-social/moments-69a80767fe-3c9611d0bb-dd1a6f-69ad2a.webp)

Let's look at the data that the attacker constructs in the reentrancy call.

! [Re-entrancy again?] Analysis of the attack on Stars Arena] (https://img-cdn.gateio.im/webp-social/moments-69a80767fe-ce911c42e9-dd1a6f-69ad2a.webp)

The reentrancy outside calls the 0x5632b2e4 method and passes in four parameters constructed by the attacker, which convert 153005ce00 to 910000000000 by decimal.

As mentioned above, the external call to the 0x5632b2e4 method is executed before the if(g0 == _getMyShares[address(g1)][msg.sender]) judgment. At this time, the field0.lengt value is 0 and is not updated. In this way, the attacker bypasses the judgment in the 0x5632b2e4 method and modifies the state of the following four parameters of msg.sender, that is, the attack contract 0xdd9af, to be constructed when the external call is made.

! [Re-entrancy again?] Analysis of the Stars Arena attack] (https://img-cdn.gateio.im/webp-social/moments-69a80767fe-53695512db-dd1a6f-69ad2a.webp)

After doing this, the attacker called sellShares to sell his share, obtaining 266,102.97278 AVAX.

! [Re-entrancy again?] Analysis of the attack on Stars Arena] (https://img-cdn.gateio.im/webp-social/moments-69a80767fe-54e5a2f231-dd1a6f-69ad2a.webp)

Going deeper into the sellShares function, the function initially calls the 0x1a9b method, which was called in the previous 0x2058 method, which is a function that handles the purchase or exchange of some kind of token. We can see that the 0x2329 method in the 0x1a9b method updates the owner_9f[g0] , and this parameter has been modified to 910000000000 constructed by the attacker on reentrancy.

! [Re-entrancy again?] Analysis of the Stars Arena attack] (https://img-cdn.gateio.im/webp-social/moments-69a80767fe-60823d09ab-dd1a6f-69ad2a.webp)

Back in the 0x1a9b method, recalculate based on the previously maliciously constructed value (see note for calculated amount).

! [Re-entrancy again?] Analysis of the attack on Stars Arena] (https://img-cdn.gateio.im/webp-social/moments-69a80767fe-764b869b64-dd1a6f-69ad2a.webp)

After the above calculation, the price corresponding to the newly calculated share has changed, and the result is 274,333.061476814e18. After a series of fees are charged, the attacker uses malicious constructs to manipulate the price without modifying the share, sell the share, and successfully make a profit.

Summary

At the heart of this attack is the price calculation dependency update caused by the reentrancy attack, which leads to similar malicious price manipulation. The Slow Mist security team suggests that the project team should try to be audited by multiple security companies before deploying the contract. At the same time, when coding, it should meet the Checks-Effects-Interactions coding specification as much as possible, and add anti-reentrancy locking.