Bond Olympus DAO

Total Losses: $300.0K+
Date:
Network:
Categories: data validation

Step-by-step
- Craft and deploy a contract so that it passes the requirements.
- Call `redeem` with the malicious contract as the `token_`.
Detailed Description
The attack relies on an arbitrarily supplied `token_` parameter: `redeem` accepts any address as the bond token and never checks that it was issued by the teller. The attacker simply needs to construct a malicious contract and pass it as `token_`. Most importantly, when its `_underlying()` method is called, it should return a token that the victim contract has been permitted (approved or holds directly) to move funds from.
```solidity
function redeem(ERC20BondToken token_, uint256 amount_)
    external
    override
    nonReentrant
{
    if (uint48(block.timestamp) < token_.expiry())
        revert Teller_TokenNotMatured(token_.expiry());
    token_.burn(msg.sender, amount_);
    token_.underlying().transfer(msg.sender, amount_);
}
```
The attacker chose to set `_underlying()` to the OHM address.
Luckily for the DAO, the attacker was a whitehat who later returned the funds.
Possible mitigations
- Implement a whitelist of allowed tokens.
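The following is an added illustration of that mitigation; it is not Bond Protocol's or Olympus DAO's code. It shows a minimal teller that only deploys its own bond tokens and records them in a `bondTokens` mapping, so `redeem` rejects any `token_` the teller did not create. The `IERC20`/`IBondToken` interfaces, the `BondToken` contract, the `bondTokens` mapping, the `Teller_UnknownBondToken` error and the simple reentrancy guard are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Bond Protocol code. Interface names, BondToken,
// the bondTokens mapping and the custom errors are assumptions.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IBondToken {
    function expiry() external view returns (uint48);
    function underlying() external view returns (IERC20);
    function burn(address from, uint256 amount) external;
}

// A bond token that only its deploying teller may mint or burn.
contract BondToken is IBondToken {
    IERC20 public immutable underlying;
    uint48 public immutable expiry;
    address public immutable teller;
    mapping(address => uint256) public balanceOf;

    constructor(IERC20 underlying_, uint48 expiry_) {
        underlying = underlying_;
        expiry = expiry_;
        teller = msg.sender;
    }

    modifier onlyTeller() {
        require(msg.sender == teller, "not teller");
        _;
    }

    function mint(address to, uint256 amount) external onlyTeller {
        balanceOf[to] += amount;
    }

    function burn(address from, uint256 amount) external onlyTeller {
        balanceOf[from] -= amount; // reverts on underflow in 0.8.x
    }
}

contract HardenedTeller {
    error Teller_TokenNotMatured(uint48 expiry);
    error Teller_UnknownBondToken(address token);

    // Whitelist: only tokens this teller itself deployed are trusted.
    mapping(address => bool) public bondTokens;

    // Minimal reentrancy guard standing in for the original nonReentrant.
    bool private locked;
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // The only path that adds to the whitelist: the teller deploys the token.
    function createBondToken(IERC20 underlying_, uint48 expiry_) external returns (BondToken token) {
        token = new BondToken(underlying_, expiry_);
        bondTokens[address(token)] = true;
    }

    // Deposit underlying, receive bond tokens 1:1 (pricing omitted).
    function purchase(BondToken token_, uint256 amount_) external nonReentrant {
        if (!bondTokens[address(token_)]) revert Teller_UnknownBondToken(address(token_));
        require(token_.underlying().transferFrom(msg.sender, address(this), amount_), "transferFrom failed");
        token_.mint(msg.sender, amount_);
    }

    function redeem(IBondToken token_, uint256 amount_) external nonReentrant {
        // The fix: reject any token_ that this teller did not create, before
        // calling into it. An attacker-supplied contract never reaches
        // underlying(), so it cannot name OHM (or any other held asset).
        if (!bondTokens[address(token_)]) revert Teller_UnknownBondToken(address(token_));

        if (uint48(block.timestamp) < token_.expiry())
            revert Teller_TokenNotMatured(token_.expiry());

        token_.burn(msg.sender, amount_);
        // underlying() now belongs to a teller-created token, so it is the
        // asset actually deposited for that bond.
        require(token_.underlying().transfer(msg.sender, amount_), "transfer failed");
    }
}
```

The check on `bondTokens` is placed before any external call into `token_`, so an untrusted contract is rejected without ever executing its code. For detection, a monitor can flag `redeem` calls whose `token_` address was never emitted by the teller's own token-creation transactions.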