Try   HackMD

Update on Solidly v1 and Recent Attacks

What happened

Over the past few days the Solidly v2 team has performed a series of attacks on Solidly v1 rendering various aspects of Solidly v1 and Solidex inoperable. That said Your funds are safe.

The reason we've done this is to bring awareness to the fact that Solidly v1 and Solidex are susceptible to numererous attacks which anyone can perform. Developers of Soldily v2 have tried in the past discussing various attack vectors with both the Solidly v1 team and Solidex and have been met mostly with silence or denial.

As such, we believe the most responsible course of action is to demonstrate the attacks ourselves, such that the issues with Solidly v1 and Solidex can no longer be ignored.

We believe users of Soldily and Solidex deserve the straightforward truth: that many aspects of Solidly v1 and Solidex are broken beyond repair.

The following attacks were performed

1.) Denial of service (DoS) attack on the global gauge index for many pools

Results:

  • SOLID rewards cannot be claimed by anyone on the base layer
  • Solidex users are unable to deposit or withdraw their LPs (temporarily)

Notes:

  • Even before our attacks many Solidex users have discovered they are unable to withdraw their LPs, a problem which has been widely ignored by the Solidex protocol (0xDAO devs have been helping users withdraw from Solidex for the past 6 momths)
  • 0xDAO realized this issue early on and built in a protection mechanism to the protocol:
  • When the global gauge or bribe indexs are out of sync we withdraw funds into a local buffer to prevent withdrawal issues

2.) Perform a DoS attack on global bribe sync index for many pools

Results:

  • Users cannot claim bribes on the Soldily v1 base layer

3.) Demonstrate a new attack vector that allows any user to permanently brick any other user's ability to claim bribes for a specific NFT

Results:

  • Solidex users will never be able to claim bribes again for a small number of pools

Note:

  • This attack can be used in conjunction with several other exploits to drain all bribes for Solidly v1

4.) Utilize Solidex's NFT to perform a double spend bribe claim attack on Solidly base layer

Results:

  • Solidex rewards distributor gets double rewards
  • Some users are no longer able to claim bribes

Notes:

  • If we had performed this attack using another NFT Solidex users would in some cases be prevented from claiming fees (since the bribe contract does not have enough funds), in which case Solidex users would be unable to withdraw their LP

5.) Perform 51% attack on Solidly v1

Results:

  • All SOLID emissions go only to the fake JOKER/RETURNS pool
  • No one gets any SOLID emissions this week

Notes:

  • The Solidly v2 team has the ability to shut down all Solidly v1 emissions forever

Source code

We believe it is in the best interest of the community to share the source code for all attacks for a few reasons:

  • It's important for people to understand the issues with Solidly v1
  • It is better to be honest and up-front about all Solidly and Solidex issues than to pretend they don't exist

Code for attacks #1-3

https://ftmscan.com/address/0x86f6b698eb6e3769f9a649a8d3c2ca8f74f5a992#code

Code for attack #4

https://ftmscan.com/address/0x6ffa6a7589961c28ea1cc7aea4a17289b291d330#code

Other attack vectors

In addition to the attacks that were performed, there are other types of attacks that we could have performed but did not

Steal all Solidex votes

We've seen that for the past couple weeks Solidex vote's have been stolen by the ELITE team to direct all Solidex votes to the WFTM/ELITe pool

How it works

  • At 00:00:00 UTC upon the epoch change do the following (ideally atomiclly)
    • Call submitVotes() on Solidex voter
    • Vote for the pools you want on Solidex voter
    • Call update_period() on minter

Result

  • The majority of Solidex votes will be redirected to the pool of your choice

Cause Solidex voter to run out of gas and be unable to submit votes

How it works

  • Solidex voter allows users to vote for up to 50 pools
  • Voting for 50 pools uses roughly 10m gas (executing submitVotes has to be called from within a node in order to not run out of gas)
  • The gas amount needed to vote for a pool is different depending on whether the pool is new or not
    • This is because SSTORE costs more when changing storage slot values from zero to non-zero than from non-zero to non-zero
  • TLDR:
    • Make 50 new pools and vote for them
    • Solidex will no longer be able to submit votes as gas usage will cost around 13m and will run out of gas

Moving forward

  • We have temporarily repaired all pools
  • If your funds become stuck again on Solidex we've made a tool for you to unstuck your funds: https://solidly.com/repair
  • Anyone can attack Solidly v1 and Solidex at any time
  • If you keep your funds in Solidex there is a chance they could get stuck

0xDAO Burning their veNFT

0xDAO confirmed to burn their veNFT, so APRs on their platform will also be 0% going forward and thus there is no more usecase for oxSOLID and OXD on Fantom as of today. We recommend all oxSOLID and OXDv2 holders to immediately upgrade in order to retain token functionality and APRs in the future. The time-window of the migration will be closed soon.

How to upgrade

As outlined in our previous Medium article (https://medium.com/@seraph333/decf1033a05f), we took a deep dive into Solidly over the past 6 months, finding and fixing even many more issues than the ones listed above. You can upgrade all of your Solidly ecosystem tokens over on https://solidly.com, if you have any questions please join our Discord channel and we’ll be offering a helping hand.

Summary

  • We deeply respect the work of Andre and Anton
  • Although we have discovered many issues with Solidly v1, we respect and appreciate the innovation of Solidly
  • We will begin to share our findings and code over the next 6 months as we transition to Ethereum
  • We encourage everyone to migrate to Solidly v2 (which we will refer to as only "Solidly" from now on) moving forward
Last changed by 
c30
0
1878

Read more

Solidly Test Cases

Liquidity [ ] Create new pair [ ] Add liquidity using two ERC20 tokens [ ] Add liquidity using FTM and ERC20 [ ] Withdraw liquidity using two ERC20 tokens [ ] Withdraw liquidity using FTM and ERC20 [x] Stake LP [x] Staked amount updates

Nov 22, 2022
Remaining UI Work

[ ] Update all inputs to not be pitch black Not this Instead [ ]

Nov 10, 2022
Protocol classes (with forks)

Lending & Borrowing Compound (Cream, Scream, DOLA) Fixed forex Aave (Geist) Maker (Abra, Unit, Liquity) Not true 1:1 forks, but similar in spirit

Jun 4, 2022
Untitled

Solidly Upgrade After careful consideration and a thorough investigation of all known bugs and issues with Solidly, we have come to the conclusion that it’s in the best interest of the community and the ecosystem as a whole to fix all existing issues -- culminating in a fork of the original Solidly code. Our goal is to maximize the value to all stakeholders of the current Solidly ecosystem and to transform Solidly into the #1 exchange in crypto. Additionally, Solidly will serve as a deep liquidity pool and as a secondary market for upcoming Deus Finance products, including forex pairs, derivatives, synthetics, futures, options and stocks. We have garnered support of both Solidex and 0xDAO, who support this upgrade in the strongest terms possible. The key issues with the current Solidly implementation that we are addressing are:

Apr 13, 2022
Read more from c30
Published on HackMD