Potential Vulnerability — Disclosure (2021-11-18)

Summary

  • This vulnerability could have put funds of Idle Protocol’s integrators at risk. It was not exploited. Deposits in Idle protocol have always been safe.
  • A mitigation plan is already in place and the issue removal procedure will be effective next week with IIP-17.
  • All funds are safe. No action is required by partners or users.

Background

William, from Dev League, promptly checked the feasibility of the attack, and with the rest of the team immediately initiated the Pause Guardian procedure to dampen any possible malicious outcome on the partners’ side. This procedure mitigated the issue (ETH tx, Polygon tx1, Polygon tx2) on the affected pools. The `deposit` and `rebalance` functions have been temporarily paused on Ethereum, while `redeem` is still available. More details about the Pause Guardian procedure can be found here.

On Polygon, Leagues updated the contracts via multisig, permanently removing the Flash Loan functionality. Polygon strategies are already fully operational and there are no potential drawbacks on the integrations’ side.

Within the subsequent hours, the Treasury League initiated the vulnerability management policy and informed all Idle integration partners. Subsequently, it disclosed the findings via Idle communication channels.

Details of vulnerability

  1. Target an Idle integrator that uses Idle’s `tokenPrice` as a price feed for determining its vault token value
  2. Call `flashLoan()` on the IdleTokenGovernance contract to temporarily withdraw the IdleToken’s underlying token supply. `tokenPrice()` now returns a significantly lower value, because it depends on the contract’s balance, which is now out on the flash loan
  3. Mint vault shares from Idle integrator, now at a cheap value due to the reliance on `tokenPrice`
  4. Return the flash loan amount minus the fee (`tokenPrice` is now back to the normal value)
  5. Redeem vault tokens from integrator for profit
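The balance dependence in step 2, together with the two mitigations described under Background (flash loan removed on Polygon; deposit and rebalance paused while redeem stays open on Ethereum), modeled as an added Python example. This is a constructed toy model, not Idle’s contract code; `IdleTokenModel`, `price_timeline`, the 18-decimal scaling and the sample balances are assumptions.

```python
from dataclasses import dataclass
PRICE_SCALE = 10**18  # tokenPrice scaled like an 18-decimal underlying

class Paused(Exception):
    """deposit/rebalance are paused by the Pause Guardian."""

class FlashLoanRemoved(Exception):
    """flashLoan has been removed from this deployment."""

@dataclass
class IdleTokenModel:
    """Constructed toy model of the balance-dependent tokenPrice; not Idle's code."""
    underlying_balance: int          # underlying tokens held by the contract
    total_supply: int                # IdleToken supply
    flash_loan_enabled: bool = True  # Polygon mitigation: set False for good
    deposits_paused: bool = False    # Ethereum mitigation: Pause Guardian

    def token_price(self) -> int:
        # Derived from the contract balance, so a flash loan that drains
        # the balance mid-transaction moves the price with it.
        return self.underlying_balance * PRICE_SCALE // self.total_supply

    def deposit(self, amount: int) -> int:
        if self.deposits_paused:
            raise Paused("deposit is paused")
        minted = amount * PRICE_SCALE // self.token_price()
        self.underlying_balance += amount
        self.total_supply += minted
        return minted

    def redeem(self, shares: int) -> int:  # stays available while paused
        out = shares * self.token_price() // PRICE_SCALE
        self.underlying_balance -= out
        self.total_supply -= shares
        return out

    def flash_loan(self, amount: int, borrower, fee: int = 0) -> None:
        if not self.flash_loan_enabled:
            raise FlashLoanRemoved("flashLoan removed")
        self.underlying_balance -= amount  # balance leaves the contract...
        borrower(amount)                   # ...and tokenPrice is read here
        self.underlying_balance += amount + fee

def price_timeline(idle: IdleTokenModel, loan: int) -> list:
    """tokenPrice observed before, during and after a flash loan."""
    seen = [idle.token_price()]
    idle.flash_loan(loan, lambda _: seen.append(idle.token_price()))
    seen.append(idle.token_price())
    return seen
```

Any integrator that reads `tokenPrice()` inside the borrower callback window sees the middle value of the timeline, which is the reading the attack in steps 2 and 3 relies on; with `flash_loan_enabled=False` that window no longer exists.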

Details of fix

A more in-depth analysis will be made in the future on a possible fix that would allow flash loans to be offered in the Idle protocol without creating similar issues.

Fix code and implementations can be found in IIP-17 on our governance forum.

Bug Bounty

We would also like to give credit to the Harvest team for their responsiveness in sharing ideas and analysis regarding the vulnerability and possible outcomes.
