On 30 May 2023, the El Dorado Exchange (EDE) Finance project experienced a hack that resulted in a loss of 437,948 $USDC and 86,222 $USDT, equivalent to approximately $520,000 in value.
Attack Analysis
Here are the details related to the attack:
- Attacker’s address: 0x80826E9801420E19a948b8Ef477Fd20f754932DC
- Attacker’s contract: 0x6dd3d2fb02b0d7da5dd30146305a14190e6fb892
- Attack transaction: 0x72574fc0f85ed3c6fb78907fc938ce4d407817b1275bbd8b1ddc6de190550bf0
During the course of this transaction, the attacker successfully manipulated the prices of the tokens involved.
It should be noted that the contract at 0xD067e4B0144841bc79153874d385671Ea4c4e4DF is not open source. After decompiling the contract, the key function that was identified is as follows:
The attack exploited the “updateWithSig” function of the oracle contract, which normally requires authentication. In this case, however, the closed-source contract mentioned above served as the updater for the oracle contract. The attacker first invoked the “func_147d9322” function of the closed-source contract.
This function, in turn, called the oracle's “updateWithSig” function, which let the attacker manipulate the token prices. Subsequent transactions were then used to carry out the attack.
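The trust relationship described above can be modelled as follows. This is an added example, not EDE Finance's code or the decompiled contract: every contract and function name is hypothetical, `updatePrice` stands in for “updateWithSig” (whose real signature is not shown on this page), and the keeper address and 5% cap are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model with hypothetical names; not EDE Finance's code.
contract PriceOracle {
    address public immutable admin;
    mapping(address => bool) public isUpdater; // trusted updaters
    mapping(address => uint256) public price;  // token => price

    constructor() { admin = msg.sender; }
    function setUpdater(address u, bool ok) external {
        require(msg.sender == admin, "not admin");
        isUpdater[u] = ok;
    }

    // Stand-in for updateWithSig: authenticates only the immediate caller.
    function updatePrice(address token, uint256 newPrice) external {
        require(isUpdater[msg.sender], "not updater");
        price[token] = newPrice;
    }
}

// Weak: registered as updater, but anyone may call pushPrice, so the
// oracle's check passes for any caller-chosen price.
contract OpenForwarder {
    PriceOracle public immutable oracle;
    constructor(PriceOracle o) { oracle = o; }

    function pushPrice(address token, uint256 newPrice) external {
        oracle.updatePrice(token, newPrice);
    }
}

// Hardened: the forwarder authenticates its own caller and bounds the move.
contract GuardedForwarder {
    PriceOracle public immutable oracle;
    address public immutable keeper;                 // assumed trusted price feeder
    uint256 public constant MAX_DEVIATION_BPS = 500; // assumed 5% cap per update

    constructor(PriceOracle o, address k) { oracle = o; keeper = k; }

    function pushPrice(address token, uint256 newPrice) external {
        require(msg.sender == keeper, "not keeper");
        uint256 old = oracle.price(token);
        uint256 diff = newPrice > old ? newPrice - old : old - newPrice;
        require(old == 0 || diff * 10_000 <= old * MAX_DEVIATION_BPS, "deviation");
        oracle.updatePrice(token, newPrice);
    }
}
```

When reviewing an oracle, every address on its updater allow-list needs the same scrutiny as the oracle itself, because the oracle's authentication is only as strong as the weakest entry point of any registered updater.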
Post-Attack Events
After the attack, the attacker chose to return 86,222 USDT and 333,948 USDC, effectively giving back a portion of the stolen funds. However, they still managed to retain a profit of $100,000.
Lunaray Sec, the security auditing team responsible for evaluating EDE Finance’s security measures, has released a statement in response to the incident. They affirmed that EDE Finance had successfully passed their security audit and have initiated communication with the official team of EDE Finance.
However, Lunaray Sec acknowledged that the vulnerabilities exploited during the attack were not within the scope of their initial audit. It was further confirmed that the identified vulnerabilities have since been rectified by the EDE Finance team.
Final Thoughts
This security breach of EDE Finance highlights the critical importance of thorough and comprehensive smart contract audits. As a leading smart contract security audit company, we understand the gravity of such incidents and the potential risks they pose to both project owners and investors.
At our company, we prioritize the meticulous assessment of smart contracts to identify vulnerabilities and strengthen the security infrastructure of projects. We commend Lunaray Sec for their diligent security audit of EDE Finance, which validated the project’s security measures within the scope of their evaluation.
However, we also have to acknowledge that the attackers managed to exploit vulnerabilities that fell outside the initial audit scope. This especially highlights the need for a comprehensive and holistic approach to security audits that encompasses a wide range of potential attack vectors.
Protecting the integrity of decentralized finance ecosystems is our mission, and we strive to empower project owners with the knowledge and security measures needed to thwart potential attacks. Contact us today to ensure your project receives the highest level of security scrutiny and fortification through our smart contract audit services.