- Metapools paused due to the exploit have been redeployed as V2 pools and are live for deposits, withdrawals, and swaps
- No LP funds were lost to the exploit
- Metapool LPs need to take action to migrate their liquidity to respective V2 metapools (on saddle.exchange)
Metaswap attacker using Synapse stopped by quick action
On November 6 at 11:40 am EST, Socrates from Synapse Protocol contacted Sunil on Telegram. One of the team’s contributors had noticed a bad actor taking advantage of a bug in Synapse’s Avalanche nUSD metapool.
The exploit was possible due to a missing virtual price check in the _calculateSwap() function of the Saddle Metaswap implementation (used by the Synapse AMM). This allowed the attacker to continuously swap from one asset to another within the same metapool without compensating for the liquidity removal in the first asset. A total of $8.2 million nUSD was drained from the pool, and the virtual price for nUSD within the pool was depegged and dropped by 12.5%.
By 11:52 am the Saddle Multisig had been alerted and at 5:23 pm the tBTC v2 metapool was paused to prevent similar issues. Saddle worked with the Synapse team to diagnose the problem and begin implementing a fix for the vulnerability.
Although funds were drained from the metapool, the attacker was unable to exit: they attempted to withdraw funds using the (same) Synapse bridge and were stopped by network validators. Synapse assured users in their post-mortem that the $8.2 million nUSD will be returned to the affected liquidity providers.
For a detailed post-mortem, see Synapse’s report on the incident here.
For a deeper and more technical look into the attack, see BlockSec’s report here.
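The drain described above was visible on-chain as a sharp fall in the pool's virtual price. As an added example (not Saddle's or Synapse's code), the following Python monitor computes virtual price from pool snapshots with the standard StableSwap invariant and flags sudden drops. The amplification value, the alert threshold, the simplified invariant (no amplification precision factor) and all snapshot numbers are assumptions constructed for illustration.

```python
# Added illustration: virtual-price monitor for a StableSwap-style pool.
# Simplified invariant (no amplification precision factor); snapshots are constructed.
PRECISION = 10**18
E = 10**18  # one token with 18 decimals

def get_d(balances, amp):
    """Newton iteration for the StableSwap invariant D (positive, 18-decimal balances)."""
    n, s = len(balances), sum(balances)
    if s == 0:
        return 0
    d, ann = s, amp * n
    for _ in range(255):
        d_p = d
        for x in balances:
            d_p = d_p * d // (x * n)
        prev = d
        d = (ann * s + d_p * n) * d // ((ann - 1) * d + (n + 1) * d_p)
        if abs(d - prev) <= 1:
            break
    return d

def virtual_price(balances, lp_supply, amp):
    """Value of one LP token in units of the pegged asset, scaled by 1e18."""
    return get_d(balances, amp) * PRECISION // lp_supply

def find_drops(snapshots, amp, max_drop_bps=100):
    """Return (label, drop_bps) for each snapshot whose virtual price is more
    than max_drop_bps below the highest value seen so far."""
    alerts, high = [], 0
    for label, balances, lp_supply in snapshots:
        vp = virtual_price(balances, lp_supply, amp)
        if high and vp < high:
            drop_bps = (high - vp) * 10_000 // high
            if drop_bps > max_drop_bps:
                alerts.append((label, drop_bps))
        high = max(high, vp)
    return alerts

# Constructed snapshots: (label, [token balances], LP total supply)
SNAPSHOTS = [
    ("block-1", [1000 * E, 1000 * E], 2000 * E),       # balanced pool, price 1.0
    ("block-2", [1010 * E, 9905 * E // 10], 2000 * E),  # ordinary swap, small fee accrual
    ("block-3", [1000 * E, 750 * E], 2000 * E),         # value left the pool, no LP burned
]

if __name__ == "__main__":
    for label, drop in find_drops(SNAPSHOTS, amp=100):
        print(f"ALERT {label}: virtual price down {drop} bps from its high")
```

In a healthy pool the virtual price only rises as fees accrue, so any meaningful decrease is a signal worth paging on or wiring to a pause procedure.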
Migrating to V2 metapool and next steps
Saddle LPs need to take action to migrate to the corresponding V2 metapool. Steps:
- If your tBTC metapool LP tokens are staked, first go to the Keep dashboard to unstake your position (from TBTC V2 + SADDLE)
- Find your tBTC metapool on the Saddle pools page; it’ll be labeled as Outdated
- Click on Migrate
- UPDATE: As of 01/07/2022, KEEP rewards have been migrated to this V2 metapool, so you'll probably want to go back to the Keep dashboard and stake your new LP tokens to earn rewards (in TBTC V2 + SADDLE Meta V2)
After Saddle’s post-mortem, we’ve taken a few action items to make sure our users and collaborators are protected:
- Increased the size of our Gnosis Safe multisig from a 3/5 to a 3/7, adding Aurelius from Synapse and Scoopy from AlchemixFi to improve our response time
- Created a Telegram group for teams using Saddle code for faster comms
- Prioritized formal verification of smart contracts with Certora
- Paid out a $50,000 Immunefi bug bounty to the vulnerability discoverer
A win for the Saddle community and OSS
The incident provided a valuable opportunity to strengthen Saddle’s security and that of projects that rely on its codebase. Altogether, this was the best of all possible outcomes: None of Synapse’s LPs lost funds in the exploit and we were able to improve our Metaswap implementation to make it safer.
Thwarting the attacker and fixing the vulnerability showed how multiple projects and users of different DeFi protocols can benefit equally from each other, thanks to open-source code (OSS) and collaboration. Improvements made in one codebase help to make better products across a whole ecosystem, once again proving the benefits of Web3’s composability.
Learn more about Saddle’s partners and ecosystem here.