https://samczsun.com/escaping-the-dark-forest/

On September 15, 2020, a small group of people worked through the night to rescue over 9.6MM USD from a vulnerable smart contract. This is our story.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/9ad9b95d-9e48-4257-b949-820dcaf5b96b/109768371_xl.jpg

I was about to wrap up for the night when I decided to take another look at some smart contracts.

I wasn’t expecting anything interesting, of course. Over the past few weeks I had seen countless yield farming clones launch with the exact same pitch: stake your tokens with us and you could be the next cryptocurrency millionaire. Most were simply forks of well-audited code, although some tweaked bits and pieces, sometimes with catastrophic results.

But amidst all of the noise there was some code I hadn’t seen before. The contract held over 25,000 Ether, worth over 9,600,000 USD at the time, and would be a very juicy payday for anyone who managed to find a bug in its logic.

I quickly looked through the code for where Ether is transferred out and found two hits. One of them transferred the Ether to a hardcoded token address, so that could be ignored. The second was a burn function that transferred Ether to the sender. After tracing the usage of this function, I discovered that it would be trivial for anyone to mint tokens to themselves for free, but then burn them in exchange for all of the Ether in the contract. My heart jumped. Suddenly, things had become serious.
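To make the bug class concrete, here is an added illustration in Solidity. It is not Lien Finance's code and does not reproduce their contracts; the contract names, function names and the pro-rata payout formula are assumptions chosen to show the pattern described above: a burn function that pays Ether to the caller is only safe if every token it redeems was actually backed by Ether, so an unrestricted mint turns burn into a drain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (hypothetical contract, not Lien Finance's code).
// VULNERABLE: anyone can mint unbacked tokens, and burn pays out the
// contract's Ether in proportion to tokens burned. Mint a huge amount,
// burn it, and almost the entire balance is yours.
contract VulnerableEthToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Intended path: deposit Ether, receive one token per wei.
    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
        totalSupply += msg.value;
    }

    // BUG: no access control and no Ether backing the new tokens.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }

    // Redeem tokens for the matching share of the contract's Ether.
    // State is updated before the external call (checks-effects-interactions),
    // so the problem here is not reentrancy but unbacked supply.
    function burn(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 payout = (address(this).balance * amount) / totalSupply;
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        (bool ok, ) = msg.sender.call{value: payout}("");
        require(ok, "transfer failed");
    }
}

// The two-step sequence from the text: mint to self, then burn.
// Assumed attacker contract, written only to demonstrate the drain.
contract Drain {
    receive() external payable {}

    function run(VulnerableEthToken target) external {
        // Minting far more than the existing supply makes the attacker's
        // share of the payout approach 100% of the contract balance.
        uint256 amount = target.totalSupply() * 1_000_000;
        target.mint(address(this), amount);
        target.burn(amount);
        payable(msg.sender).transfer(address(this).balance);
    }
}

// HARDENED: only a designated minter may mint, and every minted token
// must be backed by Ether sent in the same call, so the supply can never
// exceed the Ether held and burn can pay out at most what was deposited.
contract HardenedEthToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public immutable minter; // assumption: the one trusted issuer

    constructor(address _minter) {
        minter = _minter;
    }

    function mint(address to) external payable {
        require(msg.sender == minter, "not minter");
        require(msg.value > 0, "unbacked mint");
        balanceOf[to] += msg.value;
        totalSupply += msg.value;
    }

    // One token redeems exactly one wei, so there is no share to inflate.
    function burn(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The practitioner's check when reviewing any contract that sends Ether to `msg.sender` is to trace every path that increases the balance being redeemed and confirm each one is either gated to a trusted caller or funded by an equal deposit; an invariant such as `totalSupply <= address(this).balance` holding after every state change is what the hardened version enforces and the vulnerable one does not.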

Some digging revealed that the contract I had found was part of Lien Finance’s protocol. Unfortunately, their team was anonymous! The only IM platform they supported was Telegram, and I couldn’t be sure that the admins of that channel were actually protocol developers or just a few early supporters. The last thing I wanted to do was accidentally leak the exploit to the wrong person.

After browsing their website a little while longer, I noticed that they had worked with ConsenSys Diligence and CertiK for an audit. This seemed like a good avenue, since both ConsenSys and CertiK must have interacted with the developers during their audits. I quickly pinged maurelian on Telegram.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/73a86d2c-120a-4bc5-93a4-e9a854052c20/image.png

You never want to be on the receiving end of this message

Unfortunately, time ticked on and my heart kept pounding, but there was no response from maurelian. It seemed like he had already gone to sleep. Desperate, I sent a message to the ETHSecurity Telegram channel.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/fee458c2-c882-4e88-b7bb-dbd74628952c/image-1.png

Artist's rendering of the message, since I deleted the original

Within minutes, I got a message from someone I’d worked with quite a few times in the past - Alex Wade.

My head had just hit the pillow when I got a knock on my door. It was my roommate: “Sam’s in the ETHSec Telegram asking for anyone from Diligence.”

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/25b682f7-b676-4202-ad0e-145c4fc270a8/image-2.png

It was, in fact, a long night

Knowing Sam, this couldn’t be good. I found a channel we’d set up with Lien a few months ago and an email address. Better than nothing, given their team was anon.