February ‘24 Incident: Post-mortem, Mitigation & Remediation

Affine DeFi
5 min read · Feb 13, 2024

Affine Protocol’s Boosted ETH Staking basket on Ethereum Mainnet faced a sophisticated flashloan attack on February 1, 2024. The hacker was able to exploit our experimental strategy contract in public beta and take 38.93 ETH from the contract by forcing it to receive a flashloan.

The core team has since made active efforts to recoup the funds and has developed a remediation plan for the affected users. This article provides a post-mortem of the incident together with the mitigation and remediation plans that follow from it. We appreciate the community for their continued support through this incident.

Incident Summary

The attacker took advantage of a flashloan callback function in the strategy contract. Because the callback was externally facing and permissionless, the attacker was able to force the strategy contract to receive a flashloan, which in turn forced the contract to liquidate its position and send the funds to the address specified in the callback.

Exploit Txn: https://etherscan.io/tx/0x03543ef96c26d6c79ff6c24219c686ae6d0eb5453b322e54d3b6a5ce456385e5

Response

Our first response was to immediately pause all vulnerable vaults, including Boosted MATIC Staking (10x) and Boosted ETH Staking, and withdraw funds from their respective strategy contracts to close off the attack vector. Because the attack vector relied on exfiltrating funds from the strategy contract, withdrawing funds back to the secure vault rescued all of the vulnerable funds in the Boosted MATIC Staking strategy.

The core team also joined a “war room” where we could communicate and seek help from various partners, security professionals, and stakeholders. This group was invaluable in keeping a clear line of communication with our community. We especially appreciate help from teams such as seal911, SphereX, and offside labs.

Affine then posted a series of tweets and Discord announcements updating the community on the exploit and our findings.

Exploit Costs

Only the Boosted ETH Staking basket was affected; the MATIC funds were saved thanks to the team’s quick response.

Strategy Address: 0xcd6ca2f0d0c182c5049d9a1f65cde51a706ae142

Losses: 38.93 ETH

Fund Recovery Attempts

On Feb-01-2024 01:56:35 PM UTC, the Affine team sent an on-chain message to the hacker and to the wallet they offloaded the funds to.

https://etherscan.io/tx/0x8b0cf1019933e0f8bd51ad29158c2cc11a21cef2f6771d997b561eb86be70d96

https://etherscan.io/tx/0xf30607c1292e3480bf4cb5557548bccead01faaebc1eda0ddcfb07eb6d7191e3

On Feb-02-2024 03:05:35 PM UTC, the team sent subsequent messages as a last warning to the hacker.

https://etherscan.io/tx/0xe2203fcb1db5560150e2f89d2ebd3c479460fda3628cf67ab6165ccba48edfa2

Mitigation

Although we already have a design codebook in place for our contract review and design processes, we’re implementing a more stringent playbook in specific areas to enhance our procedures. Additionally, we’re introducing a tiered audit by Total Value Locked (TVL) cap limit, which will expedite our ability to identify product-market fit.

Contract Design:

  • Implementing a significantly stricter playbook for contract access control, including no outside access except through designated methods and no asset transfers outside of the system.
  • Any external call in the system should be checked end to end for asset transfers under all possible conditions.
  • Setting up asset approvals as required.
  • Introducing access-controlled fund transfers within the system through a fixed address list.
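As an added illustration (not Affine’s contract or its audited fix), the following constructed Solidity sketch shows how the access-control rules listed above close the callback weakness described in the Incident Summary: the callback is honoured only from the known lender, only for a loan this contract itself initiated, and the only outbound transfer path is a fixed vault address. The lender interface and the `rebalance`/`returnToVault` entry points are hypothetical simplifications of the ERC-3156 borrower pattern.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration (assumption): a minimal ERC-3156-style lender interface.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}
interface IFlashLender {
    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data) external;
}

contract HardenedStrategy {
    address public immutable vault;       // only address allowed to drive the strategy
    IFlashLender public immutable lender; // only address allowed to invoke the callback
    bool private inFlashLoan;             // true only while a loan we requested is open
    error NotVault();
    error NotLender();
    error UnexpectedCallback();

    constructor(address _vault, IFlashLender _lender) { vault = _vault; lender = _lender; }

    // Only the vault may start a flash loan; the flag records that this contract asked for it.
    function rebalance(address token, uint256 amount, bytes calldata data) external {
        if (msg.sender != vault) revert NotVault();
        inFlashLoan = true;
        lender.flashLoan(address(this), token, amount, data);
        inFlashLoan = false;
    }

    // The callback is honoured only from the known lender and only for a loan this
    // contract initiated; no destination address is ever read from callback data.
    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata)
        external returns (bytes32)
    {
        if (msg.sender != address(lender)) revert NotLender();
        if (!inFlashLoan || initiator != address(this)) revert UnexpectedCallback();
        // position management would go here; repayment is the only approval granted
        IERC20(token).approve(address(lender), amount + fee);
        return keccak256("ERC3156FlashBorrower.onFlashLoan");
    }

    // The single outbound transfer path: assets can go back to the vault, nowhere else.
    function returnToVault(address token) external {
        if (msg.sender != vault) revert NotVault();
        IERC20(token).transfer(vault, IERC20(token).balanceOf(address(this)));
    }
}
```

A callback with none of the three checks (caller, initiator, in-progress flag) is the permissionless pattern the post-mortem describes; a reviewer following the checklist above would flag any external entry point that can move assets to a caller-supplied address.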

Code Review:

  • While we already conduct regular internal code reviews, we are now enforcing them with a rigorous playbook checklist covering access control and fund transfer requirements.
  • These reviews must be completed before any contract deployment.

Tiered Audit:

  • Each vault will now have a TVL cap, gradually increased over time. With each increase in TVL cap, more thorough audits will be conducted beforehand.
  • TVL < 20K: Internal code review and audit.
  • TVL < 50K: External audit conducted by an independent auditor outside of the Affine Engineering team. Bug bounty program initiated.
  • TVL < 100K: Audit and review performed by an independent team, with the audit report and team details published.
  • TVL > 200K: Official audit initiated, followed by incremental updates to the cap (e.g., 1M, 2M …).

We will publish our new enhanced security practice guideline for the community in a week. We are primarily investing in:

  a) putting stricter access control on fund movements
  b) continuous audits and a community bug bounty
  c) three levels of audit, based on TVL, so that we can move fast while providing adequate safety for our users.

Remediation Plan

We want to express our apologies to the community: we let you down, and users lost funds due to this unexpected incident. We are determined to do right by our users by compensating them for their losses.

Our plan for compensation will be the following:

  1. All affected users and the values they lost will be posted here.

  2. We are announcing two refund plans for users to choose from:

     Early Refund: at least 60% of the affected funds will be refunded from the Affine Treasury within the next month (by March 15, 2024).

     100% Refund: 100% of the affected funds will be refunded within 1 year (by February 11, 2025) in 4 payments made at the end of every 3 months.

  3. Affected users will be able to choose their refund plan from this protocol page: app.affinedefi.com/boosted-eth-refund

  4. If the funds are recouped, all affected users will receive a proportionate share of the recovered funds in ETH.

To help users receive support and updates, we have opened a dedicated Discord channel for the incident: https://discord.gg/NHK2YS7N

Moving Forward

Moving forward, as a team, we will place a much greater emphasis on safety in all areas of the code, including both smart contracts and off-chain bots. We will have much more thorough checks and review procedures to ensure this mistake is not repeated.

We understand that anything short of immediate full recovery may be a disappointment to those affected; however, we are absolutely determined to do right by our users and partners by providing a remedial solution that will ensure public confidence in Affine.

As a final note, we want to thank all our users, partners, and stakeholders for sticking with us through the most difficult of times. Words cannot express how grateful we are for the outpouring of support we received. The team is more motivated than ever to continue the success of Affine and our community.

FAQ

Are the other baskets safe?

Yes. The other baskets have been reviewed and were not affected in this incident.

Is the Boosted MATIC Staking Basket safe?

Yes. The Boosted MATIC Staking Basket was re-audited and code-reviewed by external auditors after the attack and is now fully operational.

Where can I get the refund?

You can choose your refund plan here: app.affinedefi.com/boosted-eth-refund

What are the refund plans?

You can choose from two options: Early Refund (at least 60% returned within 1 month) and 100% Refund (100% refunded in 4 quarterly installments over 1 year).

Why not compensate all the victims immediately?

We want to take the time to try to recoup the funds, and for the refund we want to follow an approach that is standard in the industry.

When can affected users expect to be fully reimbursed?

If you choose the “Early Refund” option, you can expect at least 60% refunded within 1 month.

If you choose the “100% Refund” option, you can expect to be fully reimbursed within 1 year (by February 11, 2025).

In either case, if any lost funds are recouped, you will be refunded proportionately according to your share in the pool.

Why is the KYC needed?

KYC is essential to prevent legal liabilities that may arise if the refunded assets (ETH) are used for illicit activities. The core team mandates KYC to ensure a secure and compliant refund process. Affine Labs, its subsidiaries, and its affiliates will never sell or share this data with third parties unless requested by law enforcement authorities.
