@developerfred
Forked from ethedev/govattack-0722.md
Created July 9, 2022 21:32

We noticed an attack on governance (July 9th 2022)

Thanks to the ping from trent, samczsun and yambot.

Attacker

https://etherscan.io/address/0x4429abbf523bef0f1e934b04cff8584955c72548

Brief details

attacker uses multiple addresses

  • https://etherscan.io/address/0x4429abbf523bef0f1e934b04cff8584955c72548
  • https://etherscan.io/address/0x0de41bdc58ffaf4a8c1b7084a544fbbe10a9de56
  • https://etherscan.io/address/0x3c749d3fce03ee5d7ff43ff09c9e07e9807e51f0
  • https://etherscan.io/address/0x0946969bc3be7e9b436a399c55dd3ffb029b0e95

malicious contract (interacts with yam, yam gov, yam incentivizer, sushi lp) https://etherscan.io/address/0x15515330e7c003dd4594b737165f2bf2ee671d82

200 eth in to their main address https://etherscan.io/tx/0xb4a367c30588dbb18ecb3845e665a66a298568e9a31d185eb581f1718ce15643

1- normal activity (few days ago)

actor https://etherscan.io/address/0x0de41bdc58ffaf4a8c1b7084a544fbbe10a9de56

they get yam then add liquidity on sushiswap and stake

  • https://etherscan.io/tx/0x5dd604226553d677430f2cb5fa6e72b36cb6d9cd52f3c187be7bb31e7fdfe54f
  • https://etherscan.io/tx/0x2fd4736f3c17ada5e13dd85e3a0c3f281c88d772457153cc53a35158a0ba3f87
  • https://etherscan.io/tx/0xbc14be9b7c5cff1c29522fb176fcd7218f929c866a792f8be4bb0944ad18466d

they get rewards https://etherscan.io/tx/0xf5279cb69c38a549466b7ab9d973f1f795fad124133981e427708f1396c3fed4

they exit stake and remove liquidity

  • https://etherscan.io/tx/0x88ab30caf14729d6ee7f3a70a60b8c00b4a0514addd523bfce702f075569ea15
  • https://etherscan.io/tx/0xa0525aac2ed0c46c2a77c01ed15a88cdfee3dbc53939b6f563c54399eff86262

they swap yam to eth

  • https://etherscan.io/tx/0xf5dbd43952c79e991569f3923d4a656d35f1cbc6ea89e6d938b2fc50d6a0ede3
  • https://etherscan.io/tx/0xa9261bbcdabb806e1f436e1789e5acc320573cb98f16416f220f05d1fcf8c212

2- semi-normal activity (recently)

actor https://etherscan.io/address/0x3c749d3fce03ee5d7ff43ff09c9e07e9807e51f0

they get yam then add liquidity on sushiswap

  • https://etherscan.io/tx/0xaaa99de0c4055dcdfac1ccf7764bd5c952cba5ec9e371e77d3a13db7791e8bc8
  • https://etherscan.io/tx/0x12e177d5b1a99d2a9ff244b09a4cff3b7c0adf22d74d0857cdda355bec1ad0e7

they transfer the ownership of their stake to the contract https://etherscan.io/tx/0x0040285be4c3f184019e33f503b16f693053f72cef527ad5bf637659f4e4f29b

3- suspicious activity (recently)

actor https://etherscan.io/address/0x0946969bc3be7e9b436a399c55dd3ffb029b0e95

creates malicious contract https://etherscan.io/tx/0x4bdd2ed7b9e560ed1e690ffa7cf9f5467f09460af098bdd970031ec2a3b8769c

they delegate to the contract https://etherscan.io/tx/0x20a6153ccd11b3129be7539c13d1bacc624abf94ff07b2b46887cf6888abc9d5

they deposit into lp and stake https://etherscan.io/tx/0x44c4304bf9f35e9ce71857a91e130bbae3bd6ca77ed1c1dcbabaa65bd78028b6

while in the pool they propose the deployed malicious proposal

  • https://etherscan.io/tx/0xc5e4dcfa927d099ffd12de2d6d5fb6ebb2d6ba2d6522a9adc36b5196e0ca0391#eventlog
  • https://etherscan.io/address/0x15515330e7c003dd4594b737165f2bf2ee671d82

they vote on it with 224739 YAM, quickly hitting quorum https://etherscan.io/tx/0x60a4f4020bae19044eabfa2be0518a489935d285dddced5c5a01d335fc95caf3

they transfer the lp stake back to the actor address in 1- (who then exits, swapping yam out to eth) https://etherscan.io/tx/0x7c517ee1f9a177a7282c3f0c9da27ffd029f8ee373298883811294e69c9d5668
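
A defender-side triage heuristic for the pattern in 3- (voting power staked shortly before a proposal, one vote that reaches quorum, stake moved out afterwards), as an added example that is not part of the original gist. The event schema, address labels, block numbers and the `QUORUM` and `WINDOW` values are assumptions; only the 224739 YAM vote size comes from the write-up.

```python
from dataclasses import dataclass

@dataclass
class Event:
    block: int
    kind: str        # "gain" (stake/delegation received), "propose", "vote", "exit"
    who: str         # address label of the account whose power changes or acts
    amount: int = 0  # voting power in whole tokens

QUORUM = 200_000   # assumed value for the sample, not the protocol's real quorum
WINDOW = 7_000     # assumed "recent" window in blocks (roughly one day)

def triage(events):
    """Return the red flags raised by the first proposal found in `events`."""
    events = sorted(events, key=lambda e: e.block)
    prop = next((e for e in events if e.kind == "propose"), None)
    if prop is None:
        return []
    mine = [e for e in events if e.who == prop.who]
    flags = []
    # 1. The proposer's voting power arrived shortly before the proposal.
    gains = [e.block for e in mine if e.kind == "gain" and e.block <= prop.block]
    if gains and prop.block - max(gains) <= WINDOW:
        flags.append("power_gained_just_before_proposal")
    # 2. The proposer's own vote is enough to reach quorum.
    votes = [e for e in mine if e.kind == "vote" and e.block >= prop.block]
    if any(v.amount >= QUORUM for v in votes):
        flags.append("proposer_vote_alone_meets_quorum")
    # 3. The same power leaves again soon after the vote is cast.
    if votes and any(e.kind == "exit" and 0 <= e.block - votes[0].block <= WINDOW
                     for e in mine):
        flags.append("power_withdrawn_right_after_vote")
    return flags

# Constructed samples: labels and block numbers are invented for illustration.
SUSPICIOUS = [
    Event(1_000, "gain", "contract_A", 224_739),
    Event(1_050, "propose", "contract_A"),
    Event(1_060, "vote", "contract_A", 224_739),
    Event(1_100, "exit", "contract_A", 224_739),
]
ROUTINE = [
    Event(1_000, "gain", "delegate_B", 40_000),
    Event(90_000, "propose", "delegate_B"),
    Event(90_500, "vote", "delegate_B", 40_000),
    Event(91_000, "vote", "holder_C", 180_000),
]

if __name__ == "__main__":
    print(triage(SUSPICIOUS))
    print(triage(ROUTINE))
```

Any one flag is weak on its own; the three together are what make a proposal worth reading before it reaches the end of its voting period.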

Attack Summary

  • the attack on governance took place around July 7th 2022
  • they submit a malicious proposal, trying to change the admin of yam reserves
  • they try to mislead users into voting for it through the description of the proposal
  • we cancelled the malicious proposal