We noticed an attack on governance (July 9th 2022)

Thanks to the ping from trent, samczsun and yambot.

Attacker

https://etherscan.io/address/0x4429abbf523bef0f1e934b04cff8584955c72548

Brief details

The attacker uses multiple addresses:
https://etherscan.io/address/0x4429abbf523bef0f1e934b04cff8584955c72548
https://etherscan.io/address/0x0de41bdc58ffaf4a8c1b7084a544fbbe10a9de56
https://etherscan.io/address/0x3c749d3fce03ee5d7ff43ff09c9e07e9807e51f0
https://etherscan.io/address/0x0946969bc3be7e9b436a399c55dd3ffb029b0e95

Malicious contract (interacts with YAM, YAM governance, the YAM incentivizer and the Sushi LP): https://etherscan.io/address/0x15515330e7c003dd4594b737165f2bf2ee671d82

200 ETH was sent in to their main address: https://etherscan.io/tx/0xb4a367c30588dbb18ecb3845e665a66a298568e9a31d185eb581f1718ce15643

1- Normal activity (a few days ago)

Actor: https://etherscan.io/address/0x0de41bdc58ffaf4a8c1b7084a544fbbe10a9de56

They get YAM, then add liquidity on SushiSwap and stake it: https://etherscan.io/tx/0x5dd604226553d677430f2cb5fa6e72b36cb6d9cd52f3c187be7bb31e7fdfe54f https://etherscan.io/tx/0x2fd4736f3c17ada5e13dd85e3a0c3f281c88d772457153cc53a35158a0ba3f87 https://etherscan.io/tx/0xbc14be9b7c5cff1c29522fb176fcd7218f929c866a792f8be4bb0944ad18466d

They get rewards: https://etherscan.io/tx/0xf5279cb69c38a549466b7ab9d973f1f795fad124133981e427708f1396c3fed4

They exit the stake and remove liquidity: https://etherscan.io/tx/0x88ab30caf14729d6ee7f3a70a60b8c00b4a0514addd523bfce702f075569ea15 https://etherscan.io/tx/0xa0525aac2ed0c46c2a77c01ed15a88cdfee3dbc53939b6f563c54399eff86262

They swap YAM to ETH: https://etherscan.io/tx/0xf5dbd43952c79e991569f3923d4a656d35f1cbc6ea89e6d938b2fc50d6a0ede3 https://etherscan.io/tx/0xa9261bbcdabb806e1f436e1789e5acc320573cb98f16416f220f05d1fcf8c212

2- Semi-normal activity (recently)

Actor: https://etherscan.io/address/0x3c749d3fce03ee5d7ff43ff09c9e07e9807e51f0

They get YAM, then add liquidity on SushiSwap: https://etherscan.io/tx/0xaaa99de0c4055dcdfac1ccf7764bd5c952cba5ec9e371e77d3a13db7791e8bc8 https://etherscan.io/tx/0x12e177d5b1a99d2a9ff244b09a4cff3b7c0adf22d74d0857cdda355bec1ad0e7

They transfer ownership of their stake to the contract: https://etherscan.io/tx/0x0040285be4c3f184019e33f503b16f693053f72cef527ad5bf637659f4e4f29b

3- Suspicious activity (recently)

Actor: https://etherscan.io/address/0x0946969bc3be7e9b436a399c55dd3ffb029b0e95

They create the malicious contract: https://etherscan.io/tx/0x4bdd2ed7b9e560ed1e690ffa7cf9f5467f09460af098bdd970031ec2a3b8769c

They delegate to the contract: https://etherscan.io/tx/0x20a6153ccd11b3129be7539c13d1bacc624abf94ff07b2b46887cf6888abc9d5

They deposit into the LP and stake: https://etherscan.io/tx/0x44c4304bf9f35e9ce71857a91e130bbae3bd6ca77ed1c1dcbabaa65bd78028b6

While in the pool, they propose the deployed malicious proposal: https://etherscan.io/tx/0xc5e4dcfa927d099ffd12de2d6d5fb6ebb2d6ba2d6522a9adc36b5196e0ca0391#eventlog https://etherscan.io/address/0x15515330e7c003dd4594b737165f2bf2ee671d82

They vote on it with 224739 YAM, quickly hitting quorum: https://etherscan.io/tx/0x60a4f4020bae19044eabfa2be0518a489935d285dddced5c5a01d335fc95caf3

They transfer the LP stake back to the actor address from 1- (who then exits, swapping YAM out to ETH): https://etherscan.io/tx/0x7c517ee1f9a177a7282c3f0c9da27ffd029f8ee373298883811294e69c9d5668
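Added example, not code from the gist or the YAM project: a Python heuristic over constructed governance events that flags the shape of step 3 above (voting power delegated to a fresh address right before it proposes, the first vote alone reaching quorum, and the backing stake leaving shortly after the vote). The event fields, quorum, window and sample events are assumptions for illustration.

```python
from collections import namedtuple
# One on-chain governance action. kind is "delegate" (actor -> target),
# "propose", "vote" or "withdraw"; fields a kind does not use stay at default.
Event = namedtuple("Event", "block kind actor target proposal votes",
                   defaults=(None, None, 0))

QUORUM = 200_000  # constructed quorum threshold, in governance tokens
WINDOW = 100      # constructed: blocks that count as "just before/after"

def flag_proposals(events, quorum=QUORUM, window=WINDOW):
    """Return {proposal_id: [reasons]} for proposals matching the pattern
    seen above: power delegated to the proposer right before it proposes,
    the first vote alone meeting quorum, backing stake leaving right after."""
    ev = sorted(events, key=lambda e: e.block)
    findings = {}
    for p in (e for e in ev if e.kind == "propose"):
        reasons = []
        # addresses that lent the proposer voting power shortly before the proposal
        delegators = {e.actor for e in ev if e.kind == "delegate" and e.target == p.actor
                      and p.block - window <= e.block <= p.block}
        if delegators:
            reasons.append("power delegated to proposer within %d blocks" % window)
        votes = [e for e in ev if e.kind == "vote" and e.proposal == p.proposal]
        if votes and votes[0].votes >= quorum:
            reasons.append("first vote alone meets quorum")
            backers = delegators | {p.actor, votes[0].actor}
            if any(e.kind == "withdraw" and e.actor in backers
                   and votes[0].block <= e.block <= votes[0].block + window for e in ev):
                reasons.append("backing stake withdrawn within %d blocks of the vote" % window)
        if len(reasons) >= 2:  # one signal alone is common in normal governance
            findings[p.proposal] = reasons
    return findings

# Constructed sample (not real chain data): EOA "eoa" delegates to a fresh
# contract "mal", which proposes and votes; "eoa" then pulls its stake out.
SAMPLE = [
    Event(1000, "delegate", "eoa", "mal"),
    Event(1020, "propose", "mal", proposal=7),
    Event(1021, "vote", "mal", proposal=7, votes=224_739),
    Event(1050, "withdraw", "eoa"),
    # benign: long-standing self-delegation, vote well under quorum, no exit
    Event(200, "delegate", "holder", "holder"),
    Event(2000, "propose", "holder", proposal=8),
    Event(2010, "vote", "holder", proposal=8, votes=50_000),
]

if __name__ == "__main__":
    for pid, why in flag_proposals(SAMPLE).items():
        print("proposal %d flagged: %s" % (pid, "; ".join(why)))
```

Feeding real delegation, proposal, vote and withdrawal events into the same function lets a monitor raise the alert while the proposal is still in its voting or timelock window, which is when cancellation is still possible.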

Attack Summary

  • The attack on governance took place around July 7th 2022
  • They proposed a malicious proposal trying to change the admin of the YAM reserves
  • They tried to mislead users into voting for it with the proposal's description
  • We cancelled the malicious proposal