ethedev/govattack-0722.md

## govattack-0722.md

      
    Raw
  

              govattack-0722.md
            
          
    We noticed an attack on governance (July 9th 2022)

Thanks to the ping from trent, samczsun and yambot.
Attacker

https://etherscan.io/address/0x4429abbf523bef0f1e934b04cff8584955c72548
Brief details

attacker uses multiple addresses
https://etherscan.io/address/0x4429abbf523bef0f1e934b04cff8584955c72548
https://etherscan.io/address/0x0de41bdc58ffaf4a8c1b7084a544fbbe10a9de56
https://etherscan.io/address/0x3c749d3fce03ee5d7ff43ff09c9e07e9807e51f0
https://etherscan.io/address/0x0946969bc3be7e9b436a399c55dd3ffb029b0e95
malicious contract (interacts with yam, yam gov, yam incentivizer, sushi lp)
https://etherscan.io/address/0x15515330e7c003dd4594b737165f2bf2ee671d82
200 eth in to their main address
https://etherscan.io/tx/0xb4a367c30588dbb18ecb3845e665a66a298568e9a31d185eb581f1718ce15643
1- normal activity (few days ago)

actor
https://etherscan.io/address/0x0de41bdc58ffaf4a8c1b7084a544fbbe10a9de56
they get yam then add liquidity on sushiswap and stake
https://etherscan.io/tx/0x5dd604226553d677430f2cb5fa6e72b36cb6d9cd52f3c187be7bb31e7fdfe54f
https://etherscan.io/tx/0x2fd4736f3c17ada5e13dd85e3a0c3f281c88d772457153cc53a35158a0ba3f87
https://etherscan.io/tx/0xbc14be9b7c5cff1c29522fb176fcd7218f929c866a792f8be4bb0944ad18466d
they get rewards
https://etherscan.io/tx/0xf5279cb69c38a549466b7ab9d973f1f795fad124133981e427708f1396c3fed4
they exit stake and remove liquidity
https://etherscan.io/tx/0x88ab30caf14729d6ee7f3a70a60b8c00b4a0514addd523bfce702f075569ea15
https://etherscan.io/tx/0xa0525aac2ed0c46c2a77c01ed15a88cdfee3dbc53939b6f563c54399eff86262
they swap yam to eth
https://etherscan.io/tx/0xf5dbd43952c79e991569f3923d4a656d35f1cbc6ea89e6d938b2fc50d6a0ede3
https://etherscan.io/tx/0xa9261bbcdabb806e1f436e1789e5acc320573cb98f16416f220f05d1fcf8c212
2- semi-normal activity (recently)

actor
https://etherscan.io/address/0x3c749d3fce03ee5d7ff43ff09c9e07e9807e51f0
they get yam then add liquidity on sushiswap
https://etherscan.io/tx/0xaaa99de0c4055dcdfac1ccf7764bd5c952cba5ec9e371e77d3a13db7791e8bc8
https://etherscan.io/tx/0x12e177d5b1a99d2a9ff244b09a4cff3b7c0adf22d74d0857cdda355bec1ad0e7
they transfer the ownership of their stake to the contract
https://etherscan.io/tx/0x0040285be4c3f184019e33f503b16f693053f72cef527ad5bf637659f4e4f29b
3- suspicious activity (recently)

actor
https://etherscan.io/address/0x0946969bc3be7e9b436a399c55dd3ffb029b0e95
creates malicious contract
https://etherscan.io/tx/0x4bdd2ed7b9e560ed1e690ffa7cf9f5467f09460af098bdd970031ec2a3b8769c
they delegate to the contract
https://etherscan.io/tx/0x20a6153ccd11b3129be7539c13d1bacc624abf94ff07b2b46887cf6888abc9d5
they deposit into lp and stake
https://etherscan.io/tx/0x44c4304bf9f35e9ce71857a91e130bbae3bd6ca77ed1c1dcbabaa65bd78028b6
while in the pool they propose the deployed malicious proposal
https://etherscan.io/tx/0xc5e4dcfa927d099ffd12de2d6d5fb6ebb2d6ba2d6522a9adc36b5196e0ca0391#eventlog
https://etherscan.io/address/0x15515330e7c003dd4594b737165f2bf2ee671d82
they vote on it
https://etherscan.io/tx/0x60a4f4020bae19044eabfa2be0518a489935d285dddced5c5a01d335fc95caf3
with 224739 YAM
quickly hitting quorum
they transfer the lp stake back to the actor address in 1- (who then exit swaping yam out to eth)
https://etherscan.io/tx/0x7c517ee1f9a177a7282c3f0c9da27ffd029f8ee373298883811294e69c9d5668
Attack Summary


the attack on governance went on around July 7th 2022
they propose a malicious proposal, trying to change the admin of yam reserves
they try to misguide users to vote with the description of the proposal
we cancelled the malicious proposal