TL;DR#
On February 23, 2024, Blueberry Protocol was exploited on the Ethereum Mainnet due to a smart contract vulnerability, which resulted in a loss of 457 ETH, worth approximately $1.34 million.
Introduction to Blueberry#
Blueberry provides tools for DeFi yield strategists to enjoy new on-chain capabilities and access more capital.
Vulnerability Assessment#
The root cause of the exploit is inconsistent usage of the price oracle feeds, which failed to accurately adjust the decimal precision of the underlying assets.
Incident Analysis#
We attempt to analyze the attack transaction executed by the exploiter.
The underlying assets of the affected markets within the Blueberry protocol used the below decimal precision.
blueberry Wrapped Bitcoin (bWBTC): 8 decimals
blueberry USDC (bUSDC): 8 decimals
blueberry OHM (bOHM): 8 decimals
However, the price oracle used by the protocol failed to account for the different decimal precisions of varying tokens. The current implementation of their price oracle uniformly returned prices with the same 18 decimals for all underlying assets.
The discrepancy between the price sources and the methods used for their respective normalization created a room for inconsistent logic for operations involving token prices.
As a result, the exploiter was able to deposit a single ETH (with 18 decimals) and, due to the oversight in accounting for the decimal differences among the tokens, extract a disproportionately large amount of the other underlying assets.
Aftermath#
The team acknowledged the occurrence of the incident and stated that the protocol has been paused to lessen the damage caused by the incident. All of the drained funds were front-run by a MEV bot and were safe in the Blueberry multisig. The team is in contact with the validator in hopes of recovering the remaining 91 ETH worth of assets. The total amount of drained assets amounts to roughly 457 ETH, worth $1,346,722, and so far, 366.55 ETH has been returned to the multisignature wallet.
Solution#
The incident with Blueberry Protocol serves as a stark reminder of the complexities and inherent risks associated with integrating oracles and managing asset valuation in DeFi protocols. Central to this incident was a critical discrepancy in how decimal precision was handled by the protocol's price oracle feeds, underscoring the urgent need for a robust solution to avert future exploits. Addressing this requires a nuanced approach: dynamically adjusting the oracle price based on the decimal precision of each underlying asset is paramount. This ensures that all interactions within the protocol involving price data standardize these adjusted prices to a uniform decimal precision, fostering consistency across the board.
To achieve this, a meticulous audit focused on the protocol's handling of decimal precision in price calculations is indispensable, complemented by comprehensive testing. This includes simulating a broad spectrum of transaction scenarios to affirm the robustness of these adjustments, ensuring that the protocol can withstand a variety of market conditions and user behaviors.
Moreover, the establishment of a routine for the continuous monitoring of oracle feeds is critical. This will facilitate the prompt identification of any discrepancies in decimal precision or price data, enabling swift corrective actions. The development of a flexible update mechanism is equally important, ensuring that the protocol can rapidly adjust its handling of decimal precision or update Oracle sources in response to detected vulnerabilities. This layered approach not only addresses the immediate issue but also strengthens the protocol's resilience, enhancing its security posture and safeguarding user assets against similar vulnerabilities in the future.
Despite following stringent security measures, the risk of vulnerabilities being exploited remains a constant threat. In such instances, Neptune Mutual plays a critical role. By creating a dedicated cover pool with Neptune Mutual, the negative impact of these incidents can be greatly reduced. Our expertise lies in offering protection against losses incurred from smart contract vulnerabilities through the use of parametric policies designed for these unique risks.
Partnering with Neptune Mutual streamlines the recovery process for affected users by eliminating the need for extensive loss documentation. Following the confirmation and resolution of an incident through our detailed incident resolution framework, our priority shifts to swiftly providing compensation and financial support to the impacted parties. This method ensures prompt aid for users affected by security lapses.
Our services span several major blockchain platforms, including Ethereum, Arbitrum, and the BNB chain, serving a broad spectrum of DeFi users. This extensive reach empowers us to deliver safeguards against a variety of vulnerabilities, bolstering security for our wide-ranging user community.
Reference Source BlockSec
