31 million U.S. dollars were maliciously siphoned away. Will Binance roll back BSC for users?

Note: The original text comes from rekt.

In retrospect, this was inevitable.

This is the first major attack on Binance Smart Chain (BSC), and the funds lost by Meerkat Finance rank third on the list.

After just one day of operation, Meerkat Finance swindled 13 million BUSD and approximately 73,000 BNB, with the total currently at approximately US$31 million.

We have been observing the Binance Smart Chain, and its network seems to be replicating the development trend of Ethereum DeFi in the summer: once some project teams had built up enough capital through copied code, they ran away with the money (a rug pull).

The follow-up to this incident will be very interesting.

Will CZ and his team roll back their company chain, or just let users suffer the losses?

Such a scam leaves thieves with nowhere to hide. Where can they go on such a chain? Binance shut down the bridge, and even bscscan.com was down for a while. Was it too much traffic, or some type of smokescreen?

Meerkat Finance initially claimed that this was a hack, but then the project deleted their accounts, leaving BSC users to blame themselves or Binance.

Thanks to 0xdeadf4ce for the help.

  1. Meerkat Finance deployers upgraded 2 of the project’s vaults.

  2. The attacker address called the permissionless initialization function through the Vault proxy; this function effectively allowed anyone to become the owner of the Vault [2].

  3. The attacker then drained the treasury by calling a function with signature 0x70fcb0a7, which accepted a token address as input. Decompiling the upgraded smart contract showed that the only purpose of the called function was to remove funds in favor of the owner.

Generally, if the contract has a function that allows the owner to actively withdraw assets used in the strategy/vault, then you are trusting the project team.

And they can choose to run away at any time.

This is why projects like yearn add check functions as shown below so that the project can only withdraw funds that have not been used by strategies/vaults.

Both affected vaults used OpenZeppelin’s transparent proxy upgrade pattern, which allows the Vault logic to be replaced with a new implementation by calling the upgradeTo(address newImplementation) function at the Vault proxy level.

The previous implementation of the BUSD vault was deployed at 0x49509a31898452529a69a64156ab66167e755dfb, and the previous implementation of the WBNB vault was deployed at 0x3586a7d9904e9f350bb7828dff05bf46a18bb271, both of which were fairly unremarkable.

The Meerkat Finance deployer called the upgradeTo() function twice:

  1. At block height 5381239, the WBNB Vault implementation address was set to 0x9d3a4c3acee56dce2392fb75dd274a249aee7d57.

  2. At block height 5381246, the BUSD Vault implementation address was set to 0xb2603fc47331e3500eaf053bd7a971b57e613d36.

This changes the vault logic, introducing two notable functions that were not part of the original implementation.

  • init(address owner)

According to the decompiled bytecode, this function sets the address in storage slot 0 to the address provided to the function.

Without requiring permission checks, this newly added function becomes the ultimate backdoor for attackers to break into the vault.

Using a specific Initializer pattern in a transparent proxy is a best practice and was applied in the first Vault implementation, so any intention behind adding an init() method other than planning to steal Vault funds is highly questionable.

  • 0x70fcb0a7 (address _param1)

The source code is not available. The decompiled code is limited to checking whether the caller equals the address in storage slot 0, as set by the init() method, and calling balanceOf() on the token contract passed as _param1, with the vault address as the query target. Neither of these functions was part of the previous Vault implementation.

Comparing the bytecode of the new and old implementations shows that the new implementation is only 1/4 the size of the previous logic.
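The comparison described above can be run as a routine check whenever a proxy's implementation changes. The following is an added example, not code from the original article or from any project it mentions: it extracts function selectors from EVM runtime bytecode and reports what an upgrade added, what it removed and how much the code shrank. The bytecode and the selectors 0xaaaa0001 to 0xaaaa0003 and 0xbbbb0001 are constructed stand-ins; only 0x70fcb0a7 comes from the text.

```python
# Added example: diff the dispatcher of two implementations behind a proxy.
# Bytecode is constructed; only selector 0x70fcb0a7 comes from the article.

def selectors(runtime: bytes) -> set:
    """Walk EVM opcodes; collect every PUSH4 <sel> directly followed by EQ."""
    found, i = set(), 0
    while i < len(runtime):
        op = runtime[i]
        if 0x60 <= op <= 0x7F:                 # PUSH1..PUSH32 carry op-0x5F data bytes
            end = i + 1 + (op - 0x5F)
            data = runtime[i + 1:end]
            if op == 0x63 and len(data) == 4 and runtime[end:end + 1] == b"\x14":
                found.add("0x" + data.hex())
            i = end                            # skip push data so it is never read as opcodes
        else:
            i += 1
    return found

def fake_runtime(sels, body_len):
    """Constructed stand-in: DUP1 PUSH4 sel EQ PUSH2 0000 JUMPI per function, then padding."""
    table = b"".join(bytes.fromhex("8063" + s[2:] + "1461000057") for s in sels)
    return table + b"\x00" * body_len

def review_upgrade(old: bytes, new: bytes, shrink_alert=0.5):
    """Compare two runtime bytecodes and list reasons to hold the upgrade for review."""
    old_s, new_s = selectors(old), selectors(new)
    report = {
        "added": new_s - old_s,
        "removed": old_s - new_s,
        "size_ratio": len(new) / len(old),
        "flags": [],
    }
    if report["added"]:
        report["flags"].append("new externally callable functions")
    if report["removed"]:
        report["flags"].append("existing functions removed")
    if report["size_ratio"] < shrink_alert:
        report["flags"].append("implementation shrank sharply")
    return report

OLD = fake_runtime(["0xaaaa0001", "0xaaaa0002", "0xaaaa0003"], 399)   # 432 bytes
NEW = fake_runtime(["0xbbbb0001", "0x70fcb0a7"], 86)                  # 108 bytes, 1/4 of OLD

if __name__ == "__main__":
    for key, value in review_upgrade(OLD, NEW).items():
        print(key, value)
```

Real compilers also emit other dispatcher shapes, so a production check should treat the extracted set as a lower bound on the callable surface.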

Since the upgrade was performed by the Meerkat Finance deployer, and considering all of the on-chain data, the most likely explanation for this incident is a deliberate rug pull; the possibility of a private key leak is very small.

As of the time of this post, portions of the stolen funds have been distributed to different addresses and sent to what appears to be the Binance Bridge, which is hosted by the Binance exchange.

The Binance.org bridge is currently suspended, likely to prevent funds from being easily transferred to other blockchains.

Timeline (March 4, 2021)

  1. At 08:53:10 UTC on March 4, 2021, the Meerkat Finance deployer changed the WBNB vault to contract 0x9d3a4c3acee56dce2392fb75dd274a249aee7d57.

  2. At 08:53:31 UTC on March 4, 2021, the Meerkat Finance deployer changed the BUSD vault to contract 0xb2603fc47331e3500eaf053bd7a971b57e613d36.

  3. At 08:54:31 UTC on March 4, 2021, the attacker called the 0x70fcb0a7 method on the BUSD vault to transfer 13,968,039 BUSD.

  4. At 08:54:55 UTC on March 4, 2021, the attacker called the 0x70fcb0a7 method on the WBNB vault to transfer 73,635 WBNB.
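The timeline shows how little time separated each upgrade from the drain. The following added example (not from the original article) is a monitoring rule that flags a function selector first seen on a proxy shortly after its implementation changed. The record layout, vault labels, alert window and the 08:40:00 row with selector 0xaaaa0001 are assumptions; the other timestamps, addresses and the selector come from the timeline.

```python
from datetime import datetime

# Constructed event feed. "upgrade" rows model a proxy implementation change,
# "call" rows model a transaction to the proxy with the given 4-byte selector.
EVENTS = [
    ("2021-03-04T08:40:00", "WBNB vault", "call", "0xaaaa0001"),  # ordinary use (constructed)
    ("2021-03-04T08:53:10", "WBNB vault", "upgrade",
     "0x9d3a4c3acee56dce2392fb75dd274a249aee7d57"),
    ("2021-03-04T08:53:31", "BUSD vault", "upgrade",
     "0xb2603fc47331e3500eaf053bd7a971b57e613d36"),
    ("2021-03-04T08:54:31", "BUSD vault", "call", "0x70fcb0a7"),
    ("2021-03-04T08:54:55", "WBNB vault", "call", "0x70fcb0a7"),
]

def first_use_after_upgrade(events, window_s=3600):
    """Alert when a selector never seen on a vault is called soon after an upgrade."""
    seen, upgraded_at, alerts = {}, {}, []
    for ts, vault, kind, value in sorted(events):      # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if kind == "upgrade":
            upgraded_at[vault] = (t, value)            # remember time and new implementation
            continue
        known = seen.setdefault(vault, set())
        if value not in known and vault in upgraded_at:
            up_t, impl = upgraded_at[vault]
            delay = int((t - up_t).total_seconds())
            if delay <= window_s:
                alerts.append({"vault": vault, "selector": value,
                               "new_impl": impl, "delay_s": delay})
        known.add(value)
    return alerts

if __name__ == "__main__":
    for alert in first_use_after_upgrade(EVENTS):
        print(alert)
```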

The same trick happened on a different chain, but the balance of power was different. Under CZ’s watch, the bridges were burned and the bandits had nowhere to hide.

Even in the Meerkat_Rugpull Telegram group, there was no consensus among chat members on how Binance should handle the situation.

Will Binance roll back the blockchain and return the money to users?

The answer is not so clear cut. The 21 mysterious validators could theoretically arrange a refund, but it is unlikely and would only fuel CeDeFi’s problems and create more work for the (probably already stressed) BSC lawyers.

How Binance handles this incident may set a precedent.

Although this is not the first case of absconding with funds on BSC, it is the first since the rise of PancakeSwap and the one involving the largest amount of money.

Therefore, we find that protocols on BSC are no more secure than those on Ethereum.

CZ will not save you. Their transactions are indeed cheaper, but there is no original development.

Once Ethereum Layer 2 is launched, what will the BSC enterprise chain look like?
