Hello! At 23:08 (SGT) on May 31, 2022, Defibox received feedback from a user (account boxfan.mlt, itshaejinlee) reporting that the lending protocol had a high-risk vulnerability. The Defibox team entered emergency status immediately and suspended lending and the USN BToken generation function at 23:19 (SGT) on May 31, 2022. The bug has now been fixed and the contract has been reopened. This incident satisfied the Defibox Bounty Program standard. The incident and its solution are described as follows:
Account boxfan.mlt deposited BOX into the lending contract (lend.defi), borrowed USDT against it, and then transferred the BBOX BToken to the USN contract (danchorsmart) to generate USN. After these operations the account's collateral in lend.defi was 0, leaving a bad loan. The detailed on-chain operation records (TX IDs) are:
- Deposit BOX to the lending contract:
- Borrow USDT from the lending contract:
- BBOX transfers to the USN contract and generates USN:
(This is the step where the bug occurs: a BToken that is serving as collateral should not be transferable.)
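The failure mode above, as an added constructed C++ model (not the code of lend.defi or danchorsmart; the account structure, the 200% collateral ratio and the function names are assumptions): the vulnerable transfer only checks the raw BToken balance, so collateral can leave the account and the loan becomes unbacked, while the hardened transfer only lets the unlocked part of the balance move.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Constructed model of the incident (not lend.defi or danchorsmart code):
// a BToken pledged as loan collateral must not be transferable.
struct Account {
    int64_t btoken = 0;      // BToken balance (e.g. BBOX received for a BOX deposit)
    int64_t collateral = 0;  // part of that balance locked as loan collateral
    int64_t debt = 0;        // outstanding borrowed amount (e.g. USDT)
};

struct Ledger {
    std::map<std::string, Account> acct;
    static constexpr int64_t kCollateralRatio = 2;  // assumption: 200% collateral

    void deposit(const std::string& who, int64_t amount) { acct[who].btoken += amount; }

    // Borrowing locks kCollateralRatio * amount of the account's BToken.
    bool borrow(const std::string& who, int64_t amount) {
        Account& a = acct[who];
        int64_t needed = amount * kCollateralRatio;
        if (a.btoken - a.collateral < needed) return false;
        a.collateral += needed;
        a.debt += amount;
        return true;
    }

    // Vulnerable transfer: checks only the raw balance and ignores the collateral lock.
    bool transfer_unchecked(const std::string& from, const std::string& to, int64_t amount) {
        Account& a = acct[from];
        if (a.btoken < amount) return false;
        a.btoken -= amount;
        acct[to].btoken += amount;
        return true;
    }

    // Hardened transfer: only the unlocked part of the balance may move.
    bool transfer(const std::string& from, const std::string& to, int64_t amount) {
        Account& a = acct[from];
        if (a.btoken - a.collateral < amount) return false;
        a.btoken -= amount;
        acct[to].btoken += amount;
        return true;
    }

    // A loan is bad when debt is outstanding but the pledged collateral is no longer held.
    bool is_bad_loan(const std::string& who) {
        const Account& a = acct[who];
        return a.debt > 0 && a.btoken < a.collateral;
    }
};
```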
The user reported the bug to the Defibox executive team immediately after finding it. After confirming that the vulnerability existed, the Defibox executive team activated the emergency plan, suspended the lending function and the USN BToken minting function, and repaired the vulnerability right away. The fix was signed via multi-sig, released to production, and the related contracts were reopened.
After discussion by the Board: the user who found the bug and reported it to the team in time prevented greater losses for Defibox. The report satisfied the bounty program standard and is rated as high risk, since the bug affected the security of contract funds. The reward will be paid from the reserve fund and amounts to $10,000.
The Defibox Security Bounty Program aims to motivate community developers to carry out vulnerability and stress testing on Defibox protocols and products, and to strengthen the open-source process of Defibox. We hope that every Defibox user can participate in the Defibox project and help build a better Defibox!
Reward distribution (converted to 7310 EOS) TX ID:
Bounty Program: Click to view
Thank you for your support and attention to Defibox!
Defibox Project Executive Team
June 1, 2022