- Type: Exploit
- Network: Ethereum
- Total lost: ~6MM (lost: 3MM USDT + 3MM USDC + 2.95MM DAI, recovered: 3MM USDT, 1.95MM DAI)
- Category: Access Control
- Exploited contracts:
- Attack transactions:
- Attack Block: 12995895
- Date: Aug 10, 2021
- Reproduce: `forge test --match-contract Exploit_Punk -vvv`
- Call `initialize` to set your own `forge_` address
- Call `withdrawToForge` to withdraw tokens

The Punk protocol pools did not prevent someone from calling `initialize` after the contracts were already initialized.

The attacker called `initialize` through the proxy and set their own `forge_` address, which allowed them to later call `withdrawToForge`, which, as the name implies, withdraws all the funds to the forge address.

```solidity
// Callable by anyone, and nothing stops a second call after setup.
function initialize(
    address forge_,
    address token_,
    address cToken_,
    address comp_,
    address comptroller_,
    address uRouterV2_
) public {
}
```

`initialize` functions should always be protected so they can be called only once.
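
A minimal sketch of that one-time guard, added here as an illustration and not taken from the Punk code base. Only `initialize`, `forge_` and `withdrawToForge` are names from the write-up; `GuardedPool`, `IERC20Minimal`, the `initializer` and `onlyForge` modifiers and the two-argument signature are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20Minimal {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical pool used behind a proxy. The flag is ordinary storage, so it
// is recorded in the proxy's storage next to forge and token.
contract GuardedPool {
    bool private _initialized;
    address public forge;
    IERC20Minimal public token;

    // Reverts on every call after the first, so forge cannot be replaced.
    modifier initializer() {
        require(!_initialized, "already initialized");
        _initialized = true;
        _;
    }

    // Assumed access rule: only the configured forge may pull funds.
    modifier onlyForge() {
        require(msg.sender == forge, "caller is not forge");
        _;
    }

    function initialize(address forge_, address token_) public initializer {
        require(forge_ != address(0) && token_ != address(0), "zero address");
        forge = forge_;
        token = IERC20Minimal(token_);
    }

    // Sends the whole balance to forge. This is only safe while forge cannot
    // change after setup, which the initializer guard enforces.
    function withdrawToForge() external onlyForge {
        uint256 balance = token.balanceOf(address(this));
        // Simplified: tokens that return no value from transfer need a
        // safe-transfer wrapper instead of this bool check.
        require(token.transfer(forge, balance), "transfer failed");
    }
}
```

The guard does not authenticate the first caller, so `initialize` should be invoked in the same transaction that deploys the proxy. OpenZeppelin's `Initializable` contract provides an `initializer` modifier with the same one-time behaviour.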