Dracula Protocol smart-contract bug and quality of FUD in community
As mentioned in my earlier response, we want to share with the community a bug.
SushiSwap code is fully audited.
However, today’s post is not about us, but about silly FUD and their role in the DeFi community as a whole. When we were reading a silly hype article we had the MasterVampire smart-contract investigated as a potential target for hacking, we’ve noticed another bug, this time with more serious ramifications.
We want to describe the vulnerability and a potential backdoor that was left by mistake, and may get forked multiple times in different projects. The bug itself may lead users to have all their staked liquidity stolen. A potential attack based on this is hard to implement, and it takes special preparations, plus owner rights on the initial stage of the launch. But it gives the ability to drain all funds for anyone with admin rights. Even under multisig and governance, it’s extremely hard to notice anything malicious in common transactions.
MasterVampire contract has a
deposit function that calls
deposit in the
VampireAdapter library. This
deposit function uses
delegatecall on the adapter contract.
Because of the
deposit function in the Adapter (or any new adaptor) is executed in the context of the
Let’s understand why using
delegatecall is irresponsible and possibly malicious.
Consider a malicious owner of the contract on the stage of deploying a new adapter for a very unpopular protocol, silently adds a few lines of code to the
deposit function. This doesn’t look suspicious at all because nobody cares about this protocol, so nobody checks the new adapter code.
But let’s image what will happen if after, say, the
TimeLock is finished and the pool is added. Barely anyone would have noticed these new pools being added, as people tend to believe it can only impact those new pools.
As a result,
delegatecall to deposit will lead to the malicious owner stealing all funds from all pools.
Recently a silly FUD and hype article was read many times by many people, but nobody seemed to understand this was a total non-issue.
We believe that the severity of the FUD is at least on a high level. The fact that it was overlooked by the community raises some serious questions about the role of the community in DeFi.
The fix for this is pretty simple, and it’s implemented in the Sushi Community. One simply needs to not believe everything that’s written in technical reveal style articles on Medium.
Nevertheless, we still lack an official FUD whacker for our project and invite anyone to reveal FUD for what it is.