According to Rubic Protocol, on December 25, one of its routing contracts was breached, forcing them to suspend contracts until the issue is investigated. When the Rubic cross-chain decentralized finance (DeFi) protocol was hacked, money kept in its users’ addresses was taken out and sent to the hackers.
We're continuing to update you, Rubicans.
Our contract became compromised because the USDC address was whitelisted to interact directly with Rubic. We're investigating the reasons why, but it was required to work with some of our providers.— Rubic (@CryptoRubic) December 25, 2022
The designers of the protocol also recommended that users utilize the revoke. Cash tool to cancel contract authorization. According to a Twitter thread from blockchain cybersecurity company PeckShield, a flaw in the Rubic protocol allowed money to be taken straight from the wallets that approved its smart contracts for $1.41 million.
Rubic @CryptoRubic is exploited (w/ ~$1.41M) https://t.co/ckAfQr9kgm
1,100 $ETH already into Tornado Cash from the exploiter https://t.co/yPkrC2hFCZ pic.twitter.com/25rLUcMbkf— PeckShield Inc. (@peckshield) December 25, 2022
The money was sent to the exploiter address via transactions utilizing the stablecoin USD Coin (USDC) on the Uniswap decentralized exchange (DEX). According to PeckShied, the exploit was feasible when USDC was unintentionally added to compatible routers. A malicious contract usage was further made possible by “a lack of validation in ruterCallNative.”
How did this come to be?
This comes after another firm, LastPass, was previously hacked, adding to the many recent hacks being witnessed. The ruterCallNative function has several possible flaws, including invalidated input for the “_params” and “_data” arguments, according to a brief brilliant contract analysis using chatGPT. These may let an attacker send malicious information that might cause improper or undesired behavior.
Furthermore, an attacker may be able to construct a contract and have it executed by the RubicProxy agreement if the “_gateway” option given to the function is unrestricted.
The attacker employed a specially created smart contract in the attack. The 337 lines of code the attacker used to carry out the attack as effectively as possible are visible in the decoded bytecode.
The Uniswap protocol siphoned off just USDC and exchanged it for wrapped ethereum in the first two transfers to the hacker’s address, totaling 1,161.55 and 26.88 ethereum (ETH) (WETH). This WETH was transferred to Tornado Cash, an authorized on-chain mixer, to anonymize the illegally obtained monies.
The hacker’s address was the source of $1.45 million in incoming transactions submitted to the coin anonymization service, out of a total incoming value for the benefit of around $2.9 million. In other words, the exploiter sent around half of the assets to the mixer today.
