Zest Protocol Security Update
April 16, 2024
Tycho Onnasch
Zest Protocol is paused until further notice. User positions will be unaffected until the protocol opens again. More details on the path to opening below.
Security is at the heart of Zest Protocol’s design. Zest Protocol is the first lending market written in the Clarity smart contract language on Stacks. Until the Zest Protocol launch, routine lending operations in Clarity had never been battle tested in a production environment with real assets.
Bringing an innovative product to market requires great attention to detail. The protocol underwent a full smart contract audit and has been running two bug bounty programmes in parallel since launch, more than any other protocol on Stacks. While it felt slow at times, the protocol saw a phased roll-out over the past two months with limited debt ceilings and users. Borrowable assets are the attack surface for lending protocols. Stacked STX (stSTX), the largest TVL asset that Zest Protocol holds, was not configured as borrowable, to limit the attack surface.
On the day that Zest Protocol launched to the public, an attacker artificially increased the value of their collateral to borrow an amount exceeding the value of their position. The attacker removed 322k STX from the protocol. As soon as the attack was identified, Zest Protocol contracts were paused. stSTX funds are unaffected, as they were not configured as borrowable. The attacker didn’t touch any aeUSDC. The removed amount of STX is reimbursed from the Zest Protocol treasury and user balances remain unaffected (see STX funds here).
In the meantime, the walls are closing in on the attacker. A Binance withdrawal address has been uncovered that will reveal the identity of the attacker (see path below) and the full range of legal actions is currently being deployed.
Moments like these are what DeFi builders sign up for. We’re beta testing the future of the financial system by opening innovative products to real deposits. These are necessary steps towards building a robust and open financial future. It’s also good for the community that these events happen in a contained fashion. Smart contract auditors are put on notice to pay close attention, and other DeFi builders can draw lessons.
Opening Zest Protocol securely is now the top priority. The smart contracts are undergoing a full re-audit. Auditors have started working to finish at the earliest possible date. When the protocol is relaunched, existing users will find their balances intact (and likely something special too).
For those who want to dig deeper into how the attack happened and the steps taken to mitigate it, let’s dig in.
Central to this exploit was the attacker's manipulation of the collateral list, an essential element in determining a borrower's capacity based on their pledged assets. By duplicating values within this list, the smart contract was tricked into overvaluing the collateral. Using multiple accounts, the attacker orchestrated a series of actions that led to the exploitation.
Key Steps in the Exploit:
- Collateral List Manipulation: The attacker's primary action was to manipulate the collateral list by repeating entries. This duplication caused the smart contract to overcalculate the total collateral value.
- Excessive Borrowing: The exploit was executed in 5 borrow calls with a repeating asset list. In these calls the attacker was able to borrow an amount substantially greater than what should have been allowed.
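The double-counting described in the steps above, as a simplified Python model added here for illustration; it is not Zest Protocol's Clarity code, and the asset prices, loan-to-value ratio, balances and function names are all constructed assumptions. It puts the flawed valuation beside two hardened forms: rejecting a repeated list, and ignoring the caller's list entirely.

```python
# Simplified model of the duplicate-collateral flaw; NOT Zest Protocol's code.
# Prices, LTV, balances and all names below are constructed for illustration.

PRICES = {"stSTX": 3.0, "aeUSDC": 1.0}  # constructed USD prices
LTV = 0.5                                # constructed loan-to-value ratio


class DuplicateAsset(ValueError):
    """The caller-supplied asset list repeats an entry."""


def collateral_value_naive(deposits, asset_list):
    # Flawed pattern: the caller chooses the list, and every entry is summed,
    # so an asset listed n times is valued n times.
    return sum(deposits.get(asset, 0.0) * PRICES[asset] for asset in asset_list)


def collateral_value_checked(deposits, asset_list):
    # Hardened form 1: refuse any list that contains a repeated entry.
    if len(set(asset_list)) != len(asset_list):
        raise DuplicateAsset(f"repeated asset in list: {asset_list}")
    return collateral_value_naive(deposits, asset_list)


def collateral_value_from_state(deposits):
    # Hardened form 2: ignore caller input and value each recorded deposit
    # exactly once, iterating over the protocol's own bookkeeping.
    return sum(amount * PRICES[asset] for asset, amount in deposits.items())


def max_borrow(collateral_value):
    # Borrowing capacity follows directly from the computed collateral value.
    return collateral_value * LTV


if __name__ == "__main__":
    deposits = {"stSTX": 1000.0}             # constructed position
    honest = ["stSTX"]
    repeated = ["stSTX", "stSTX", "stSTX"]   # constructed repeated list

    print("honest capacity  :", max_borrow(collateral_value_naive(deposits, honest)))
    print("inflated capacity:", max_borrow(collateral_value_naive(deposits, repeated)))
    print("state-derived    :", max_borrow(collateral_value_from_state(deposits)))
    try:
        collateral_value_checked(deposits, repeated)
    except DuplicateAsset as exc:
        print("rejected         :", exc)
```
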
This exploitation led to a significant discrepancy between the actual and perceived collateral values, enabling the attacker to remove funds from the protocol using the borrow calls below:
The path that ties the attacker to a Binance withdrawal that happened before the attack:
One of the two XLink bridge transactions to get STX used by the attacker: https://explorer.hiro.so/txid/0x6ebbed26a19fd096f13ff50a7fac4865db5e16775ea24a4ecff4150a83421c27?chain=mainnet
The BTC that was swapped into STX over XLink above came from this Bitcoin transaction (output 3):
https://mempool.space/tx/4c91d658e87fcdc4c957303450ec2d10f9045a783aa75db988807eaf35f2de4a
The Bitcoin address that bridged BTC over XLink: bc1qn7alfrla2jhyq7hzezjg9fe86t39m9z86mt9kl
The Bitcoin address above received a withdrawal transaction from Binance before the attack (0.01423400 BTC, into bc1qn7alfrla2jhyq7hzezjg9fe86t39m9z86mt9kl): https://mempool.space/tx/fb6e0a324bc2023dff6d8f4a80b3e6cd7ad1314fd0a54be93d48ea5ff0eeaa80
The owner of the BTC in the previous Bitcoin transaction is the address bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h
bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h is controlled by Binance (source: https://www.binance.com/en/blog/community/our-commitment-to-transparency-2895840147147652626)
All communications relating to the identity of the attacker should go to security@zestprotocol.com. If you are the attacker, you can email us to avoid distress.