Minterest Security Incident Post-Mortem Report

Date of Incident

July 14, 2024

Incident Summary

On July 14, 2024, between 16:24 and 16:28 UTC+3, Minterest experienced a security breach in its Mantle Network deployment involving the wallet address 0x618F768aF6291705Eb13E0B2E96600b3851911D1.

The breach was identified through unusual activity related to transaction hash 0xb3c4c313a8d3e2843c9e6e313b199d7339211cdc70c2eca9f4d88b1e155fd6bd and contract address 0x9B506584a0F2176494D5F9C858437b54DF97Bc06.

NB: Minterest's deployments on the Ethereum and Taiko networks remain unaffected.

Vulnerability Identified

  • USDY token smart contract on Minterest
  • No other token market smart contracts on Minterest are affected

Impact

  • Exploit: $1.4M of $mETH and $WETH tokens were taken from Minterest's deployment on Mantle Network
  • Liquidation Events: Manipulation of the exchange rate on the mUSDY market led to the liquidation of users' positions that used this market as collateral
  • Withdrawals for USDY: Reduced withdrawal amounts from the USDY market due to the manipulated exchange rate

Timeline

1. 16:31 hrs UTC+3 14.07.2024: Unusual Liquidation Event noticed.

2. 16:51-17:01 hrs UTC+3 14.07.2024: Initial detection of unusual activity by Sahan – our community manager – based on a report from community member mist of an unusual liquidation, followed shortly by Hypernative Labs, who reported the transaction as an exploit.

3. 17:22 hrs UTC+3 14.07.2024: Confirmation of security breach and identification of the suspect wallet address.

4. 17:27 hrs UTC+3 14.07.2024: Immediate suspension of supply and borrow operations on Mantle Network.

5. 17:54 hrs UTC+3 14.07.2024: Suspension of supply and borrow operations on other chains.

6. 20:42 hrs UTC+3 14.07.2024: Established war room with SEAL 911, a group of volunteer white hats to fight crypto hacks, and Blocksec. We wish to thank the Mantle Network team for acting quickly and putting us in touch with these teams.

7. 22:32 hrs UTC+3 14.07.2024: Paused all operations on Mantle Network once manipulation of USDY exchange rate was identified.

8. Between 20:42 hrs UTC+3 14.07.2024 and 13:00 hrs UTC+3 15.07.2024: Notifications sent to centralised exchange partners to freeze funds and suspend transactions.

9. 14.07.2024: Detailed investigation conducted to assess the extent of the breach.

10. 16:58 hrs UTC+3 18.07.2024: mUSDY reentrancy vulnerability is patched.

11. 19:27 hrs UTC+3 18.07.2024: mUSDY exchange rate is fixed.

12. 12:12 hrs UTC+3 19.07.2024: 10% Bounty for recovered funds posted on Arkham Intelligence.

13. 19:18 hrs UTC+3 19.07.2024: Base rate APY & APR are now set to 0% (paused) for the duration of Minterest’s pause in operations in an effort to support borrowers unable to manage their portfolio positions during this time.

14. 20.07.2024: MNT and MINTY emission rewards + MINTY staking rewards are active and accruing retroactively from July 14.

15. 23.07.2024: Remediation plan presented.

16. 24.07.2024: Liquidation fees for those impacted by liquidations on July 14 have been returned.

Root Cause Analysis

The attacker exploited the mUSDY market through a reentrancy attack combining the flashLoan and lendRUSDY functions, in the following steps (analysis courtesy of Blocksec):

1. The attacker borrowed 4.265M USDY tokens from the AGNI USDY/USDT pool via a flash loan.

2. The attacker then borrowed 392.773K USDY tokens by invoking the flashLoan function of the mUSDY contract, which temporarily manipulated the exchange rate, and re-entered the lendRUSDY function (to obtain mUSDY tokens) from within the flash loan callback, supplying the USDY tokens borrowed in step 1.

3. The attacker repaid the flashLoan, which returned the exchange rate to normal, then invoked the redeemUnderlying function to redeem more USDY tokens than had been supplied, realising the profit.

4. The attacker repeated steps 2 and 3.

The attacker used the proceeds to borrow WETH and mETH, then transferred the stolen funds to Ethereum via the Stargate bridge:

WETH:

https://explorer.mantle.xyz/tx/0x5031e851a83e50725602110ba755f0e47cfb0790718125fe8fd29531ce1b1529

mETH:

https://explorer.mantle.xyz/tx/0x53d694620fbe17cac1d06e5a89c1d12278d237692cc50aefc6c0479d8945a07f

The funds were finally converted to ETH via Squid Router:

https://etherscan.io/tx/0x6a78d9ae41e5254643410171bea70955b47c68d7d2b4bd960b4c3552ecacad84

Explanation

In the flashLoan function, funds are transferred to the caller, then the caller's callback is executed, and finally the funds are transferred back with a fee. These token transfers change the market's cash balance, which is an input to the exchange rate. Inside the callback, the attacker converted USDY tokens to mUSD and supplied them with lendRUSDY.

Because this supply took place between the two token transfers of the flash loan, the exchange rate was calculated from the temporarily reduced cash balance. The resulting lower rate meant the attacker received more mTokens than they should have. Afterwards, they withdrew all of the underlying tokens they had supplied.

During the withdrawal, Minterest burns mTokens according to the correct exchange rate, so the attacker withdrew their full position yet still held a surplus of unsecured mTokens.

After repeating this operation in a loop 25 times, they had accumulated the equivalent of $1.7M in the USDY market and used it to borrow the maximum possible amount from both the WETH and mETH markets.
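The following toy model, added to this write-up and not Minterest's code, reproduces the accounting defect described in the Root Cause Analysis and Explanation sections above: an mToken-style market whose exchange rate is derived from its cash balance, with a flashLoan entry point that moves cash out and back within one transaction. The class and method names (Market, lend, redeem_underlying, flash_loan) mirror the functions named above but are assumptions, not the real ABI; the fee, balances and deposit sizes are constructed test values. The same supply-then-withdraw sequence leaves zero mTokens when run normally, leaves unbacked mTokens when the supply happens inside the flash loan callback, and is rejected outright once the market refuses state-changing calls while a flash loan is open. That "zero leftover after a full withdrawal" property is the invariant a test suite for such a market should assert across every entry point.

```python
"""Toy mToken market with a cash-based exchange rate and a flashLoan entry point.

Added illustration for this post-mortem; not Minterest's code. Method names
mirror the functions named in the root-cause analysis but are assumptions, and
every number is a constructed test value.
"""
from dataclasses import dataclass
from typing import Callable

SCALE = 10**18        # fixed-point scale for the exchange rate (1.0 == SCALE)
FLASH_FEE_BPS = 10    # assumed 0.1% flash-loan fee (constructed value)


class ReentrancyError(Exception):
    """Raised when lend/redeem is called while a flash loan is still open."""


@dataclass
class Market:
    cash: int            # underlying tokens held by the market contract
    borrows: int         # underlying currently lent out to borrowers
    reserves: int        # protocol reserves
    total_supply: int    # mTokens outstanding
    guarded: bool        # True: lend/redeem are rejected during a flash loan
    in_flash_loan: bool = False

    def exchange_rate(self) -> int:
        """Underlying per mToken, scaled by SCALE. Because `cash` is an input,
        any token movement mid-transaction moves the rate with it."""
        if self.total_supply == 0:
            return SCALE
        return (self.cash + self.borrows - self.reserves) * SCALE // self.total_supply

    def _check_not_reentrant(self) -> None:
        if self.guarded and self.in_flash_loan:
            raise ReentrancyError("state-changing call rejected inside flashLoan")

    def lend(self, amount: int) -> int:
        """Supply `amount` underlying; mint mTokens at the current rate."""
        self._check_not_reentrant()
        minted = amount * SCALE // self.exchange_rate()
        self.cash += amount
        self.total_supply += minted
        return minted

    def redeem_underlying(self, amount: int) -> int:
        """Withdraw `amount` underlying; burn mTokens at the current rate, rounded up."""
        self._check_not_reentrant()
        burned = -(-amount * SCALE // self.exchange_rate())
        self.cash -= amount
        self.total_supply -= burned
        return burned

    def flash_loan(self, amount: int, callback: Callable[["Market"], None]) -> int:
        """Send `amount` out, run the borrower's callback, take it back plus a fee."""
        snapshot = (self.cash, self.total_supply)
        self.in_flash_loan = True
        try:
            self.cash -= amount          # cash drops, so exchange_rate() drops
            callback(self)               # borrower code runs against the depressed rate
            fee = amount * FLASH_FEE_BPS // 10_000
            self.cash += amount + fee    # cash restored, rate recovers
            return fee
        except ReentrancyError:
            self.cash, self.total_supply = snapshot   # emulate the on-chain revert
            raise
        finally:
            self.in_flash_loan = False


def new_market(guarded: bool) -> Market:
    """Constructed starting state: 1M underlying backing 1M mTokens (rate 1.0)."""
    return Market(cash=1_000_000 * SCALE, borrows=0, reserves=0,
                  total_supply=1_000_000 * SCALE, guarded=guarded)


def supply_then_withdraw(market: Market, deposit: int, inside_flash_loan: bool) -> int:
    """Lend `deposit`, then redeem exactly `deposit`; return the mTokens left over.

    Correct accounting leaves 0. Any surplus is unbacked by underlying and is
    effectively paid for by the market's other suppliers.
    """
    if inside_flash_loan:
        minted: list[int] = []
        market.flash_loan(400_000 * SCALE, lambda m: minted.append(m.lend(deposit)))
        minted_amount = minted[0]
    else:
        minted_amount = market.lend(deposit)
    burned = market.redeem_underlying(deposit)
    return minted_amount - burned


if __name__ == "__main__":
    print("outside flash loan, leftover mTokens:",
          supply_then_withdraw(new_market(False), 100_000 * SCALE, False) // SCALE)
    m = new_market(False)
    print("inside flash loan, unguarded, leftover mTokens:",
          supply_then_withdraw(m, 100_000 * SCALE, True) // SCALE,
          "| rate for remaining suppliers:", m.exchange_rate() / SCALE)
    try:
        supply_then_withdraw(new_market(True), 100_000 * SCALE, True)
    except ReentrancyError as err:
        print("inside flash loan, guarded:", err)
```

The guard shown here is the simplest mitigation (refuse lend and redeem while a flash loan is open); an alternative with the same effect is to have the exchange-rate calculation treat flash-loan principal that must be returned within the transaction as still part of cash, so that the rate cannot be moved by the loan at all. Either way, the regression check is the same: for every entry point, supplying and then withdrawing the same amount must leave zero mTokens, and the exchange rate seen by other suppliers must not fall.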

Tracking Funds

The wallet address was initially funded through Tornado Cash, a mixer, and then used Stargate and Squid Router for cross-chain transfers to Ethereum Mainnet.

https://metasleuth.io/result/eth/0x618F768aF6291705Eb13E0B2E96600b3851911D1

Suspect Wallet

Wallet address:

https://etherscan.io/address/0x618F768aF6291705Eb13E0B2E96600b3851911D1

Txn hash:

https://explorer.mantle.xyz/tx/0xb3c4c313a8d3e2843c9e6e313b199d7339211cdc70c2eca9f4d88b1e155fd6bd

Contract Address:

https://explorer.mantle.xyz/address/0x9B506584a0F2176494D5F9C858437b54DF97Bc06

Actioned

  • Breach Containment: Temporary suspension of all operations on the Minterest platform on all chains. No further exploit can occur. (Please note: while the exploit is local to Mantle Network, operations on Taiko and Ethereum are paused as well)
  • CEXs: Reached out to key exchanges to flag the wallet address in order to freeze and recover any funds deposited
  • Suspect Wallet: Flagged the wallet address across major CEXs and instant-swap services; the flag is visible on Etherscan
  • Forensics Support: Working with SEAL 911, Blocksec, and other forensics firms to reduce the attacker's options
  • Messaged Suspect Wallet: Attempting to open communication through on-chain messaging and on X

Immediate Next Steps

We are working to recover user funds for three key groups impacted:

1. USDY Holders

We anticipate full recovery for USDY holders who have supplied to Minterest. The goal is to return the contract state to its state before the exploit. Steps being taken include:

  • Patching the exploit vulnerability to allow safe use of the USDY/mUSD token market
  • Updating the exchange rate for the mUSDY market to allow accurate calculations when supplying, borrowing, repaying, and withdrawing for liquidity providers.
  • Enabling USDY holders access to their assets

2. Liquidated Users

We anticipate full recovery of missing funds. The goal is to recover user assets taken due to liquidation fees on 14 July. Steps being taken:

  • Tallying users impacted by liquidation events who used USDY as collateral
  • Calculating the liquidation fees
  • Repaying the liquidation fees

3. WETH/mETH Suppliers

We will continue to work around the clock to communicate with the attacker while working with white hats and law enforcement to recover lost funds and keep the community updated.

Note: The protocol UI may currently display incorrect supply and borrow amounts on the user dashboard while protocol operations are paused. We kindly ask affected users to be patient as we work diligently to resolve this issue promptly.

Conclusion

We remain committed to ensuring the security and integrity of our platform and will take proactive measures to protect our users’ assets.

For any questions or further information, please contact the mods on Discord/Telegram or send an email to nextlevel@minterest.com

Thank you for your patience and continued support!

15 July 2024