Explained: The Minterest Hack (July 2024)

In July 2024, Minterest was the victim of a hack in which the attacker stole an estimated $1.4 million in cryptocurrency from the protocol. The attacker used a flashloan attack and exploited a reentrancy vulnerability to exploit the Minterest smart contracts on Mantle Network.

Inside the Attack

The Minterest attack was an example of a price manipulation attack that was designed to manipulate the market’s exchange rates and take advantage of this for profit. To do so, the attacker exploited a reentrancy vulnerability in the project’s mUSDY contract on Mantel.

The attack began by taking a flashloan out, then borrowing USDY tokens from Minterest via its flashLoan function. By doing so, the attacker had funds transferred to them, triggering their fallback function and allowing them to run their own instructions. This flashloan also caused the market’s exchange rates to be changed since the market had a lower cash balance available to it.

When the Minterest contract called the attacker contract’s fallback function, the attacker converted USDY tokens to mUSD, then reentered the Minterest contract via its lendRUSDY function. When this loan was performed, the contract used the modified exchange rate caused by the attacker’s initial flashloan, resulting in excess mTokens being assigned to the attacker. 

Next, the attacker withdrew the underlying tokens associated with this loan, causing Minterest to burn some mTokens. However, this operation used the correct exchange rate, leaving the attacker with their excess mTokens.

By repeating this process multiple times, the attacker built up an estimated $1.7 million of mTokens in the mUSDY market. They used these tokens to borrow WETH and mETH from the protocol, enabling them to drain $1.4 million from the protocol. These actions also caused many user positions to be liquidated within the mUSDY market.

Lessons Learned from the Attack

The Minterest hack was made possible by a couple of different smart contract vulnerabilities. One was a price manipulation vulnerability in which exchange rates were updated immediately after a borrow, enabling a flashloan to manipulate these rates. The other was a reentrancy vulnerability in which an attacker could loan out tokens that they had previously borrowed from the protocol.

Price manipulation and reentrancy vulnerabilities are common smart contract security errors that can be identified and addressed via a comprehensive smart contract security audit. For help with protecting your on-chain project against these and similar threats, get in touch with Halborn.