In December 2021, Bent Finance was the victim of an internal attack.  A rogue developer inserted a backdoor into the contract that later allowed them to extract 513k cvxcrv LP tokens from it.

Inside the Attack

The Bent Finance hack was an insider exploit enabled by poor access controls.  Bent Finance contracts were deployed without multisig wallet contract ownership.  While the team was in the process of migrating over to multisig, an insider took advantage of non-multisig contracts.

The attacker targeted Bent Finance’s cvxcrv and mim pools and performed a series of updates to the contracts.  The goals of these updates were to hardcode a balance for a particular account via a backdoor and then conceal this modification by updating the contract with a non-backdoored version after the balance had been updated.

The attacker’s modifications to the code assigned a balance of 100000001000001 * 10^12 to address 0xd23cfffa066f81c7640e3f0dc8bb2958f7686d1f.  Once the contract’s balances were updated, replacing the backdoored code with a clean version has no impact on this balance.  This allowed the attacker to later withdraw this liquidity from the cvxcrv pool, draining it.

Lessons Learned From the Attack

The Bent Finance hack was made possible by poor access management in the project’s contracts.  The contracts were initially deployed to a non-multisig wallet, allowing anyone with knowledge of the appropriate private key to perform updates like the one that created the backdoor.  While the team tried to fix this issue, it was apparently a multi-day process as the rogue developer’s modifications occurred three days before the switchover.

DeFi contracts should always be deployed using multisig wallets to eliminate these single points of failure.  It is also important to properly protect the private keys used to control these contracts.

Rob Behnke
12.22.2021