In August 2021, the Neko Network, an experimental network of the Maze Protocol running on the Binance Smart Chain (BSC), was the victim of an attack.  The attacker managed to steal over $4 million in stablecoins from the protocol.

Inside the Attack

The Neko Network is a lending protocol which allows users to mortgage their assets as collateral for loans.  The attacker exploited a vulnerability in the Neko Network’s MainPool smart contract that allowed them to mortgage assets in the name of other users of the Neko Network.

The vulnerability existed because the smart contract used a variable named onBehalfOf to determine whose assets to mortgage for a loan but the transferUnderlyingTo function sends the borrowed cryptocurrency to the account that initiated the transaction.  

By calling the vulnerable contract with the address of a user with borrow credit remaining, the attacker could mortgage that user’s assets while receiving the borrowed funds to their address.

The attack revealed insider knowledge of the Neko Network smart contract as the code has never been open-sourced and some of the attacking contracts were launched roughly five days before the vulnerable contract.  

Since the attack, the attacker has returned $3.8 million of the stolen assets, eliminating the impact to all but one of the attack’s victims.

Lessons Learned From the Hack

The Neko Network attack was made possible by a mismatch in the smart contract code between the account being mortgaged for the loan and the one that received the borrowed funds.  This issue was overlooked despite the fact that the code underwent two security audits.

One area of concern about the Neko Network’s contract is that it was not open-sourced prior to the hack.  While this made it possible to determine that the attack was an inside job, it also means that users of the protocol had no opportunity to review the code before investing.  This lack of transparency increased the risk to users and made it impossible for the vulnerability to be discovered and ethically reported by whitehat security researchers.

Rob Behnke