In March 2022, Paraluni, the metaverse financial project, was the victim of an attack.  The attacker exploited a reentrancy vulnerability within the project’s smart contract to steal approximately $1.7 million in tokens.

Inside the Attack

The Paraluni hack was made possible by a reentrancy vulnerability within the contract’s depositByAddLiquidity function.  The attacker was able to exploit this vulnerability using a specially-crafted contract that contains a malicious transferFrom function.

The depositByAddLiquidity function calls an internal depositByAddLiquidityInternal function that transfers the attacker’s deposit into the appropriate pool.  However the pool ID value (_pid) used to look up the appropriate pool is not validated internally.

The attacker takes advantage of this by directing this to an attacker-controlled contract, whose malicious transferFrom function is called.  This function then exploits the reentrancy vulnerability to call the Masterchef deposit function before the internal state is updated.  Between the initial and malicious deposits, the attacker is credited with excess tokens and able to extract more value from the contract than they deposited.

Lessons Learned From the Attack

This attack was enabled by two vulnerabilities: failing to validate user input (_pid) and a reentrancy vulnerability.  Both of these are well-known types of vulnerabilities and could have been detected and prevented by a smart contract audit.

Rob Behnke