ChargeDeFi security incident

ChargeDeFi
Dec 20, 2021


Incident: 60/40 vault exploit
Incident Time:
18th December 2021 07:12 UTC
Impact:
$1.16m (2185.6 Charge)
Compensation: Full repayment of tokens plus $50 BUSD per Charge token lost.

Background

ChargeDeFi is an algorithmic stablecoin project with rebase mechanics launched on the Binance Smart Chain (BSC). All the original contracts of Charge are written from scratch and have been audited by Certik. There is no (known) vulnerability in those contracts.

Post Launch/Certik Audit

Following the launch and our audit, Charge decided to add two auto-compounding vaults:

- $Static-BUSD vault
- $Charge vault

If an investor stakes into the $Static-BUSD vault, 40% of that stake is swapped into $Charge and staked into the $Charge vault. Both vaults are auto-compounding. The $Charge vault additionally has a 48-hour lock window followed by a 2-hour unlock window. During this unlock window the vault is compounded and investors can take out their earnings. After this window, the vault is locked again for 48 hours.

These vaults are simple, so we looked at existing implementations in other projects. We decided to fork the 60/40 auto-compounding vaults from Grim.Finance, which had been audited by Solidity Finance and had a substantial TVL. In particular, the audit report states that reentrancy protection is in place.

Placing trust outside of Charge, and bypassing our usual security process and standard of only using Certik, is the fundamental mistake that led to the exploit within Charge. We should never have relied upon Grim.Finance or the Solidity Finance audit report. After the exploit, our devs looked at the vaults further and found that they contained several security issues.

Within this report, we include our timings on notifying Grim.Finance of the exploit. This is shared for full transparency and in no way excuses ChargeDeFi for the issues caused in our own project.

Summary Timings

Here is a summary of the timings; a full detailed log is shared at the end of this article.

Damage

The exploiter managed to take out 2185.6 $Charge tokens, valued at $530 per token at the time of the exploit. They were traded for BUSD and then swapped to 955 WBNB. The value of this transaction was approximately $520k. The amount the attacker received for the $Charge was lower than the $1.16m value of the stolen tokens. This is due to limited liquidity: as the attacker sold off the tokens, the price dropped fast.

Compensation

As soon as we knew the site was safe, had informed possible targets and had contacted investigation agencies, we moved on to a compensation plan to settle investors' concerns. We considered various methods of compensation but had to weigh the damage each route could do to the ecosystem.

We settled on the following:
1) ChargeDeFi builds a list of affected wallets and their lost Charge tokens, which is then shared with the community for cross-checking.
2) Affected wallets will receive an equal amount of Charge tokens over a period of approximately 30 days. A special farm pool will be set up for this. It is a normal farm pool, but only for wallets that have lost their Charge, not for other stakers. During this 30-day period, the farm will yield Charge that can be claimed at any time.
3) After these 30 days all lost Charge will be compensated for.
4) Affected wallets will also receive an airdrop of $50 BUSD per Charge lost, on top of regaining their original Charge.

The Charge used in this compensation method will be supplied by the project wallet. No extra Charge will be minted; the team has decided to supply this from the daily balance of Charge sent to the project wallet.

As an extra balancing measure, Charge team members will not increase their Charge stake in the ChargeDeFi boardroom. This will balance APRs.

Areas to improve upon

Security Process
We have a strong development team who are often engaged to audit other projects and code. We made a fundamental mistake in taking an audited vault from elsewhere and assuming it was safe. This is a mistake that should never have been made.

We immediately implemented these measures:
- All contracts/code will be fully audited by our own team first.
- All contracts which hold funds will be audited by Certik or will have gone through rigorous testing by suppliers with the same security reputation.
- When using external contracts we will only use contracts that have an up-to-date audit.
- No unaudited code will be added to ChargeDeFi.
- Previously unreleased code (self-written) has been shared with Certik for an expedited audit.

Response Times
We have global timezone coverage with our mods and the core team. It took 25 minutes for a core team member to respond and a further 25 minutes to pause the vaults. The damage was already done, but it would have been more reassuring to investors if a core member had been online faster. While the core team members are doxxed to each other, the mods had no way to get hold of us other than via chat.
- We’ve implemented a way for all team members to contact Core team members in case of an emergency. This will speed up response times.
- Certik was contacted through our personal contact and not through official channels. Using official channels would have improved the response time.

Social monitoring and activity.
Scam attempts on social channels (Telegram, Discord, Twitter) are commonplace in DeFi. We post regular warnings, but the news of the exploit attracted a lot of scammers to our channels. Also, our Twitter activity was lower than our Telegram and Discord updates, and a large portion of our investors is not always aware of what is posted on Telegram or Discord. So this will be changed.
- Continuous warnings about scam attempts during a stressful situation are now in place.
- Regular monitoring of channel members to detect fake/scam accounts posing as a mod, admin or Core team member inside the channel.
- New incident process where all channels are informed, not just a focus on Telegram and Discord.

Outlook on Charge

We cannot give enough credit to the strength of our community, who remained patient throughout this entire process and allowed us to work through our actions. They were extremely helpful to each other as people learned of the news. On top of this, we are thankful to our mod team, who remained professional throughout and strived for continuous communication to reassure investors.

We hope everyone understands that we do take security seriously; that is why we used Certik to audit all our core contracts. But with the addition of the vault, we made a fundamental and regrettable mistake. We have done all we can to compensate everyone affected. And more importantly, we have learned from this experience.

The ChargeDeFi team remains humbled by the show of support and will continue to deliver to the highest standards you are used to and expect from us.

Thank you again to our community, we wouldn’t be here without you!

Detailed Timeline

18th December 2021 UTC

(07:12 UTC) The new $Charge vault is suddenly drained of tokens. Multiple wallets are part of this transaction. Only a fraction of the vault content remains when it unlocks after its 48-hour window.

The attacker used the following wallets to create contracts and set up the transactions:

https://bscscan.com/address/0x1efa88baf64097b53a2c46e00fa6944dbebb9298
https://bscscan.com/address/0xca1f810d5ebac48e18daa343fa729a3beb78a4f3
https://bscscan.com/address/0xa9f55dca11bf5deffb3526a6ca20206672237220

(07:20 UTC) First signs of issues and people contacting ChargeDeFi team members about missing Vault tokens.
(07:27 UTC) ChargeDeFi Mods relayed the info to the rest of the team.
(07:37 UTC) Telegram announcement informing channel members that we are getting hold of the developers.
(07:38 UTC) The Core team has been made aware of a potential issue and is investigating.
(08:03 UTC) 60/40 vaults are paused, preventing further abuse. By this time most of the contents had been drained.
(08:03 UTC) 2nd announcement in Telegram. We asked the community to revoke the vault's spending approvals while the investigation continues.
(08:04 UTC) ChargeDeFi mods assist users in revoking permissions.
(08:18 UTC) Contacted tornado.cash as they were used as a proxy to transfer the BNB gained.
(08:21 UTC) Multiple forensics agencies are contacted to see if they can help us track/block the funds.
(08:42 UTC) Telegram announcement: the Charge40 (C40) contract address is shared.
(08:50 UTC) The culprit has been found in the code of the vaults: there are no reentrancy guards on depositFor.

This vulnerability allowed the attacker to insert his own (dummy) tokens into the contract, thereby gaining a majority share of the vault contents and enabling him to drain all vested $Charge tokens.
(09:09 UTC) 4th announcement: Charge vault update. A PCS (PancakeSwap) flash loan that was used to fund the attack is mentioned. Vaults are paused while being fixed and will be reviewed by Certik before they are reactivated. We are looking at the different options for the compensation to come. We clarified that the boardroom and the farms were not affected and that the core contracts were not in danger.
(09:20 UTC) Certik has been contacted to check for options for expedited audits on the new contracts.
(09:27 UTC) Updates to all channels (Telegram, Discord and Twitter) are sent informing investors in more detail about the issue and the progress made. Detailed information about the vulnerability is kept under wraps.
(09:57 UTC) Contact was made with Grim informing them about the issue. We gave details of the exploit, explained that we had just suffered an exploit, and suggested they pause their vaults and pass the details to their devs. Both depositFor and withdraw have no reentrancy guards in the code on their side. This applies not just to the 60/40 vaults but to all Grim vaults.

Their response was that Grim is closed source and that there is no risk. We tried to convince them, without success. The ChargeDeFi contact was kicked from the Grim Discord.
(10:15 UTC) Talks about possible reimbursement strategies start.
(10:19 UTC) 5th announcement warning the Charge community about private messages from fake Charge team members that have started contacting people in the channels.
(10:23 UTC) 6th announcement: Official statement that all lost Charge tokens can be restored; we have enough funds to cover it. Looking at options to do so without disrupting the APRs.
(11:25 UTC) Asked Grim if they had taken action. Again we were told they don't have any risk and that their code is closed source.
(11:34 UTC) Contacted Tomb.Finance to ask for help in contacting Grim.Finance. A mod immediately responded and took the situation seriously. There was no known issue at Tomb.Finance, only at Grim.Finance, but Tomb's assets would be affected by a draining of Grim's vaults.
(11:42 UTC) Tomb.Finance confirmed they were in touch with Grim Developers and were helping Grim look at the code.
(11:45 UTC) 7th announcement: Draft proposal asking for feedback from the community about the best way to proceed with restoring the Charge and the BUSD compensation.
(12:22 UTC) 8th announcement: Compensation proposal shared.
(12:35 UTC) 9th announcement: Poll created on Discord about the compensation proposal, asking for investor feedback.
(12:41 UTC) Tomb.Finance reaches out asking for more information.
(12:47 UTC) Screenshots and further details, including the line number, are shared with Tomb.Finance to relay to Grim.Finance.
(13:08 UTC) We gave Tomb.Finance contact further details on the exploit and provided the following transaction to help them debug.

(14:35 UTC) A small update was pushed to the website to inform users on the vault page about the issue.
(14:53 UTC) 10th announcement: Recap of the situation to help users get all info from one source.
(15:12 UTC) Update to Twitter pointing users to a large update on Discord.
(15:29 UTC) Certik responds with requests for information and informs us that they have seen tweets about the hack. ChargeDeFi informs Certik that the code is a fork from Grim/Tomb and that ChargeDeFi is not communicating about this publicly to give them a chance to fix it in time.
(16:22 UTC) Mods from beefy.finance were contacted to warn them about possible exploits in Tomb and Grim. Beefy was also notified that our messages towards Grim had been ignored.
(17:48 UTC) Contacted Tomb.Finance asking if Grim.Finance had found the issue.
(19:50 UTC) First signs that Grim.Finance is being exploited.

19th December 2021 UTC

(05:39 UTC) Tomb.Finance confirmed they did indeed contact the Grim devs and supported them with our and their own developer information and the transaction details of the exploit, but Grim did nothing.

20th December 2021 UTC
(08:06 UTC) Compensation balances shared with the community.
(16:15 UTC) Compensation airdrop of 50 BUSD per lost Charge token completed.
(21:00 UTC) Compensation pool that will return the lost Charge completed.
(21:30 UTC) Incident report released.
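The defect named in the 08:50 and 09:57 entries is a deposit function that credits vault shares from a balance delta measured around an external call, with no reentrancy guard on depositFor or withdraw. The following illustration is added here and is not ChargeDeFi's, Grim.Finance's or any audited vault's code: `UnsafeVault`, `SafeVault`, `want` and `shares` are hypothetical names for a minimal share-based vault, shown first in the weak form and then hardened with a reentrancy guard, a fixed deposit token and checks-effects-interactions ordering.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration; hypothetical minimal vault, not code from the report or from any project.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Minimal mutex, the same pattern as OpenZeppelin's ReentrancyGuard.
abstract contract ReentrancyGuard {
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }
}

// Weak form: a caller-supplied token address, no reentrancy guard, and shares minted
// from a balance delta measured around the external transferFrom call. If the token
// contract calls back into depositFor during transferFrom, the inner call completes
// first and moves real tokens in; every enclosing call then measures that same balance
// increase and credits shares for it again, inflating the caller's share of the vault.
contract UnsafeVault {
    IERC20 public immutable want;            // the token the vault is meant to hold
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    constructor(IERC20 _want) { want = _want; }

    function depositFor(address token, uint256 amount, address user) external {
        uint256 before = want.balanceOf(address(this));
        IERC20(token).transferFrom(msg.sender, address(this), amount); // external call, re-enterable
        uint256 delta = want.balanceOf(address(this)) - before;
        uint256 minted = (totalShares == 0 || before == 0) ? delta : (delta * totalShares) / before;
        totalShares += minted;
        shares[user] += minted;
    }
}

// Hardened form: only the vault's own token can be deposited, both entry points are
// nonReentrant, and withdraw updates state before it transfers (checks-effects-interactions).
// The delta is still measured so fee-on-transfer tokens are credited for what actually arrived.
contract SafeVault is ReentrancyGuard {
    IERC20 public immutable want;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    constructor(IERC20 _want) { want = _want; }

    function depositFor(uint256 amount, address user) external nonReentrant {
        uint256 before = want.balanceOf(address(this));
        require(want.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 delta = want.balanceOf(address(this)) - before;
        uint256 minted = (totalShares == 0 || before == 0) ? delta : (delta * totalShares) / before;
        totalShares += minted;
        shares[user] += minted;
    }

    function withdraw(uint256 shareAmount) external nonReentrant {
        require(shareAmount > 0 && shares[msg.sender] >= shareAmount, "insufficient shares");
        uint256 amount = (shareAmount * want.balanceOf(address(this))) / totalShares;
        // Effects before interaction: state is settled before any external call.
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        require(want.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The guard alone would have stopped the nested deposit; removing the caller-supplied token address removes the second precondition (an untrusted contract being called from inside the vault), and the report's own remediation list (audit by the team first, funds-holding contracts audited by Certik, only up-to-date external audits) is what catches the difference between an audit report that says "reentrancy protection is in place" and code that actually has the modifier on every entry point.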
