KP3R Vulnerability Report
KP3R Vulnerability Report: How Statemind Found A Two-Year-Old Exploit In Keep3r Network
Statemind recently made media headlines related to preventing what would be the third-largest hack in DeFi history. Today, we are back to report the findings of another discovery of a critical vulnerability across the Keep3r Network and related protocols.
Vulnerability was found in Fixed Forex protocol designed to provide an alternative to USD denominated stable coins. However as Keep3r and fixed forex use the same governance token vulnerability extends to both protocols.
In this particular review, Statemind reported the findings to Keep3r Network, a decentralized smart contract for technical development jobs created by Yearn.Finance founder Andre Cronje.
As mentioned in our last blog post, Statemind conducts these exercises in an effort to make the crypto ecosystem a safer place and gain invaluable data.
In this blog post, we will explain how Statemind’s expert team of auditors found the exploit in the GaugeProxyV2 contract and how ultimately, no funds were lost due to the two-year-old vulnerability.
What Our Research Turned Up: A Two-Year-Old Vulnerability In Andre Cronje’s Latest Project
While reviewing the GaugeProxyV2 contract on Keep3r Network, one of Andre Cronje’s newest projects, we found a critical vulnerability that allowed the unintended boosting of voting weights.
GaugeProxyV2 and its analogs are a distinct type of contract that distributes reward tokens. The _vote()
function allowed for passing the same tokens in the _tokenVote
array. An attacker could, in theory, increase the voting weight with a call.
Then the potential attacker can call vote()
one more time with the same arguments. Under normal conditions, the contract should subtract the previous vote from the weight. In this case, it doesn’t.
The attacker could perform the last step on a loop and significantly boost the weight of a particular token with a relatively small balance of tokens. Interestingly, the vulnerability has been active since KP3R was first deployed nearly two years ago, in October 2020.
How The Report Was Made: Statemind Search Query Discovers Additional Affected Projects
Immediately following the report submitted to the client, the Statemind team quickly realized that other projects that utilized the same approach for rewards distribution were at risk of exposure to the exploit.
The next step involved scouring for similar code using a smart contract sanctuary – a database of verified contracts. Scanning the results confirmed our suspicions: several deployed contracts contained the same vulnerability and were at risk.
Our team filtered out contracts with a non-zero balance and identified related projects to get accurate information on the impacted contracts. Once confirmed, we immediately reported our findings to all affected parties.
In total, six different blockchain projects and five different chains were affected by the vulnerability. Projects include Keep3r Network, Pickle Finance, Spirit Swap, Venera Swap, Snowball Finance, and Milky Swap.
What We Do: Statemind Helps Keep Keep3r Network And The Crypto Industry Safer
No funds have been lost due to the exploit, and thanks to Statemind’s experts, the development community is now aware of the existence of the two-year-old exploit. Keep3r Network is expected to redeploy as needed.
Keep3r Network is one of the most recent projects from legendary DeFi developer Andre Cronje. Andre Cronje is also the founder of Yearn.Finance.
LIDO, 1INCH, and Yearn.Finance are some of Statemind’s current clients. Statemind is a leading blockchain security auditing firm with over 100,000 LoC of Solidity and Vyper experience combined, we have secured over $10B in TVL, and this number continues to grow with each discovery of a significant vulnerability.
A recent discovery of a vulnerability related to the Avalanche blockchain added $350M to that number alone and helped make our public debut even more successful. We look forward to making even more of a positive impact on the crypto industry.