Bug Found in Gelato’s Contract: Might Have Led to Significant Losses

Key Takeaways:

  • This morning Gelato was notified about a bug by samczsun.
  • Gelato immediately tweeted about it and started working on it.
  • PeckShield Inc. noticed a bug in GUniRouter02, more specifically in rebalanceAndAddLiquidity(), which can be exploited to transfer funds from unknowing users who have previously approved GUniRouter02 for spending.

This morning Gelato was notified about a bug by samczsun. Gelato immediately tweeted about it and started working on it. Before that, PeckShield Inc. noticed a bug in GUniRouter02, more specifically in rebalanceAndAddLiquidity(), which can be exploited to transfer funds from unknowing users who have previously approved GUniRouter02 for spending. According to PeckShield Inc., the root cause lies in the call path rebalanceAndAddLiquidity() -> _swap().

Gelato tweeted: “We were alerted about a critical vulnerability in a G-UNI Router contract on Sorbet Finance. This vulnerability ONLY affects users which interacted with the Sorbet UI. NO FUNDS WERE LOST. If you entered any positions on Sorbet, pls take this action NOW. DO NOT SEND ANY OTHER TRANSACTIONS BEFORE COMPLETING THIS STEP OR FUNDS WILL BE AT RISK:

“Go to https://www.sorbet.finance/#/pools, follow our simple step-by-step guide and revoke all approvals you gave to the vulnerable contract.”

Gelato also tweeted: “After being alerted about the bug by @samczsun, we’ve been working with @roamingRahi to conduct a successful whitehat recovery to move all potentially vulnerable funds into a secure escrow contract from which users will have access to recover them soon.” It added: “Everyone here at Gelato appreciates your understanding while we are working on enabling users whose funds we needed to secure to reclaim them on Sorbet within the next hours. We’ll release an official statement in the coming days.”

Moreover, Gelato has asked the community to verify on Etherscan that they have successfully revoked all approvals.
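To illustrate the verification step, here is an added example (not code from Gelato, Sorbet or PeckShield) that decodes the input data of ERC-20 `approve(address,uint256)` transactions, as shown on a block explorer, and reports which tokens still have a non-zero approval to a given spender. The router address and token labels are placeholders, since the article does not give them, and the transaction history is constructed sample data.

```python
# Added example: addresses, token labels and history below are constructed.
APPROVE_SELECTOR = "095ea7b3"  # 4-byte selector of approve(address,uint256)
ROUTER_PLACEHOLDER = "0x" + "11" * 20  # placeholder, NOT the real router address
OTHER_SPENDER = "0x" + "22" * 20       # placeholder for an unrelated contract


def decode_approve(calldata_hex):
    """Return (spender, amount) for ERC-20 approve calldata, else None."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    # selector (4 bytes) + two 32-byte ABI words = 68 bytes = 136 hex chars
    if len(data) != 136 or not data.startswith(APPROVE_SELECTOR):
        return None
    try:
        spender_word = bytes.fromhex(data[8:72])
        amount = int(data[72:136], 16)
    except ValueError:
        return None
    if any(spender_word[:12]):  # an address is left-padded with 12 zero bytes
        return None
    return "0x" + spender_word[12:].hex(), amount


def outstanding_tokens(history, spender):
    """history: chronological (token, calldata) pairs sent by one wallet.
    Returns tokens whose latest approve to `spender` is still non-zero."""
    latest = {}
    for token, calldata in history:
        decoded = decode_approve(calldata)
        if decoded and decoded[0] == spender.lower():
            latest[token] = decoded[1]  # a later approve overwrites an earlier one
    return sorted(t for t, amount in latest.items() if amount != 0)


def make_approve(spender, amount):
    """Build constructed sample calldata for approve(spender, amount)."""
    return "0x" + APPROVE_SELECTOR + spender[2:].rjust(64, "0") + format(amount, "064x")


MAX_UINT256 = 2**256 - 1  # the usual "unlimited" approval
SAMPLE_HISTORY = [  # constructed: TOKEN_A is revoked, TOKEN_B is not
    ("TOKEN_A", make_approve(ROUTER_PLACEHOLDER, MAX_UINT256)),
    ("TOKEN_B", make_approve(ROUTER_PLACEHOLDER, MAX_UINT256)),
    ("TOKEN_A", make_approve(ROUTER_PLACEHOLDER, 0)),
    ("TOKEN_B", make_approve(OTHER_SPENDER, 0)),  # zeroes a different spender
]

if __name__ == "__main__":
    print(outstanding_tokens(SAMPLE_HISTORY, ROUTER_PLACEHOLDER))
```

This only reads a wallet's own approve history; the authoritative value is what the token contract's `allowance(owner, spender)` returns, which should be 0 for every token after revoking.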

Chaahat Girdhar
