Frax Finance Critical Vulnerability Alert

Key Takeaways:

  • Twitter User Daniel Von Fange has identified a vulnerability in Frax Finance, which he has explained in his Twitter Thread.

Frax Finance is the first fractional-algorithmic stablecoin protocol. It is open-source, permissionless, and entirely on-chain,i.e., currently implemented on Ethereum and other chains. The end goal is to provide a highly scalable, decentralized, algorithmic money in place of fixed-supply digital assets like BTC.

Yesterday Daniel Von Fange found that the Frax Convex AMO contract allowed massive slippage when the protocol moved funds in and out, i.e., up to 24% in some cases. This contract is currently holding 1.2 billion dollars of stablecoin collateral. For Example, a 200 million dollar withdrawal could be a loss of 48 million.

Frax Finance Critical Vulnerability Alert

If we go in to core details, then three_pool_to_collateral uses liq_slippage_3crv which was 80%. metapoolWithdraw3pool() checks slippage_metapool at 95%. However, when these two slippage numbers stack together, the second check is calculated with the funds from the first exchange ,i.e., 95% * 80% = 76%.

Frax Finance Critical Vulnerability Alert

One particular danger with MEV attacks like this is that the attacker would not need to have written any code to interact with the protocol or even know its existence. MEV bots pick up and automatically attack transactions like these from only watching curve. Frax had a great response time yesterday and quickly adjusted the minimum required return amounts.

Here is another vulnerability that our readers should know about, i.e., Auctus Protocol Critical Vulnerability Alert. In this case, Auctus Team has informed its users via a tweet that there is a security vulnerability in one of their old beta contracts, i.e. 0xE7597F774fD0a15A617894dc39d45A28B97AFa4f. The team has advised its users that whoever has approved this contract should revoke it.

Default image
Yash Kamal Chaturvedi

Btech Computer Science, Maharshi Dayanand University, Rohtak (2023)