- 1,100 ETH have been transferred to Tornado Cash, and nearly $1.4 million has been stolen from the cross-chain aggregator Rubic.
- On its official website, Rubic claims to have undergone audits from Certik and Fairyproof.
Rubic Protocol said on December 25 that one of its routing contracts had been breached and that all contracts would be suspended while the issue was investigated. Rubic is a cross-chain DEX aggregator. Users can trade native tokens through the routerCallNative function of the RubicProxy contract. Before executing the exchange, the function first checks whether the target Router supplied by the user is on the protocol's whitelist.
The multi-chain exchange protocol was compromised, according to PeckShield's monitoring, causing a loss of more than 1.4 million US dollars. The attacker sent 1,100 ETH to the Tornado Cash mixing protocol.
The designers of the protocol also recommended that users utilise the revoke.cash tool to revoke contract authorisation.
The money was transferred to the exploiter address via transactions involving the stablecoin USD Coin (USDC) on the Uniswap decentralised exchange (DEX). According to PeckShield, the exploit was made possible when USDC was unintentionally added to the supported routers. Malicious use of the contract was additionally made possible by “a lack of validation in routerCallNative.”
The routerCallNative function has a number of potential flaws, including unvalidated input for the “_params” and “_data” arguments, according to a brief smart contract analysis using ChatGPT. These could let an attacker supply malicious data that causes improper or undesired behaviour.
The main reason for the attack, according to the SlowMist security team, was that the protocol improperly added the USDC token to the Router whitelist, which led to the theft of USDC tokens from users who had authorised the RubicProxy contract.
Once the whitelist check passes, the user-supplied target Router is called with user-supplied call data. Unfortunately, the USDC token had also been added to the Router whitelist of the Rubic protocol, which let any user make arbitrary calls to the USDC contract through the RubicProxy contract.
As a result, malicious users exploited this flaw by using the routerCallNative function to call the USDC contract's transferFrom interface, pulling USDC tokens from users who had authorised the RubicProxy contract.
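The whitelist-then-forward flaw described above, as an added Python model that is not Rubic's contract code: it shows why a token the proxy holds approvals for must never be a whitelisted call target, alongside two hardening checks. The `Token`, `Proxy` and `simulate` names, the account names and the amounts are constructed for illustration; only the whitelist check, the forwarded user-supplied call data and `transferFrom` come from the article.

```python
# Constructed model; every name except transferFrom is hypothetical.
TRANSFER_FROM = "transferFrom"

class Token:
    """Minimal ERC-20-style ledger: balances plus (owner, spender) allowances."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowance = {}

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def call(self, sender, fn, *args):
        # sender plays the role of msg.sender; fn and args model the call data.
        if fn != TRANSFER_FROM:
            raise ValueError("unsupported function")
        src, dst, amount = args
        if min(self.allowance.get((src, sender), 0), self.balances.get(src, 0)) < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(src, sender)] -= amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

class Proxy:
    """Forwards caller-chosen call data to any whitelisted target."""
    def __init__(self, whitelist, tokens=(), hardened=False):
        self.whitelist, self.tokens, self.hardened = set(whitelist), set(tokens), hardened

    def router_call(self, caller, target, fn, *args):
        if target not in self.whitelist:
            raise PermissionError("target not whitelisted")
        if self.hardened:
            # Check 1: a token users have approved the proxy for is never a router.
            if target in self.tokens:
                raise PermissionError("token contract cannot be a router")
            # Check 2: forwarded call data may not spend a third party's allowance.
            if fn == TRANSFER_FROM and args and args[0] != caller:
                raise PermissionError("call data spends another account's allowance")
        return target.call(self, fn, *args)  # the target sees the proxy as sender

def simulate(hardened):
    usdc = Token({"alice": 1000})
    proxy = Proxy(whitelist={usdc}, tokens={usdc}, hardened=hardened)
    usdc.approve("alice", proxy, 1000)  # alice approved the proxy for normal swaps
    try:
        proxy.router_call("mallory", usdc, TRANSFER_FROM, "alice", "mallory", 1000)
    except PermissionError:
        pass
    return usdc.balances
```

With `hardened=False` the approval alice gave the proxy is spent by an unrelated caller; with `hardened=True` the call is rejected before it reaches the token.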
The fact that hacks are appearing daily is not good news as the crypto world tries to recover from the harm inflicted by the now-bankrupt exchange FTX. Users were naturally disappointed in the cross-chain aggregator as news of the exploit came through.