Backtesting Web3 Exploits: Could Aegis Prevent Attacks Against Revest Finance and Audius?

Lossless
Sep 22, 2023


Illicit transactions in crypto are on the rise. The latest 2023 Crypto Crime report estimates that addresses associated with illicit activity received tokens worth a staggering $20.6bn last year, an all-time high.

To combat the rise in crypto crime, Lossless developers have backtested the Aegis threat monitoring system against some of the most sophisticated Web3 exploits, worth an estimated $727m in total value stolen. They have found that Aegis provided an average reaction time window of 1.23 days for 20 analyzed exploits. Even excluding the five longest attacks, Aegis issued an alert 20.26 minutes before some of the most sophisticated exploits were executed.

This is the second part of the Backtesting article series, exploring whether Aegis could have made a difference in preventing past Web3 exploits. Historically, very few attacks were executed instantly — project teams still had minutes, hours, or even days to minimize the financial impact. This time, we focus on attacks against Revest Finance and Audius that fall within the “minutes” category based on the reaction time window Aegis would have provided.

Key Takeaways

The $2m exploit against Revest Finance would have been spotted by Aegis almost 32 minutes before being executed. Even though the attack involved a novel vulnerability, Aegis spotted a familiar attack preparation pattern half an hour prior to the incident.

The $6m attack against Audius was identified by Aegis more than 20 minutes before exploit time. Had the Audius team subscribed to our automated threat monitoring service, they would have had ample time to mitigate the worst of the financial impact.

Anatomy of Revest Finance Hack

Revest Finance was exploited on March 27, 2022. Although the financial impact of the attack was somewhat mitigated thanks to the swift reaction from the Revest Finance team, tokens worth an estimated $2m were still stolen in a re-entrancy attack. The release of the stolen tokens by the attacker sent their price on a downward spiral.

Attack tx: 0xe0b0c2672b760bef4e2851e91c69c8c0ad135c6987bbf1f43f5846d89e691428

Attack contract: 0xb480ac726528d1c195cd3bb32f19c92e8d928519

The attack was made possible by a flaw in the handleMultipleDeposits function: the tokenVault contract did not check whether a new NFT had actually been created before recording the new NFT information. Taking advantage of this, the attacker could change the details of the freshly minted NFT for ERC20 assets without having to deposit any ERC20 tokens. Other crucial functions in the Revest contract lacked re-entrancy protection, allowing for callback exploitation.

In simpler terms, imagine a vending machine that gives you a unique numbered bottle each time you buy a drink. The Revest Finance vending machine included a flaw where if you are quick, you can add more drink to the old bottle even when you are getting a new one. This is what the attacker exploited.

The Revest Finance team was quick to respond to a follow-up attack: halting RVST token transfers avoided an additional $1.15M in losses. However, had Revest Finance used Lossless for automated threat monitoring, they would have had enough time to respond to the initial attack too. Backtesting the incident with Aegis, Lossless developers found that Revest Finance would have received a high severity alert at 1:10:05 AM, 31 minutes and 46 seconds before the exploit was executed.

Anatomy of Audius Exploit

The Audius Platform lost $6m worth of native tokens on July 23, 2022. The attack was made possible by a vulnerability within the Audius governance, staking, and delegation contracts. A mismatch in the storage structure across contracts allowed the attacker to reset the governance contracts and reassign a significant amount of governance tokens to himself.
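A storage-structure mismatch of the kind described above can be caught before deployment by comparing the storage layouts of contracts that operate on the same storage. The following is an added example, not Lossless or Audius code: it assumes layouts in the JSON shape emitted by solc --storage-layout, and the two sample layouts and all variable names in it are constructed for illustration.

```python
# Added example: flag storage-layout mismatches between two contracts that
# read and write the same storage. Input shape follows `solc --storage-layout`.

def byte_ranges(layout):
    """Return (start, end, name, type) per variable, in absolute storage bytes."""
    ranges = []
    for var in layout["storage"]:
        info = layout["types"][var["type"]]
        start = int(var["slot"]) * 32 + int(var["offset"])
        ranges.append((start, start + int(info["numberOfBytes"]),
                       var["label"], info["label"]))
    return ranges

def find_collisions(layout_a, layout_b):
    """List (slot, name_a, name_b) where bytes overlap but the variables differ."""
    hits = []
    for a in byte_ranges(layout_a):
        for b in byte_ranges(layout_b):
            overlaps = a[0] < b[1] and b[0] < a[1]
            if overlaps and a != b:  # same bytes, different name/type/placement
                hits.append((a[0] // 32, a[2], b[2]))
    return hits

# Constructed sample data (hypothetical names, not taken from any real project).
TYPES = {
    "t_address": {"encoding": "inplace", "label": "address", "numberOfBytes": "20"},
    "t_bool": {"encoding": "inplace", "label": "bool", "numberOfBytes": "1"},
    "t_uint8": {"encoding": "inplace", "label": "uint8", "numberOfBytes": "1"},
    "t_uint256": {"encoding": "inplace", "label": "uint256", "numberOfBytes": "32"},
}

def _var(label, slot, offset, type_id):
    return {"label": label, "slot": str(slot), "offset": offset, "type": type_id}

LAYOUT_A = {"types": TYPES, "storage": [
    _var("owner", 0, 0, "t_address"),
    _var("totalStaked", 1, 0, "t_uint256"),
]}
LAYOUT_B = {"types": TYPES, "storage": [
    _var("locked", 0, 0, "t_bool"),
    _var("version", 0, 1, "t_uint8"),
    _var("totalStaked", 1, 0, "t_uint256"),
]}

if __name__ == "__main__":
    for slot, name_a, name_b in find_collisions(LAYOUT_A, LAYOUT_B):
        print(f"slot {slot}: {name_a!r} in A overlaps {name_b!r} in B")
```

Mappings and dynamic arrays are compared only by the slot they occupy in place, so a check like this covers fixed-position variables such as flags, owners and counters.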

With the inflated voting power, the attacker was then able to single-handedly vote through malicious proposal #85, which transferred over 18M $AUDIO tokens directly from the treasury to his own wallet.

Attack tx: 0x4227bca8ed4b8915c7eec0e14ad3748a88c4371d4176e716e8007249b9980dc9

Instead of gradually selling the ill-gotten 18.5m $AUDIO tokens, which might have fetched close to $6m in $WETH, the attacker hurriedly traded them on Uniswap at a steep 80% discount, making off with only $1m in $WETH. Soon after, they began laundering the proceeds via Tornado.Cash.

Retrospectively analyzing the incident, our developers noted that Aegis would have issued a high severity alert at 10:51:30 PM — 20 minutes and 6 seconds before exploit time. The exploit was given away by the use of a well-known preparation pattern that identifies an upcoming exploit even before it happens.

Lossless Aegis

The Revest Finance and Audius exploits were backtested using Aegis, an automated security monitoring system that warns project teams of threats before they evolve into harmful exploits. Basic monitoring services with real-time alerts are accessible without integration. Users can simply register on the platform and add their smart contract addresses to the watchlist.

Aegis is the optimal choice for monitoring mission-critical smart contracts with high levels of activity and substantial transaction volumes. Aegis screens all mined block transactions using predictive analytics, raising flags on dubious transactions and their related addresses based on severity. Code integration unlocks more advanced firewall-like capabilities that autonomously block exploits and prevent known malicious actors from interacting with your smart contracts.

More information about Aegis can be found at aegis.lossless.io
