Backtesting Web3 Exploits: Could the Team Finance and ASKACR hacks be prevented?

On the flip side of promising innovations in finance, the DeFi space is notorious for facilitating digital theft of enormous proportions. The De.Fi REKT database, which tracks the financial impact of scams and exploits, estimates nearly $77bn in cumulative losses to date. With a recovery rate of less than 9%, much of that financial impact is permanent.

Yet very few exploits are executed instantly. Many take minutes, hours, or even days to unfold, providing project teams with a brief time window to react. When time is of the essence, alerts from an automated threat monitoring system like Aegis could make all the difference in protecting mission-critical assets.

To see if Aegis could stand up to the task, our developers backtested its capabilities against some of the most high-profile exploits, worth an estimated $727m in total value stolen. We have subdivided results into “minutes”, “hours”, and “days” categories based on the reaction time window Aegis would have provided.

This article focuses on the exploits that fall within the “hours” category, including the exploit against Team Finance and the more recent but lesser-known attack against ASKACR.

Key Takeaways

Aegis provided an average reaction time window of 1.23 days based on 20 analyzed exploits. That is how much time projects teams would have had to take action.

Excluding the five attacks that took days to unfold, the average reaction time window is 20.26 minutes. Aegis thus provided a 20-minute forewarning about more sophisticated exploits.

The $14.5m attack against Team Finance was spotted by Aegis an impressive 1 hour and 7 minutes before being executed. The smaller $28,400 attack against ASKACR was spotted 1 hour and 54 minutes before exploit time.

Anatomy of Team Finance Hack

Team Finance was exploited on October 27, 2022. The $14.5m attack targeted the liquidity pools of four projects safeguarding their funds with Team Finance. CAW lost $11.5m, FEG — $1.7m, TSUKA — $1.7m, and KNDX — $0.7m. TSUKA overall experienced less of an impact because it had a secondary liquidity pool on Uniswap v3.

Attack tx: 0xb2e3ea72d353da43a2ac9a8f1670fd16463ab370e563b9b5b26119b2601277ce

Attacker’s contract: 0x161cebb807ac181d5303a4ccec2fc580cc5899fd

The protocol was exploited due to a flaw in the migrate() function. It was manipulated to shift authentic UniswapV2 liquidity to an attacker-controlled V3 pair with a distorted price. The substantial residual was then refunded for profit. Additionally, the attacker sidestepped the function’s validation of the authorized sender by simply locking the tokens. Eventually, Team Finance managed to return $7m of tokens to the four affected projects in a few days.

Exploiter address 1: 0x161cebb807ac181d5303a4ccec2fc580cc5899fd

Exploiter address 2 (with stolen funds): 0xba399a2580785a2ded740f5e30ec89fb3e617e6e

Our developer Ignacio Freire notes that a smart contract audit was never sufficient to prevent this type of exploit:

“It would have been nearly impossible to spot this kind of bug during a contract-specific audit. Without the full workflow, it would have been extremely difficult to see how anyone could have sidestepped the migrate() function validations, which check if the caller is a “lockedERC20” address — an easily obtainable status within the protocol. However, had the team monitored the smart contract with Aegis, they would have received an early alert as soon as the attacker made the call.”

Backtesting the incident using Aegis, our developers found that Team Finance would have received a high severity alert at 7:22:35AM — a full 1 hour and 7 minutes before the exploit time. Had the Team Finance relied on Lossless for automated threat monitoring, they would have had sufficient time to react.

Anatomy of ASKACR Exploit

The more recent exploit against the ASKACR token on the BNB Chain occurred on March 21, 2023. The attack, worth approximately $28,400, was made possible by a faulty reward distribution mechanism, which processed LP holder rewards for the $BSCUSD-$ASKACR pair without checking the transfer amount first.

Attack tx: 0xc20fa4953ff394bb806a57cafe71d1163973c0e5a47bb8dad1703a518b15ea3b

The attacker was thus able to transfer 0 in $ASKACR tokens to LP holders, amassing extra rewards in the process. By generating a multitude of new contracts and continuously repeating this procedure, the attacker was able to profit from this exploit. Once the attack had been discovered, the price of $ASKACR plummeted, falling more than 99%.

Retrospectively analyzing the incident, our developers noted that Aegis would have issued a high severity alert at 11:45:07 AM — 1 hour and 54 minutes before exploit time. Had the project team relied on Lossless for on-chain threat monitoring, the project would still potentially be alive to this day.

Lossless Aegis

These hacks were backtested using Aegis, an automated security monitoring system that warns project teams of threats before they evolve into harmful exploits. Basic monitoring services with real-time alerts are accessible without integration. Users can simply register on the platform and add their smart contract addresses to the watchlist.

Aegis is the optimal choice for monitoring mission-critical smart contracts with high levels of activity and substantial transaction volumes. Aegis screens all mined block transactions using predictive analytics, raising flags on dubious transactions and their related addresses based on severity. Code integration unlocks more advanced firewall-like capabilities that autonomously block exploits and prevent known malicious actors from interacting with your smart contracts.

More information about Aegis can be found at aegis.lossless.io