Key Ideas
- The total amount lost was more than $1.4 million.
- To send 1,100 ETH, the attacker employed the Tornado Cash mixing mechanism.
A cross-chain DEX aggregator is Rubic. Through the router CallNative function of the RubicProxy contract, users can trade native tokens. It will first determine whether the target Router of the necessary call entered by the user is on the protocol's white list before redeeming.
The multi-chain exchange protocol was compromised, according to PeckShield's monitoring, causing a loss of more than 1.4 million US dollars. 1,100 ETH were transmitted to the Tornado Cash mixing protocol by the attacker.
The main reason for the attack, according to the SlowMist security team, was that the protocol improperly put USDC tokens to the Router whitelist, which led to the theft of USDC tokens from users who were authorized to utilize the RubicProxy contract.
Only after the whitelist check, the user-supplied target Router will be called, together with user-supplied calling data. Unfortunately, USDC coins have also been added to the Router whitelist of the Rubic protocol, which enables any user to call USDC tokens arbitrarily using the RubicProxy contract.
As a result, malicious users take advantage of this flaw by using the router CallNative function to call the USDC contract and the transferFrom interface to get USDC tokens from users who are authorized to utilize the RubicProxy contract on their behalf.
