An Analysis of the Counter Exploit against the Wormhole Exploiter and Thoughts on DeFi Decentralization
Overview
On February 25, 2023, Blockworks reported that Jump Crypto had seemingly recovered 120.69k wstETH and 3.21k rETH ($225M of assets) from the infamous Wormhole Exploit that occurred one year ago. This counter exploit used Oasis upgradeable contracts to transfer the stolen funds to a new wallet. Let’s briefly analyze this incident and consider the importance of decentralization for DeFi projects.
Brief Analysis
Counter exploiter: 0x04e1e2df5bb9dbe04a4a275a4c6292006c3bd8bc
Oasis Multisig: 0x85f9b7408afE6CEb5E46223451f5d4b832B522dc
First, the counter exploiter was added as an owner of the Oasis Multisig (Txn):
Then came the main recovery process (Txn):
Changed the delay to 0 to allow immediate upgrade of the contract, then deployed two new contracts, Authorizer and Executor, and called the updateNamedService function to update:
Updated the AutomationExecutor address to the Oasis Multisig, giving the counter exploiter complete control of vault 30100:
Closed vault 30100, created a new vault controlled by the Oasis Multisig, and migrated the collateral and debt from the old vault to the new one:
Lastly, restored the contract addresses and the delay:
Then the counter exploiter received DAI, closed out the loans, and the collateral was withdrawn from the wstETH and rETH vaults and sent to a new wallet:
The new wallet 0x5fEC2f34D80ED82370F733043B6A536d7e9D7f8d:
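The sequence above (delay set to 0, services re-pointed through updateNamedService, delay restored) leaves a recognizable trail in a protocol's admin events. The following Python monitor is an added example, not code from Oasis or from the original analysis; the event names, the placeholder owner address and the restored delay value are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of decoded admin events in chain order. The event names
# (OwnerAdded, DelayChanged, NamedServiceUpdated) are hypothetical labels for
# the actions listed above, not the real contracts' event signatures.
SAMPLE_EVENTS = [
    {"block": 100, "event": "OwnerAdded", "owner": "0xNEW_OWNER_PLACEHOLDER"},
    {"block": 105, "event": "DelayChanged", "new_delay": 0},
    {"block": 105, "event": "NamedServiceUpdated", "name": "AutomationExecutor"},
    {"block": 105, "event": "NamedServiceUpdated", "name": "AutomationExecutor"},
    {"block": 105, "event": "DelayChanged", "new_delay": 1800},  # constructed value
]

@dataclass
class Finding:
    start_block: int
    end_block: Optional[int] = None   # None while the delay is still 0
    restored: bool = False
    services: list = field(default_factory=list)
    new_owners: list = field(default_factory=list)

def find_zero_delay_windows(events, owner_lookback=50):
    """Flag service updates made while the upgrade delay was set to 0."""
    findings, current, owners = [], None, []
    # sorted() is stable, so events inside one block keep their order.
    for ev in sorted(events, key=lambda e: e["block"]):
        kind = ev["event"]
        if kind == "OwnerAdded":
            owners.append((ev["block"], ev["owner"]))
        elif kind == "DelayChanged" and ev["new_delay"] == 0 and current is None:
            recent = [o for b, o in owners if ev["block"] - b <= owner_lookback]
            current = Finding(ev["block"], new_owners=recent)
        elif kind == "DelayChanged" and ev["new_delay"] > 0 and current is not None:
            current.end_block, current.restored = ev["block"], True
            if current.services:          # a delay change alone is not flagged
                findings.append(current)
            current = None
        elif kind == "NamedServiceUpdated" and current is not None:
            current.services.append(ev["name"])
    if current is not None and current.services:
        findings.append(current)          # window still open at end of data
    return findings

if __name__ == "__main__":
    for f in find_zero_delay_windows(SAMPLE_EVENTS):
        print(f)
```

A finding that also lists recently added owners matches the full pattern described above: a new multisig owner, a zeroed delay, service updates, and a restored delay.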
Thoughts on Decentralization
The reason this counter exploit succeeded is obvious: the upgrade authority over the project's contracts is still in the hands of the project team.
Although the purpose of this counter exploit was to recover the funds stolen by the hacker, and it therefore appears to be a just act, it also prompted the community to question whether funds in DeFi projects are really safe, resulting in a crisis of trust.
We do not agree with Oasis’s approach this time; it leaves us with serious doubts about the decentralized nature of projects on the blockchain.
To facilitate version updates, many DeFi projects adopt upgradeable contracts and keep the upgrade rights in their own hands, and this is exactly where users' concerns lie.
How can users be sure that the project team will not steal their funds by upgrading the contract? What happens if the private key of the upgrade account is leaked?
We recommend that contracts that interact with funds in the project should not be upgradeable. Alternatively, when upgradeable contracts are used, the upgrade permission should be transferred to address 0 once the version is stable, so as to achieve decentralization and prevent the project team or hackers from upgrading the contract to steal funds. True decentralization is the future development trend.
Summary
In this article, we briefly analyzed the attack and expressed our views on the decentralization of the project.