A Faulty Oracle Causes a Flash Loan Attack on Themis Protocol

By Arhat | Truly Crypto | 28 Jun 2023


 

The attack was made possible due to a flawed oracle exploited to inflate the price of a Balancer LP token on Themis.

a419fd74479a4c73dc83605053d4765f86d885ef55dc9baf4758a556bbb6c9aa.png

Here's how it happened (refer to the image below):

3730656637aa24ee0ee4e1959c3728b7bba5fec7f14f70dd90a4e78b09055ea8.png

1. The hacker initiates a flash loan from Aave v3 and two Uniswap v3 pools to borrow 40,000 WETH without collateral.

2. The hacker uses 220 WETH as collateral to borrow DAI, $USDC, USDT, $ARB, and $WBTC from Themis Protocol.

3. The hacker then creates a new contract and performs various operations within it:

  • Supplies 55 WETH to a balancer pool, fetching 54.665 LP tokens.
  • Deposits these BLP tokens into Themis Protocol and manipulates the protocol into believing BLP tokens worth more than their actual value. This is because Themis Protocol relied on a flawed oracle, which provided an inflated price of BLP tokens on the Uniswap price of ETH/USDT.
  • Executes a swap of 39,725 WETH for 2,423 wstETH, affecting the price of BLP tokens in the balancer pool and further inflating their worth. This swap affected the price of the BLP tokens in the balancer pool, making them appear even more valuable in the eyes of the flawed oracle.
  • Takes advantage of this manipulated pricing to borrow 317.62 WETH from Themis Protocol.

4. The hacker then counter-swaps 2,423 wstETH for 39,724.94 WETH, reversing the earlier swapping effect and bringing back the original price value of BLP tokens in the balancer pool.

5. Finally, the flash loan from Aave v3 and Uniswap v3 is repaid with 40,000 WETH, and the hacker walks away with his profit made from the leftover WETH and other tokens.

 

Here you check all the transactions the hacker did post the hack: https://debank.com/profile/0xdb73eb484e7dea3785520d750eabef50a9b9ab33/history…  

 

tx link: https://arbiscan.io/tx/0xff368294ccb3cd6e7e263526b5c820b22dea2b2fd8617119ba5c3ab8417403d8…  

 

The majority of exploited tokens have been sent to Tornado Cash.                  

 


Thank you for reading through, and follow me here and on Twitter for more regular post updates.

I’d also appreciate it if you shared this with your friends, who would enjoy reading this.

You can find my other research & investment thesis here: https://bit.ly/3CjMvoA

If you find this analysis useful, please consider donating to 0x34ddd9223D9DDb6B56F640824Af6FCC31e1deBF4.

Thank you.

How do you rate this article?

1


Arhat
Arhat Verified Member

Investor at L2 Iterative Ventures. Prev: Founder 3z3 Labs. I write about web3 use cases, hacks, and deep dives.


Truly Crypto
Truly Crypto

On Hacks, Use Cases & Deep dives.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.