
Chibi Finance $1M alleged rug pull: How it happened

by Jon Hartney
July 3, 2023

The exploiter used a “panic” function buried within eight different smart contracts to remove $1 million worth of users’ funds without their permission.

On June 26, decentralized finance (DeFi) aggregator Chibi Finance was exploited by its own deployer account, and $1 million worth of cryptocurrency was drained from its contracts in an apparent rug pull or exit scam. The protocol’s official user interface disappeared, producing a 404 error, and all social media for the app was taken down. After the funds were drained, they were swapped for Wrapped Ether (WETH) and bridged to Ethereum, where they were afterward sent to Tornado Cash by the attacker.

The price of the Chibi Finance (CHIBI) governance token fell by over 90% as the news broke.

CHIBI token price. Source: CoinGecko.

But “rug pulls” shouldn’t be possible in DeFi. After all, these apps, by definition, don’t run on centralized infrastructure. So the app’s creator shouldn’t be able to run off with everyone’s crypto or cash.

For this reason, it might be useful to analyze how the alleged scam was pulled off.

CertiK has produced a detailed report after investigating the incident. When combined with blockchain data, this report can shed light on how the attack occurred and what users can do to protect themselves against similar attacks or scams in the future.

The Chibi Finance app

Before its user interface went offline, Chibi described itself as “the most popular yield aggregator on Arbitrum.” It claimed to allow users to gain yield from across the Arbitrum ecosystem.

According to CertiK, the DeFi aggregator has been growing in total value locked (TVL) — a measurement of the value of crypto held in an app’s contracts — since it launched in April. On June 21, Chibi announced it had achieved $500,000 in TVL. At the time, the team stated a goal to reach $1 million.

On June 26, the app was listed on CoinGecko for the first time, giving it greater exposure. It seems to have reached its $1 million goal shortly after this event, right before the tokens were drained from its contracts. As a result, investors lost over $1 million worth of crypto in the attack or scam.

Chibi Finance contracts

The attack exploited a loophole in eight different contracts used in the Chibi Finance protocol. These contracts were forked from other projects and were not unique to Chibi. For example, one of them was StrategyAave.sol at Arbitrum address 0x45E8a9BA6Fcd612a30ae186F3Cc93d78Be3E7d8d, which has also been deployed to several other addresses on Arbitrum, Ethereum, the BNB Smart Chain and other networks.

Another example is the StrategySushiSwap.sol contract at 0x9458Ea03af408cED1d919C8866a97FB35D06Aae0. This also has several versions on Arbitrum and other networks.

These contracts appear to be commonly used in DeFi aggregator applications, not just Chibi Finance.

Panic function

Blockchain data reveals that some of the contracts used by Chibi Finance contain a “panic” function that can be used to withdraw all tokens from a pool and send them to a particular address. This function was essential to the attacker’s method. Here is an explanation of how it works, with StrategySushiSwap.sol being used as an example:

Lines 340–343 of StrategySushiSwap.sol state that if the panic() function is called, it will call a second function named “emergencyWithdraw” on the ISushiStake contract.

The panic() function in StrategySushiSwap.sol contract. Source: Blockchain data.

The ISushiStake contract, in turn, is just an interface. It contains no executable code. Instead, it points to the SushiSwap: MiniChefV2 contract at 0xF4d73326C13a4Fc5FD7A064217e12780e9Bd62c3.

The MiniChefV2 address is listed as an official contract for the decentralized exchange, SushiSwap. So the “panic” function calls an “emergencyWithdraw” function within SushiSwap.

At the SushiSwap address, the emergencyWithdraw function can be seen on lines 626–643.

SushiSwap MiniChefV2 emergencyWithdraw function. Source: Blockchain data.

This function allows the owner of funds to withdraw without taking rewards. This may be useful in an emergency. For example, a user may want to call this function if a bug in the reward contract causes them not to be able to receive rewards.

The emergencyWithdraw function has a failsafe to prevent use by unauthorized persons. It states on line 360, “UserInfo storage user = userInfo[pid][msg.sender],” meaning that the “user” is defined as the sender of the message. Under normal circumstances, this should allow a user to emergency-withdraw their own funds, but not funds belonging to anyone else.

There does not appear to be anything malicious about this function in SushiSwap. However, a problem can arise if the user does not call this function directly from their own wallet.

For example, when a user deposited funds using Chibi Finance, their crypto was sent to SushiSwap by the StrategySushiSwap contract, not by the end-user directly. This meant that the Chibi Finance app was recognized as the “user” when attempting to emergency-withdraw funds. This, in turn, allowed Chibi to withdraw the users’ funds on users’ behalf.

However, the funds should have still been safe as long as the panic function could only be called by the end-user.

Unfortunately, the panic function does not have this requirement. Instead, it is simply listed within the Chibi Finance contract as an “onlyGov” function, meaning that an admin can call it, but no one else. The attacker relied on this loophole to carry out their attack.
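
The trust relationship described above can be reproduced in a small Python model. This is an added example, not the Chibi Finance or SushiSwap Solidity code: the class names, the addresses and the choice to hand the withdrawn tokens to the gov caller are assumptions made for illustration.

```python
class Pool:
    """Staking pool whose ledger is keyed by the caller, like userInfo[pid][msg.sender]."""

    def __init__(self):
        self.user_info = {}  # depositor address -> staked amount

    def deposit(self, msg_sender, amount):
        self.user_info[msg_sender] = self.user_info.get(msg_sender, 0) + amount

    def emergency_withdraw(self, msg_sender):
        # Only the caller's own entry is released, never anyone else's.
        return self.user_info.pop(msg_sender, 0)


class Strategy:
    """Aggregator strategy: it, not the end user, is the pool's depositor."""

    ADDRESS = "strategy"  # hypothetical address of this contract

    def __init__(self, pool, gov):
        self.pool, self.gov = pool, gov
        self.shares = {}  # internal record of what each user is owed

    def _only_gov(self, msg_sender):
        if msg_sender != self.gov:
            raise PermissionError("onlyGov")

    def deposit(self, user, amount):
        self.shares[user] = self.shares.get(user, 0) + amount
        self.pool.deposit(self.ADDRESS, amount)  # the pool records the strategy

    def set_gov(self, msg_sender, new_gov):
        self._only_gov(msg_sender)
        self.gov = new_gov

    def panic(self, msg_sender):
        self._only_gov(msg_sender)
        # Assumption of this model: withdrawn tokens are handed to the gov caller.
        return self.pool.emergency_withdraw(self.ADDRESS)


def run_model():
    pool = Pool()
    strategy = Strategy(pool, gov="deployer")
    pool.deposit("alice", 100)      # Alice stakes directly from her own wallet
    strategy.deposit("bob", 200)    # Bob and Carol go through the aggregator
    strategy.deposit("carol", 300)

    stranger_gets = pool.emergency_withdraw("stranger")  # pool failsafe holds
    try:
        strategy.panic("bob")       # depositors themselves cannot call panic
        bob_can_panic = True
    except PermissionError:
        bob_can_panic = False

    strategy.set_gov("deployer", "new_gov")  # admin rights change hands
    drained = strategy.panic("new_gov")      # the pooled position leaves at once
    return {
        "stranger_gets": stranger_gets,
        "bob_can_panic": bob_can_panic,
        "drained": drained,
        "alice_still_staked": pool.user_info.get("alice", 0),
        "owed_but_unbacked": sum(strategy.shares.values()),
    }
```

The direct depositor is untouched because the pool only releases the caller's own entry, while everything deposited through the strategy depends on whoever currently holds the gov role.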

How the Chibi Finance attack was carried out

According to the CertiK report, Ethereum username Shadowout.eth withdrew 10 Ether (ETH) from Tornado Cash on June 15. These funds were bridged to Arbitrum, and 0.2 ETH was sent from this user to address 0x80c1ca8f002744a3b22ac5ba6ffc4dc0deda58e3. This second account then created a malicious contract on June 23 at address 0xb61222189b240be3da072898eda7db58b00fd6ee.

The attacker called the “add pool” function on this malicious contract eight times on June 23. Since the contract is unverified, the code for this “add pool” function is unknown. However, CertiK speculated that each of these transactions may have added a Chibi Finance contract to a list within the malicious contract’s data for a total of eight contracts in the list.

On June 27, the deployer account for Chibi Finance transferred admin rights for the eight Chibi Finance contracts to the malicious contract. It did this through eight separate transactions, each one calling the “setGov” function on a particular contract.

Admin rights for one of the Chibi Finance contracts being changed. Source: Blockchain data.

After the malicious contract gained these governance rights, its creator called its “execution” function. This caused it to call “panic” on each of the eight contracts, which in turn called “emergencyWithdraw” on related pools in DeFi apps such as SushiSwap, Aave and Global Hectare.

The result was that all of the funds deposited by users to these pools through Chibi Finance were drained by the attacker, resulting in losses of over $1 million to investors.
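
The on-chain sequence above (several "setGov" calls naming the same new admin, followed by "panic") is visible before any funds move, so it can be watched for. The following is an added example, not taken from the CertiK report: the call records, addresses and thresholds are constructed for illustration, and a real monitor would decode these calls from chain data.

```python
from collections import defaultdict

# Constructed sample of decoded calls to watched strategy contracts:
# (timestamp_seconds, strategy, function, caller, argument)
CALLS = [
    (1000, "StrategyA", "deposit", "0xUSER1", 50),
    (2000, "StrategyA", "setGov", "0xDEPLOYER", "0xNEWGOV"),
    (2010, "StrategyB", "setGov", "0xDEPLOYER", "0xNEWGOV"),
    (2020, "StrategyC", "setGov", "0xDEPLOYER", "0xNEWGOV"),
    (2600, "StrategyA", "panic", "0xNEWGOV", None),
    (2600, "StrategyB", "panic", "0xNEWGOV", None),
    (9000, "StrategyD", "setGov", "0xDEPLOYER", "0xMULTISIG"),
]


def detect(calls, bulk_threshold=3, panic_window=3600):
    """Return alerts for bulk governance handovers and for panic() calls
    made by an address that only recently became gov of that strategy."""
    alerts = []
    handed_to = defaultdict(dict)  # new gov -> {strategy: time of setGov}
    for ts, strategy, fn, caller, arg in sorted(calls, key=lambda c: c[0]):
        if fn == "setGov":
            handed_to[arg][strategy] = ts
            # Fire once, when one address reaches the threshold of contracts.
            if len(handed_to[arg]) == bulk_threshold:
                alerts.append(
                    ("BULK_GOV_HANDOVER", ts, arg, sorted(handed_to[arg]))
                )
        elif fn == "panic":
            changed = handed_to.get(caller, {}).get(strategy)
            if changed is not None and ts - changed <= panic_window:
                alerts.append(("PANIC_AFTER_GOV_CHANGE", ts, caller, [strategy]))
    return alerts
```

The first alert fires at the third handover, which in this sample is several minutes before the first "panic" call.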

How can Chibi-style rug pulls be avoided?

Given that the attack relied on a “panic” function that allowed an admin to drain all of the users’ funds, one way to avoid a Chibi-style rug pull would be not to use apps that have this function.

On the other hand, if an aggregator doesn’t have a “panic” function, there is a risk that the user’s funds could get stuck if a bug or exploit is discovered within the aggregator app. Users may want to consider these tradeoffs if they decide to use aggregator apps instead of directly interacting with the underlying pools.

DeFi users may also want to consider that smart contract code can be extremely complex, and it may not be possible for most users to determine on their own whether an app has a security flaw. As CertiK claimed in its report:

“The Chibi Finance incident demonstrates the risks that are associated with centralization in the Web3 space. […] It is an unrealistic expectation for regular investors to spot and understand the centralization risks within projects like Chibi Finance by simply doing their own research.”

For this reason, users may want to check an app’s published audits before using it, CertiK stated.

Chibi Finance claimed to be audited by blockchain security firm SolidProof. The contents of the alleged audit are no longer available, as the project’s GitHub has been taken down and was never saved by internet archives. Cointelegraph could not determine whether the risks posed by the “panic” function were disclosed in the audit report or even whether an audit took place.

Cointelegraph has reached out to SolidProof for comment but did not receive a reply by publication.

Rug pulls or exit scams have become a common problem in the DeFi space. On June 1, blockchain security firm Beosin reported that over $45 million was lost from rug pulls in May, outpacing regular DeFi exploits. In April, the Ordinals Finance protocol was also allegedly rugged for $1 million through a “safuToken” transfer function.
