Solend’s Isolated Pools Exploitation—Nov 2, 2022—Detailed Analysis

Executive Summary

On November 2, 2022, an attacker targeted Solend’s isolated pools, exploiting a vulnerability in the USDH stablecoin’s price feed on the Saber platform. The attacker successfully manipulated the price and drained significant assets, incurring a loss of $1.26M.

Incident Background

USDH Stablecoin: Managed by Hubble Protocol, is a collateralized debt position.

Affected Pools:

• Kamino USDH Pool: $1.5M TVL
• Stable Pool: $1.67M TVL
• Coin98 Pool: $1.58M TVL

Nature of Exploit: Solend’s USDH price feed was manipulated as it only sourced prices from Saber’s USDH, making it vulnerable.

Attacker Add: https://solscan.io/account/7W7NJguyxgiR2fefqQXmfEVsx2NAfRuGWc4F9kpRdWiq

Detailed Timeline of Events

Pre-Exploit Phase

October 28, 2022: 2:30 am UTC
An attempt to inflate the USDH price on Saber using 200k USDC was made but failed due to rapid arbitration.

Successful Txn: https://solscan.io/tx/3EBSM7nD5YFf28swj7Tm5bCERymzN8twfoirkEZX2sN2FCuDMzyQ2zYLDX3DiZ6ScUak3XCFwHaAEUvqDHZZQ7MM

Failed Txn:
https://solscan.io/tx/5HLQwnpm2jLP4FJwin7Ae59ayXgJ9U41H5JushgkY1kQEe5q9Hnk5ksNPt6f7YpayhWp4xTqya2WKjYaUghbnhTV
https://solscan.io/tx/3EBSM7nD5YFf28swj7Tm5bCERymzN8twfoirkEZX2sN2FCuDMzyQ2zYLDX3DiZ6ScUak3XCFwHaAEUvqDHZZQ7MM

October 29, 2022
Solend’s team detected the vulnerability of the USDH price feed. Collaborations began with Hubble for an enhanced feed.

Exploit Phase

November 2, 2022 – Timeline of the Exploit

12:15 AM UTC: The attacker utilized 100k USDC to inflate the USDH price, as indicated on Solscan.

Two notable strategies distinguished this effort from prior attempts:

• Strategy 1: Post-price manipulation, the attacker inundated Saber with numerous transactions, effectively write-locking the Saber account. This action thwarted any arbitrage actions within that same slot.
• Strategy 2: In the succeeding slot, the attacker performed a self-arbitration, which is evident from Solscan records.

These modifications meant that the attacker’s net loss was confined to 600 USDC during this maneuver.

During this window, the Switchboard oracle acknowledged and registered the escalated price (as seen through Oracle1, Oracle2, Oracle3, and Oracle4).

Notably, the attacker refrained from leveraging assets against the elevated USDH collateral for reasons yet undetermined.

2:16 AM UTC

The attacker reprised their approach, pushing the USDH price to an approximate value of $15, a record corroborated by Solscan.

Mirroring the 12:15 AM strategy, the attacker self-arbitrated in the subsequent slot, an activity evident on Solscan.

Capitalizing on the artificially bloated USDH value, the attacker made deposits in USDH and extracted assets, effectively depleting the isolated pools by around $400k.

2:53 AM UTC

Persisting with their established modus operandi (similar to the 2:16 AM UTC effort), the attacker manipulated the USDH price. This led to the isolated pools being further compromised, with a significant asset drain approximating $800k (as supported by one of several borrow transaction records).

3:37 AM UTC
The gravity of the financial discrepancy came to the attention of the Solend team, who identified it as bad debt stemming from the exploit.

3:53 AM UTC
In a damage control measure, borrowing operations were suspended in the impacted pools.

4:03 AM UTC
As a precautionary countermeasure, open Loan-to-Value ratios (LTVs) for USDH within the affected pools were recalibrated to zero.

Identified Faulty Assumptions & Misconfigurations

• Stablecoin Price Imbalances: The belief that they would be instantly arbitraged was proven false.
• Oracle’s Response to Pumped Prices: The initial thought was that it would be nearly impossible for the oracle to register the inflated USDH price.
• Economic Factors: The cost and predictability of the exploit were underestimated, especially given the consistency with which the attacker manipulated prices and anticipated Oracle updates.
• Misconfigured Oracle: The sole reliance on Saber’s pool and the absence of a price cap for stablecoins rendered the feed vulnerable.

Mitigation Measures Implemented

• Improved Liquidity/Volume Monitoring: Emphasis on monitoring which LPs have dominant price discovery. Transitioning to superior sources and incorporating source weights are essential.
• Introducing Price Bounds: Implement the “MinTask” to put an upper limit on stablecoin prices to prevent aggressive upward de-pegging.
• Monitoring Value-at-Risk (VaR): Ensuring the cost of potential exploits remains higher than the value at risk.
• Enhanced Oracle Configurations: Incorporate features like “MinTask,” job weights, and median price assessments to minimize manipulation risks.

Conclusion and Forward Strategy

After the incident on November 2, 2022, Solend, in collaboration with Switchboard, has been proactive in innovating and implementing new feed mechanisms for an array of Solana-based stablecoins.

The primary objective behind these enhancements is to amplify the resilience and adaptability of the Oracle infrastructure, fostering a fortified environment for all stakeholders involved.

It’s pertinent to note a significant post-incident update. On August 16, Solend officially announced that all misappropriated funds during the November 2022 USDH price manipulation exploit have been duly restored.

Out of the original $1.26M siphoned off, approximately ~$900K was recovered, accounting for subsequent price fluctuations.

In a testament to Solend’s commitment to its users, no individual bore any financial losses. The incurred bad debt resulting from the exploit was promptly addressed and settled, safeguarding users’ interests.