Palmswap Security Report

An Overview of Recent Events

Palmswap
Aug 3, 2023

On July 24, 2023, Palmswap’s PLP Liquidity Vault was exploited due to a flash loan price manipulation, resulting in a loss of approximately $901,000.

After gaining knowledge of the incident, Palmswap responded swiftly and managed to establish contact with the attacker, resulting in the recovery of 80% of the stolen funds.

In our commitment to transparency, and upholding our community’s best interests at hand, we’re releasing this detailed security report with the findings gathered from the events.

Events Summary

The root cause of the exploit was the price manipulation of the underlying PLP token, whose price is determined by the amount of USDT in the PLP Vault contract and the USDP supply — an internal token used to keep track of the value of the deposits.

When adding or removing liquidity, the “PlpManager” contract calculates the price of the PLP token by calling the “getAum” function. However, purchasing USDP with the “buyUSDP” function also raises the PLP price.

Buying USDP increases “poolAmount”, which in turn raises the result of “getAum()”, since that function derives the assets under management from “poolAmount”.

This allowed the hacker to remove liquidity at a higher exchange rate than the one applied when the liquidity was added.

In other words, the attacker was able to manipulate the amount of USDT in the PLP Vault by calling the “buyUSDP” function in the contract, which would then invoke a call to the “_increaseUsdpAmount(mintAmount)” and “_increasePoolAmount(tokenAmount)” subroutines.

Specifically, when the “poolAmount” value is increased, the “aum” value calculated inside the “getAum” function is also increased, leading to the PLP price manipulation.

Attack Sequence

1. The attacker used a flash loan to acquire 3,000,000 USDT ($3,000,691.52).

2. Through the function “buyUSDP(),” the attacker swapped 1,000,000 USDT for 996,769 Palm USD (USDP) from the PLP Vault and received 996,324 PALM LP (PLP). The attacker then received 996,324 fee PLP (fPLP) after staking the PLP.

3. The attacker swapped the remaining 2,000,000 USDT for 1,993,538 USDP and triggered the “removeLiquidity()” function, which swapped the fPLP from the previous step for 1,962,472 PLP. They then swapped the PLP for 1,956,585 USDT ($1,957,036.45). Due to an incorrect USDP calculation in the “PlpManager” contract, the PLP Vault mistakenly returned more USDT to the attacker than it should have.

Note: A cooldown mechanism was supposed to prevent such a scenario. However, the exploit bypassed this protection because “cooldownDuration” had been initialized to zero, so liquidity could be added and removed in the same transaction.

4. The attacker swapped 1,953,430 USDP for 1,947,570 USDT ($1,948,019.41).

5. Finally, they repaid the initial 3,000,000 USDT borrowed through the flash loan which left $901,445 for the attacker.

6. Palmswap established contact with the attacker, beginning negotiations for the return of the stolen funds.

7. Palmswap managed to recover 80% of the stolen funds.
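The accounting described in the Events Summary and the cooldown note in step 3, reduced to a small Python model that is added here and is not Palmswap's contract code: it prices PLP off the raw pool balance (the incident behaviour) or, as an assumed fix, off only the USDP that backs PLP, and it enforces a cooldown between adding and removing liquidity. `same_block_round_trip` returns the net USDT an actor keeps after an add, a further USDP buy and a removal within one block; it is positive with the incident settings, zero with the alternative pricing, and raises with a non-zero cooldown. All names, the 1:1 USDP redemption and the assumed fix are constructed assumptions.

```python
from dataclasses import dataclass, field
PRECISION = 10**18  # fixed-point scale for the PLP price

@dataclass
class VaultModel:  # toy model, not Palmswap's contract code
    pool_amount: int              # USDT held by the vault ("poolAmount")
    usdp_supply: int              # USDP minted against deposits
    plp_backing: int              # USDP minted through add-liquidity only (assumed fix)
    plp_supply: int
    cooldown: int = 0             # seconds; the incident contract had "cooldownDuration" = 0
    price_from_pool: bool = True  # True: getAum() follows poolAmount, as in the incident
    last_add: dict = field(default_factory=dict)

    def get_aum(self) -> int:
        # Vulnerable: raw pool balance (inflated by buyUSDP); assumed fix: USDP backing PLP only
        return self.pool_amount if self.price_from_pool else self.plp_backing

    def plp_price(self) -> int:
        return PRECISION if self.plp_supply == 0 else self.get_aum() * PRECISION // self.plp_supply

    def buy_usdp(self, usdt: int) -> int:
        # buyUSDP: _increasePoolAmount(tokenAmount) and _increaseUsdpAmount(mintAmount), 1:1
        self.pool_amount += usdt
        self.usdp_supply += usdt
        return usdt

    def add_liquidity(self, who: str, usdt: int, now: int) -> int:
        price = self.plp_price()  # price is read before the deposit lands in the pool
        usdp = self.buy_usdp(usdt)
        plp = usdp * PRECISION // price
        self.plp_backing += usdp
        self.plp_supply += plp
        self.last_add[who] = now
        return plp

    def remove_liquidity(self, who: str, plp: int, now: int) -> int:
        if now < self.last_add.get(who, 0) + self.cooldown:
            raise RuntimeError("cooldown active")  # blocks same-block add/remove when > 0
        usdp = plp * self.plp_price() // PRECISION
        self.plp_supply -= plp
        self.plp_backing -= min(usdp, self.plp_backing)
        self.usdp_supply -= usdp
        self.pool_amount -= usdp
        return usdp

def same_block_round_trip(vault: VaultModel, deposit: int, extra_buy: int) -> int:
    # Net USDT kept by an actor who adds liquidity, buys more USDP and removes liquidity in one
    # block; USDP is treated as redeemable 1:1 for USDT. A positive result means the vault lost money.
    plp = vault.add_liquidity("actor", deposit, now=0)
    usdp_held = vault.buy_usdp(extra_buy) + vault.remove_liquidity("actor", plp, now=0)
    return usdp_held - (deposit + extra_buy)
```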

Key Learnings & Way Forward

Although we were able to recover the majority of the stolen funds, this event uncovered vulnerabilities both in the Palmswap platform and the overall ecosystem.

The team discovered that the amount of USDP was not changed and checked symmetrically by the staking and swapping functions, which allowed the price manipulation. Furthermore, the cooldown period in the contract was left undefined; a non-zero cooldown would have blocked the flash loan attack.

After thorough analysis and having assessed the situation, we have made the difficult decision to delay the highly anticipated launch of our V2 platform until we can fully resolve these issues.

In the coming weeks, we will double our efforts to review, update, and retest the contracts. We will also conduct additional audits, aiming to further reduce risks and ensure the safety of our community to the best of our ability.

We understand that this may be disappointing for our community, but we’ve decided that this is the safest way to proceed with Palmswap’s roadmap while preserving our users’ security.

This has been an unfortunate incident, but we believe that the lessons learned, as well as the overwhelmingly positive response from our community, will allow us to come back from it and build a better and safer platform for our community.

If you have any questions, we cordially invite you to join Palmswap’s Telegram channel and ask the team. We have also prepared an AMA on Twitter Spaces next Saturday to address the community’s doubts.

Thank you for your continued support,

The Palmswap Team

Palmswap

Palmswap is a decentralized perpetual protocol built on Binance Smart Chain.