Oct 24, 2022 Frank Stewskid
A market manipulation reported by Peckshield causes a chain reaction in other protocols
Peckshield disclosed a market manipulation exploit on the miMATIC market of the lending platform market.xyz last night. Market.xyz has still not commented on the matter, and the community Discord is silent, even though a user asked a community manager for a response.
Peckshield's first tweet about the exploit shared the transaction hash and told QiDAO that it “may want to take a look”.
Hi, @QiDaoProtocol, you may want to take a look: https://t.co/Ih5MXpF7W3
— PeckShield Inc. (@peckshield) October 23, 2022
QiDAO responded by stating that the market.xyz hack was unrelated to QiDAO smart contracts. It also reiterated that its risk committee monitors collateral and maintains a so-called “Risk Matrix” that tracks on-chain data and issues risk reports. Furthermore, QiDAO uses Chainlink oracles to price its collateral assets, safeguarding the value backing the MAI stablecoin.
We want to reiterate that the recent exploit on the @market_xyz lending market on @0xPolygon is completely unrelated to QiDao smart contracts.
— Qi Dao (@QiDaoProtocol) October 24, 2022
A highlight of how QiDao & $MAI avoid issues with collateral assets👇
- Risk Management
- New asset onboarding process
- Oracles
Since the exploit on market.xyz also affected QuickSwap pools that market.xyz relies on, QuickSwap stated that it is aware of the issue and is preparing a blog post, according to a message from an admin on the platform’s Discord server. At the time of writing, the blog post has not yet been published.
According to Peckshield, the miMATIC market uses a “CurvePoolOracle” for its price feed; by manipulating the price the oracle reported, the exploiter was able to borrow funds from the market. This particular bug had apparently been disclosed recently by ChainSecurity.
It is a price manipulation issue. The miMATIC market uses CurvePoolOracle for price feed, which is manipulated to borrow funds from the market https://t.co/kDv10Zp2nz @market_xyz @QuickswapDEX @QiDaoProtocol https://t.co/muXdhubeJD pic.twitter.com/l5uWb5ynQQ
— PeckShield Inc. (@peckshield) October 24, 2022
The issue described by ChainSecurity is a read-only reentrancy vulnerability: the value returned by one function of some Curve pools (which are often forked) could be manipulated during liquidity removal, because a view function can be called while the pool’s state is still being updated. ChainSecurity discovered the issue in April 2022 but only published its report in October 2022, stating that it could now share the technical details “since all teams secured their projects”.
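To make the read-only reentrancy concrete, here is an added Python model (not code from the article, Curve, market.xyz or ChainSecurity) of a pool whose withdrawal sends coins before burning LP tokens, a view that reads the LP price mid-update, and the consumer-side check that refuses such a reading. The pool invariant (sum of balances), the call ordering and the Python callback standing in for an ETH transfer are simplifying assumptions.

```python
WAD = 10**18  # 18-decimal fixed point, as on-chain
class Pool:
    """Toy two-coin pool. D is approximated by the sum of balances (exact for a
    balanced stableswap pool); assumed ordering: coins are sent, then LP burned."""
    def __init__(self, bal0, bal1, lp_supply):
        self.balances = [bal0, bal1]
        self.lp_supply = lp_supply
        self.locked = False  # nonreentrant lock held by state-changing entry points
    def get_virtual_price(self):
        # A view: it reads state and does not consult the lock.
        return (self.balances[0] + self.balances[1]) * WAD // self.lp_supply
    def remove_liquidity(self, amount, recipient):
        assert not self.locked, "reentrant call"
        self.locked = True
        for i in range(2):
            value = self.balances[i] * amount // self.lp_supply
            self.balances[i] -= value
            if i == 0:
                recipient.receive_eth(value)  # external call: recipient code runs here
        self.lp_supply -= amount  # LP tokens burned only after the transfers
        self.locked = False

def naive_lp_price(pool):
    return pool.get_virtual_price()  # trusts the view unconditionally

def guarded_lp_price(pool):
    # Consumer-side check: refuse to price while a state-changing call is in flight.
    # On-chain a consumer calls a nonreentrant pool function that reverts while the lock is held.
    if pool.locked:
        raise RuntimeError("pool state is mid-update; refuse to price")
    return pool.get_virtual_price()

class Recorder:
    """Stands in for a contract whose ETH receiver queries the oracle."""
    def __init__(self, pool):
        self.pool, self.seen = pool, {}
    def receive_eth(self, _value):
        self.seen["naive"] = naive_lp_price(self.pool)
        try:
            guarded_lp_price(self.pool)
            self.seen["guarded"] = "accepted"
        except RuntimeError:
            self.seen["guarded"] = "refused"

def run_scenario():
    pool = Pool(1_000 * WAD, 1_000 * WAD, 2_000 * WAD)  # constructed sample state
    before = naive_lp_price(pool)
    rec = Recorder(pool)
    pool.remove_liquidity(500 * WAD, rec)
    return before, rec.seen["naive"], naive_lp_price(pool), rec.seen["guarded"]
```

The reading taken inside the callback differs from both the pre- and post-withdrawal price, which is exactly the window a pool-derived oracle exposes; pricing collateral from an external feed, as QiDAO does with Chainlink, sidesteps the problem entirely.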