Full Report
Three major hacks took place in a single day, resulting in millions of dollars being stolen.

The first vulnerability was in Rabby Swap. The swap contract's router function passed caller-supplied parameters straight into `functionCallWithValue`: a user could name an arbitrary address as the "router" and supply arbitrary calldata, and the contract would execute that call with itself as the caller. Because users who had swapped before still had token approvals granted to the Rabby contract, an attacker could point the call at a token contract and `transferFrom` those users' balances into their own wallet, draining every wallet that had ever approved it. An audit had apparently been performed and missed the issue completely.

The Temple DAO hack was much simpler. The `migrateStake` function had no access controls, and it did not verify the old staking contract address or the stake value it was given. An attacker could call it with a fake old-staking address and an inflated stake value, be credited (minted) stake tokens for a deposit they never made, and drain the entire contract.

Finally, Mango Markets, which is just a trading platform, was hacked. A flash loan was used to inflate the price oracle for the Mango token from about 3 cents to 91 cents. Since this inflated the value of the attacker's collateral, they could borrow far more from the protocol than the collateral was really worth. Why is an inflated price so bad? After taking out a massive loan against the inflated collateral, the attacker simply let the price fall back down, abandoned the collateral and kept the loan.

The crazy part of the Mango Markets case is that the attacker came forward and said they would keep some of the funds as a bug bounty payment, claiming they had been using the protocol as intended. Even though that is obviously not true, how do you define expected versus unexpected functionality in a financial market? The attacker kept $45 million, and their identity is public knowledge.

Overall, three interesting hacks that led to roughly $100 million being stolen. Super interesting!
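The Rabby Swap pattern above, as an added example written for this page (it is not Rabby Swap's source code): a swap contract that forwards a caller-chosen target and calldata through OpenZeppelin's `functionCallWithValue`, the contract an attacker would use to spend other users' standing approvals, and a hardened version. All contract and function names (`VulnerableSwap`, `Drainer`, `HardenedSwap`, `isRouter`) are hypothetical; the OpenZeppelin imports assume version 4.9 or later for `forceApprove`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative code for this page; hypothetical names, not Rabby Swap's contracts.
// Assumes OpenZeppelin Contracts >= 4.9 (forceApprove).
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/utils/Address.sol";

/// Vulnerable pattern: the call target and calldata both come from the caller, and
/// the call executes with this contract as msg.sender.
contract VulnerableSwap {
    using Address for address;
    using SafeERC20 for IERC20;

    function swap(IERC20 tokenIn, uint256 amountIn, address router, bytes calldata data)
        external
        payable
    {
        // Users approve this contract so it can pull tokenIn. That approval outlives
        // the swap and is reusable by anyone through the forwarded call below.
        if (amountIn > 0) tokenIn.safeTransferFrom(msg.sender, address(this), amountIn);
        // BUG: `router` may be a token contract and `data` may encode transferFrom(...)
        router.functionCallWithValue(data, msg.value);
    }
}

/// How the bug is abused: no tokens are deposited; the "router" is the token itself.
contract Drainer {
    function drain(VulnerableSwap target, IERC20 token, address victim, uint256 amount) external {
        // The swap contract executes token.transferFrom(victim, attacker, amount) as
        // msg.sender. It succeeds because `victim` approved `target`, not the attacker.
        target.swap(
            token,
            0,
            address(token),
            abi.encodeCall(IERC20.transferFrom, (victim, msg.sender, amount))
        );
    }
}

/// Hardened version: call targets are allow-listed by the owner, calldata cannot carry a
/// token-moving selector, and tokens are only ever pulled from msg.sender.
contract HardenedSwap {
    using Address for address;
    using SafeERC20 for IERC20;

    address public immutable owner;
    mapping(address => bool) public isRouter;

    constructor() { owner = msg.sender; }

    function setRouter(address router, bool allowed) external {
        require(msg.sender == owner, "not owner");
        isRouter[router] = allowed;
    }

    function swap(IERC20 tokenIn, uint256 amountIn, address router, bytes calldata data)
        external
        payable
    {
        require(isRouter[router], "router not allowed");
        require(data.length >= 4, "bad calldata");
        // Defense in depth: even an allow-listed target must not be asked to move tokens.
        bytes4 selector = bytes4(data[:4]);
        require(
            selector != IERC20.transferFrom.selector && selector != IERC20.approve.selector,
            "token selector forbidden"
        );
        tokenIn.safeTransferFrom(msg.sender, address(this), amountIn);
        tokenIn.forceApprove(router, amountIn);   // allowance scoped to this swap
        router.functionCallWithValue(data, msg.value);
        tokenIn.forceApprove(router, 0);          // leave no standing allowance behind
    }
}
```

The allow-list is the real fix; the selector check only narrows what an allow-listed router can be asked to do, and it does not help if an allow-listed router itself exposes a generic "execute arbitrary call" entry point, so each router added to the list needs the same review. Users' approvals to `HardenedSwap` still exist, which is why revoking unused allowances remains the only protection a user controls.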
Analysis Summary
# Incident Report: DeFi "Hat Trick" Exploits
## Executive Summary
On October 11, 2022, three separate Decentralized Finance (DeFi) protocols—Rabby Swap, Temple DAO (Stax), and Mango Markets—suffered major exploits on the same day, resulting in the theft of over \$104 million in digital assets. The incidents exploited vulnerabilities ranging from flawed contract logic (lack of access control and arbitrary function calls) to manipulated price oracles via flash loans. The incidents highlight the critical need for rigorous security auditing and robust control mechanisms in DeFi.
## Incident Details
- **Discovery Date:** October 11, 2022 (identified from on-chain asset-loss reports)
- **Incident Date:** October 11, 2022
- **Affected Organization:** Rabby Swap, Temple DAO (Stax), Mango Markets
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Decentralized/Global (Blockchain-based protocols)
## Timeline of Events
### Initial Access
- **Date/Time:** October 11, 2022 (specific times not given; all three exploits occurred on this day)
- **Vector:** Vulnerable Smart Contract Functions & Market Manipulation
- **Details:**
1. **Rabby Swap:** Attacker called the swap contract's router function with a caller-chosen target address and calldata, which the contract forwarded through `functionCallWithValue`, executing an arbitrary function from the router's own context.
2. **Temple DAO (Stax):** Attacker called the `migrateStake` function, which had no access control and did not verify the caller-supplied old staking address or stake value.
3. **Mango Markets:** Attacker used a flash loan to artificially inflate the price oracle feeding the Mango token value.
### Lateral Movement
- **Rabby Swap:** Because the forwarded call executed with the router as caller, the attacker could spend the *standing token approvals* that users had previously granted to the router, draining those users' wallets.
- **Temple DAO:** The attacker supplied a fake old-staking address and stake value, was credited (minted) stake tokens for a deposit that was never made, and withdrew real tokens from the pool.
- **Mango Markets:** The attacker used the inflated collateral value to borrow massive amounts of funds from the protocol.
### Data Exfiltration/Impact
- **Rabby Swap:** \$200,000 in tokens stolen by abusing external user approvals.
- **Temple DAO (Stax):** Entire contract value drained after minting tokens using fake data.
- **Mango Markets:** Approximately \$100 million stolen by borrowing against inflated collateral and then abandoning the collateral.
### Detection & Response
- **Detection:** Incidents were identified through on-chain monitoring of massive fund transfers/asset depletion.
- **Response:** The article does not detail explicit, synchronized response actions (containment/eradication) for all three projects, though the Mango Markets attacker publicly made statements regarding retention of funds. A potential fourth hack involving ParaSwap was investigated and dismissed as a false positive.
## Attack Methodology
The attacks showcased three distinct attack vectors prevalent in DeFi:
| Incident | Initial Access Vector | Impact Method |
| :--- | :--- | :--- |
| **Rabby Swap** | Bypassing function parameter validation (`functionCallWithValue`) in router. | Abusing existing user allowances/approvals to drain authorized balances. |
| **Temple DAO (Stax)** | Directly calling critical function (`migrateStake`) without authorization checks. | Unauthorized token minting based on fabricated stake data, followed by draining minted assets. |
| **Mango Markets** | Extreme market manipulation (Flash Loan). | Inflating collateral value to borrow disproportionately large loans, then defaulting on the loan (collateral abandonment). |
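The Temple DAO (Stax) row of the table, as an added example written for this page (not Temple DAO's or Stax's source code): a staking pool whose `migrateStake` trusts a caller-supplied "old pool" address and a caller-supplied amount, the do-nothing contract an attacker would pass as the old pool, and a hardened pool that fixes the source contract at deployment, gates migration behind the owner, and credits only the tokens that actually arrived. All names (`VulnerableStaking`, `FakeOldStaking`, `HardenedStaking`, `IOldStaking.migrateWithdraw`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative code for this page; hypothetical names, not Temple DAO / Stax contracts.
// Assumes OpenZeppelin Contracts 4.x.
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

interface IOldStaking {
    /// Expected to debit `staker` and send `amount` of the staking token to msg.sender
    /// (the new pool); a legitimate old pool restricts this to the registered migrator.
    function migrateWithdraw(address staker, uint256 amount) external;
}

/// Vulnerable pattern: the "old" contract is whatever the caller says, and so is the amount.
contract VulnerableStaking {
    using SafeERC20 for IERC20;

    IERC20 public immutable stakingToken;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(IERC20 token) { stakingToken = token; }

    function migrateStake(address oldStaking, uint256 amount) external {
        // BUG 1: no access control and no registry, so `oldStaking` can be any contract.
        IOldStaking(oldStaking).migrateWithdraw(msg.sender, amount);
        // BUG 2: `amount` is trusted; nothing checks that any tokens arrived.
        balanceOf[msg.sender] += amount;
        totalSupply += amount;
    }

    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        stakingToken.safeTransfer(msg.sender, amount); // pays out other stakers' tokens
    }
}

/// The attacker's "old pool": accepts the call and does nothing, so any amount is credited.
contract FakeOldStaking is IOldStaking {
    function migrateWithdraw(address, uint256) external override {}
}

/// Hardened version: fixed source contract, owner-gated migration, measured credit.
contract HardenedStaking {
    using SafeERC20 for IERC20;

    IERC20 public immutable stakingToken;
    IOldStaking public immutable oldStaking;   // set once, never read from calldata
    address public immutable owner;
    bool public migrationOpen;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor(IERC20 token, IOldStaking legacyPool) {
        stakingToken = token;
        oldStaking = legacyPool;
        owner = msg.sender;
    }

    function setMigrationOpen(bool open) external {
        require(msg.sender == owner, "not owner");
        migrationOpen = open;
    }

    function migrateStake(uint256 amount) external {
        require(migrationOpen, "migration closed");
        uint256 before = stakingToken.balanceOf(address(this));
        oldStaking.migrateWithdraw(msg.sender, amount);       // only the registered pool
        uint256 received = stakingToken.balanceOf(address(this)) - before;
        require(received == amount, "stake not received");    // credit what arrived, not what was claimed
        balanceOf[msg.sender] += received;
        totalSupply += received;
    }

    function withdraw(uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        stakingToken.safeTransfer(msg.sender, amount);
    }
}
```

The balance-delta check is the part that matters even once the source address is fixed: it makes the credited stake a measurement rather than an assertion, which also catches fee-on-transfer tokens and a buggy old pool. If the old pool can call back into the new one, add a reentrancy guard around `migrateStake` as well.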
## Impact Assessment
- **Financial:** Over \$104 million stolen across the three protocols.
  - Rabby Swap: ~\$200,000
  - Temple DAO: Undisclosed (entire contract drained)
  - Mango Markets: ~\$100 million
- **Data Breach:** No personal data breach is implied; the impact is compromise of financial assets.
- **Operational:** Significant operational disruption and loss of trust for affected DeFi protocols.
- **Reputational:** Major negative impact on user trust within the DeFi ecosystem, underscored by the public nature of the Mango Markets exploit details.
## Indicators of Compromise
*Note: As these are on-chain smart contract exploits, IoCs are transaction hashes and exploited functions.*
- **Network Indicators (Defanged):** N/A (Blockchain transactions, not traditional network connections)
- **File Indicators:** N/A
- **Behavioral Indicators:**
- Unauthorized external calls originating from a router contract context (Rabby Swap).
- Calls to migration functions that verify neither the caller's identity nor their input parameters (Temple DAO).
- Rapid, large-scale flash loans correlated with extreme, temporary price oracle spikes (Mango Markets).
## Response Actions
The provided context focuses on the *nature* of the attacks rather than structured organizational response steps (Containment, Eradication, Recovery).
- **Containment Measures:** Not detailed, but would typically involve pausing vulnerable contracts or blocking further asset drainage.
- **Eradication Steps:** Not detailed.
- **Recovery Actions:** Not detailed, but implied high cost associated with compensating users and restoring liquidity.
## Lessons Learned
- **Audit Failures:** A significant security audit failed to identify a critical path vulnerability in Rabby Swap's router function.
- **Importance of Access Control:** Temple DAO's exploit highlights that functions capable of minting new tokens or migrating state absolutely require strict authorization checks.
- **Oracle Security is Paramount:** Price oracle manipulation remains a highly effective attack vector against lending/borrowing platforms like Mango Markets.
- **False Positives:** Security incident reporting must be verified before public dissemination (ParaSwap incident).
## Recommendations
- Implement formal, comprehensive multi-stage security audits focusing intensively on logic flows, access controls, and interaction with external price feeds/oracles.
- Review and minimize standing user allowances/approvals granted to smart contracts (to limit potential impact from future router exploits).
- Utilize secure, decentralized, and robust price oracle solutions (e.g., time-weighted averages or volume-weighted averages) rather than simple single-point reporting prone to flash loan manipulation.
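The oracle recommendation above, as an added example written for this page (not Mango Markets code, which runs on Solana): a cumulative-price TWAP oracle and a lender that values collateral at the lower of spot and TWAP and refuses new loans while spot is dislocated from the average. Contract names, the 30-minute window, the 10% deviation limit and the 50% loan-to-value figure are hypothetical parameters chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative code for this page; hypothetical names and parameters.

/// Cumulative-price TWAP oracle: a price only enters the average in proportion to the
/// seconds it was in force, so a same-block (flash-loan) spike contributes zero seconds.
contract TwapOracle {
    struct Observation { uint64 timestamp; uint192 cumulative; }

    address public immutable reporter;
    uint256 public spot;          // latest price, 1e18 = 1 USD
    uint256 public cumulative;    // sum of price * seconds since deployment
    uint64 public lastUpdate;
    Observation[] public observations;

    constructor(uint256 initialPrice) {
        reporter = msg.sender;
        spot = initialPrice;
        lastUpdate = uint64(block.timestamp);
        observations.push(Observation(lastUpdate, 0));
    }

    /// Accumulate the outgoing price over the elapsed interval, then record the new spot.
    function update(uint256 newSpot) external {
        require(msg.sender == reporter, "not reporter");
        cumulative += spot * (block.timestamp - lastUpdate);
        lastUpdate = uint64(block.timestamp);
        spot = newSpot;
        observations.push(Observation(lastUpdate, uint192(cumulative)));
    }

    /// Time-weighted average over the last `window` seconds; reverts if history is too short
    /// so that a consumer fails closed rather than averaging over a shorter period.
    function twap(uint256 window) public view returns (uint256) {
        require(window > 0, "zero window");
        uint256 target = block.timestamp - window;
        uint256 i = observations.length;
        // Linear scan back to the newest observation at or before `target`; production
        // code would binary-search a bounded ring buffer instead of an unbounded array.
        while (i > 1 && observations[i - 1].timestamp > target) { i--; }
        Observation memory o = observations[i - 1];
        require(o.timestamp <= target, "insufficient history");
        uint256 cumNow = cumulative + spot * (block.timestamp - lastUpdate);
        return (cumNow - o.cumulative) / (block.timestamp - o.timestamp);
    }
}

/// Lender that cannot be pushed into over-lending by a short-lived price pump.
contract Lender {
    uint256 public constant WINDOW = 30 minutes;
    uint256 public constant MAX_DEVIATION_BPS = 1_000; // 10% spot-vs-TWAP tolerated
    uint256 public constant LTV_BPS = 5_000;           // borrow up to 50% of collateral value

    TwapOracle public immutable oracle;
    mapping(address => uint256) public collateral; // collateral token units, 1e18
    mapping(address => uint256) public debt;       // USD, 1e18

    constructor(TwapOracle o) { oracle = o; }

    function deposit(uint256 amount) external { collateral[msg.sender] += amount; } // token pull omitted

    /// min(spot, TWAP): a pump raises collateral value no faster than the window lets it,
    /// while a dump is reflected immediately.
    function collateralValue(address user) public view returns (uint256) {
        uint256 s = oracle.spot();
        uint256 t = oracle.twap(WINDOW);
        uint256 p = s < t ? s : t;
        return collateral[user] * p / 1e18;
    }

    function borrow(uint256 usdAmount) external {
        uint256 s = oracle.spot();
        uint256 t = oracle.twap(WINDOW);
        // Circuit breaker: no new loans while the market is dislocated in either direction.
        uint256 diff = s > t ? s - t : t - s;
        require(diff * 10_000 <= t * MAX_DEVIATION_BPS, "price dislocated");
        require(
            (debt[msg.sender] + usdAmount) * 10_000 <= collateralValue(msg.sender) * LTV_BPS,
            "exceeds LTV"
        );
        debt[msg.sender] += usdAmount; // payout omitted
    }
}
```

A TWAP raises the cost of manipulation only in proportion to the window: an attacker who can hold the price up for the full window still gets through, so the average has to be paired with the deviation circuit breaker shown here and with borrow caps sized to the real liquidity of the collateral's market, not just to its quoted price.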