Full Report
TrueUSD is a stablecoin backed by the USD dollar. Recently, ChainSecurity did an audit of the Compound cToken contract, which uncovered a new vulnerability. The concept of Double-Entry Point Tokens is having several contracts that both interact with the same balances. In the case of TrueUSD, this was the case because of a previous legacy version. Practically, the legacy contract just forwards any calls to the primary contract; altering the price in one should alter the price of the other. Works perfectly! The Compound protocol has cTokens. These are the liquidity provider tokens from the protocol. Within Compound, a function called sweepToken was implemented. This is for rescuing funds that were accidentally sent to a contract managing a specific underlying token. This function can called by anyone but the tokens are sent to the admin so it shouldn't matter. sweepToken has a sanity check to ensure that the address of the token we are trying to recover does NOT equal the underlying token of the cToken contract. This is because being able to send out arbitrary tokens that back the cToken contract would destroy the protocol. Remember how there are TWO entry points with TrueUSD though? Since either of these addresses can be specified in the sweepToken call, we can bypass this sanity check with the legacy version address. This means that the entirety of the balance of the underlying token can be sent to the Admin. Why is this bad? Finance calculations! The exchange rate of the cTUSD is as follows: (totalCash + totalBorrows - totalReserves) / totalSupply The variables above are: totalCash:T otal amount of TUSD in the contract. totalBorrows: Amount of TUSD currently borrowed from the contract. totalReserves: Amount of TUSD that belongs to the protocol. totalSupply: Amount of TUSD that has been minted. With our attack, we can force the totalCash to become 0 for TUSD in the contract. Since we are drastically changing the price of the token by doing this, an attacker can profit from it! The author gives a few ideas on how to do this: Liquidate users who provided TUSD as collateral for their loans. Borrow TUSD, execute the attack, then pay back less TUSD for the loan because of the new low exchange rate. Execute the attack to mint cTUSD. When the funds are returned to the contact, rdeem the cTUSD for a profit. TUSD cannot be used as collateral so option 1 doesn't work. Option 2 would have yielded a 12% gain without any user interactions, giving a 3.1 million dollar profit. Option 3 would have worked, since the price of cTUSD would have increased once the funds had been sent back. However, this would have required user interaction, which sucks for an attacker. This vulnerability was fixed by putting admin privileges on the sweepToken function. Additionally, TrueUSD removed the second entry point. According to the authors of the post, the better solution would have been a sanity check on the underlying balance of the contract before and after the transfer though. Overall, a very novel vulnerability that is something to look out in the future when interacting with a contract with multiple entry points.
Analysis Summary
# Vulnerability: Compound cToken Double-Entry Point Logic Error (TUSD)
## CVE Details
- **CVE ID**: Not explicitly assigned (DeFi protocol logic error)
- **CVSS Score**: Estimated 7.5 - 8.2 (High)
- **CWE**: CWE-670: Always-Incorrect Control Flow Implementation / CWE-841: Improper Enforcement of Behavioral Workflow
## Affected Systems
- **Products**: Compound Protocol (cToken contracts)
- **Versions**: cTUSD (Compound TrueUSD) implementation prior to March 2022
- **Configurations**: Tokens with multiple entry points (proxies or legacy wrappers) used as underlying assets in lending pools.
## Vulnerability Description
The flaw resides in the `sweepToken` function of the Compound cToken contract. This function was designed to "rescue" tokens unintentionally sent to the contract by transferring them to an admin address. To prevent draining the protocol's actual collateral, a sanity check ensures the token being swept is not the `underlying` token of the cToken.
However, TrueUSD (TUSD) utilized two entry points: a primary contract and a legacy contract that forwards calls to the primary one. Because both addresses interact with the same balance pool, an attacker could call `sweepToken` using the **legacy** TUSD address. The sanity check would pass (since the legacy address != the primary underlying address), but the contract would then transfer the entire TUSD balance (`totalCash`) to the admin.
## Exploitation
- **Status**: PoC available (Identified during audit by ChainSecurity)
- **Complexity**: Medium
- **Attack Vector**: Network (Smart Contract Interaction)
While the funds are sent to an admin (reducing the risk of direct theft), the removal of `totalCash` drastically lowers the cTUSD exchange rate:
`Exchange Rate = (totalCash + totalBorrows - totalReserves) / totalSupply`
An attacker could exploit this price manipulation by:
1. Borrowing TUSD before the sweep.
2. Executing the sweep to crash the exchange rate.
3. Repaying the loan at the artificially low rate (estimated 12% profit).
4. Minting/Redeeming cTUSD across the price fluctuation.
## Impact
- **Confidentiality**: None
- **Integrity**: High (Manipulation of financial calculations and exchange rates)
- **Availability**: High (Can temporarily "disable" the contract's liquidity)
## Remediation
### Patches
- **Compound**: Updated the `sweepToken` function to be `onlyAdmin`, preventing unauthorized users from triggering the transfer.
- **TrueUSD**: Deprecated and removed the secondary legacy entry point to prevent double-entry point confusion.
### Workarounds
- Implement "Balance Check" guards: Verify the underlying token balance before and after any token sweep to ensure the primary collateral remains untouched.
## Detection
- **Indicators of Compromise**: Unexpected calls to `sweepToken` involving addresses that mirror existing collateral balances.
- **Detection Methods**: Monitoring for "Double-Entry Point" tokens (proxies/upgradable tokens) via static analysis of token registries.
## References
- ChainSecurity Audit: [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)
- OpenZeppelin Retrospective: [https://blog.openzeppelin.com/compound-tusd-integration-issue-retrospective/](https://blog.openzeppelin.com/compound-tusd-integration-issue-retrospective/)
- Original Article: [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)