Disclosing a recently discovered vulnerability

A vulnerability was discovered in our CompoundImport contracts. All funds are safe.

Earlier today a vulnerability in our importing contracts used for migrating Compound and Aave positions was disclosed to our team.

  • On January 5th, 01:15 GMT+1, we were contacted by the Dedaub team alerting us that they found an exploitable vulnerability in some of our contracts. Some 15 minutes later we were in a Zoom call with them sharing more details.
  • The team worked through the night to verify the presence of the vulnerability and potential next steps.
  • The presence of the vulnerability was confirmed in our CompoundImport and AaveImport contracts.
  • Our AaveImport smart contracts are newer and have a kill switch which has been utilized, meaning none of the users who imported Aave positions are at risk or affected in any way.
  • The users who imported Compound positions to a Smart Wallet were affected with their funds at risk, so we continued to prepare a whitehat action.
  • On January 5th, 18:20 GMT+1, funds (or rather full user Compound positions) from affected user accounts were moved to new Smart Wallets which are owned by the fund owners.
  • All affected users can now manage these new Smart Wallet positions and, if they wish, withdraw their funds at https://app.defisaver.com/.
  • No other parts of DeFi Saver were in any way affected. Automation is in no way affected.
  • Total value of funds at risk was around $3,5m.

As of now, all affected user positions have been migrated to new Smart Wallets for which the ownership has been given to the initial owners of these funds and positions.

The two available options for us after realizing user funds were at risk were to:

  1. Pay off user debts and withdraw remaining collateral funds to their accounts, or
  2. Fully migrate their positions without affecting them in any way.

We made the decision of going with the second option and keeping the user positions intact, as we believed this would be preferred by most, if not all.

If you ever imported a Compound position to a Smart Wallet, please log in at https://app.defisaver.com/ to remove any approvals and check if any funds were transferred.

Most notable affected users with funds moved are:

  • 0xf69E… with close to $2m in cWBTC collateral
  • 0xB58… with $3,5m in cETH collateral

We are sorry for the inconvenience this has caused. For any additional questions or information, please feel free to contact us in our Discord or via Twitter.

Moving forward

This is unfortunately the second vulnerability discovered at DeFi Saver after the Exchange one in June 2020. That is two vulnerabilities more than what we ever wanted our users to be exposed to.

Moving forward, we will be establishing formal bug bounties and conducting full audits, which have already been planned for Q1 2021.

We’ll be sharing more information on this later.

As mentioned, for any questions or anything else, please contact us in the DeFi Saver Discord or via Twitter.