Fulcrum had a $2.5m vulnerability over a month ago and still hasn’t told anyone

DeFi has the potential to provide access to financial services to billions of people. But it is also a young space and vulnerable to errors, occurrences which some parties are all too happy to exploit as proof that DeFi will never work. We feel compelled to disclose the interactions we had with the bZx/Fulcrum team to provide transparency to the community, avoid that more people will lose more money, and to ensure that faith in DeFi isn’t shattered because of the mistakes of individual actors.

We discovered a vulnerability in Fulcrum before hacking it became mainstream entertainment.

The Vulnerability

It all started on January 11, 2020, when the Fulcrum team released their own Flash Loans feature on the Ethereum Mainnet, and we happened to find a very critical vulnerability in it. We discovered that $2.5M of user funds from 3 pools could be stolen within a single transaction. We prepared our own smart contract to perform a white-hat hack to protect user funds. Since the vulnerable smart contract had been published less than 48 hours before we discovered the issue, there was a very high chance that malicious attackers could exploit it, and we wanted to ensure that this wouldn’t happen.

[Image: Fulcrum FlashLoan 1-tx white-hat hack source code]
  • Anyone could discover and investigate our proof-of-hack txs
  • We had a 1-click solution to rescue funds and our finger on the red button

Payoff

Bounty evasion

Finally, the fix was deployed on mainnet. But this story wasn’t over yet. We genuinely feel ashamed that, after working through an anxiety-filled night with them, they basically tried to deny us any bounty reward. Please note that it is usually industry practice to share a percentage of the funds saved, while here they tried to deny us anything based on a technicality.

Pointing us to a bug bounty program with up to $5k tiers

The Audit Hustle

Then the Fulcrum team tried to order a security audit from us for only the FlashLoan feature. We proposed a $2k price for a 1-week audit by three people. They wanted to push the price down to $1.5k because they thought it was just 30 lines of code and there was no need to check any other code (we do not agree with them).


The third insult is the charm

Finally, the Fulcrum team proposed that we do this audit as part of the original $5k bounty, wow!


The cover-up

After all this, it still got worse. Instead of disclosing the incident to the community as promised, the strategy was now to cover it up. They tried to use the $3.5k to silence us and hide the whole thing. The right thing would have been to share it with their users and community so they could decide whether they wanted to continue entrusting their money to code that the Fulcrum team released.


Two more insults

We were anxious about user funds and tried to help Fulcrum not to sink, while the Fulcrum team was more concerned about their own company than about user funds, which remained stealable for a total of 16 hours! If we had known about the 12-hour timelock before reporting to the team, we would have white-hat hacked all the funds to protect them from being stolen by a malicious attacker.


Written by

DEX Aggregator with the best prices on the market. Achieving best rates by splitting orders among multiple DEXes in one single transaction.
