Mushrooms Finance Theft Of Yield Bugfix Review

Summary
Whitehat Wen-Ding Li reported a vulnerability in Mushrooms Finance classified as “high” to Immunefi on April 27. The vulnerability was a theft of yield, but the attack was not a flash loan. Rather, the attack was an MEV (miner-extractable value) attack using flash bots, which is similar to but distinct from a flash loan.
Regrettably, the vulnerability was exploited twice (block 12312954 (~0.0345 ETH) and block 12319752 (~0.0504 ETH)) prior to Wen-Ding Li’s report, leading to a loss of ~$222 in total. Mushrooms Finance has since patched the vulnerability. If this attack had not been mitigated swiftly by Mushrooms, it would have been repeatable.
Mushrooms Finance has paid a bounty of $4,000 USDC to whitehat Wen-Ding Li for the report.
Vulnerability Analysis
Theft of yield vulnerabilities occur when an attacker finds a way to steal the yield (not original user funds) generated from some on-chain financial activity like staking. This particular theft of yield is somewhat different from a normal theft of yield attack, where a harvest function (the function that distributes the yield) can be called by an external entity during a flash loan. Mushrooms Finance has an effective, pre-existing mitigation against this classic flash loan attack by requiring that the caller of the harvest function be an externally owned account, that is, a wallet and not a smart contract.
This particular vulnerability was an MEV searcher sandwich attack made easier by the existence of flash bots.
An MEV searcher creates a “bundle” and sends it to the flash bot as a sequence of transactions that must execute exactly in that order for the miner to receive the bribe. MEV searchers look in the mempool for transactions that are vulnerable to market manipulation, such as frontrunning, and then submit a transaction which distorts the relevant pool using their own assets (similar to but distinct from a flash loan). A flash bot MEV searcher forces a set of transactions to occur in a particular sequence — e.g. two transactions which sandwich the victim transaction in the middle, where the victim transaction is the harvest function.
The step by step execution of the attack is as follows:
- In the first transaction, the MEV searcher uses their own funds, not a flash loan, to distort the price of the Uniswap pool. https://etherscan.io/tx/0xec730c75c3b95debc6fb83216661d7832d2a761a1883c0c6b7593d33a860780c
- In the second transaction, the Mushrooms harvest occurs. This is a normal transaction that is being called by the Mushrooms Finance deployer. The malicious ordering happens due to the flash bot miner. https://etherscan.io/tx/0xa0ac048a8109e20c853da140c123f46f8a758fd8021978ff5f1fa749babbc70f
- In the third transaction, the MEV searcher returns the Uniswap pool to its undistorted state, obtaining a portion of the Mushrooms harvest. https://etherscan.io/tx/0x7ae34b797960cf6cbe2fac97f986482d5594896fc441414458da688ca6ed98cd
- The MEV searcher pays a bribe to the flash bot miner (but only if the preceding transactions executed successfully). This usually happens within the same transaction as the third step.
Vulnerability Fix
Mushrooms Finance has configured its keep3r to run harvests more frequently, since permission requirements and EOA requirements on the harvest function alone are insufficient against this ordering attack. Keeping harvests small but frequent makes it economically unprofitable for MEV searchers to perform this attack, because the swap required to distort the Uniswap pool enough to skim a small harvest incurs more swap fees than the harvest yields in profit.
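To see why harvest size drives the economics, the following is an added example (not Mushrooms Finance’s or Immunefi’s code) that models the three-transaction sandwich described above against a constant-product pool with Uniswap v2’s 0.3% fee. The token names R and W, the pool reserves and the harvest sizes are constructed assumptions.

```python
"""Sandwich-profit model for a Uniswap v2 style constant-product pool.

Constructed example: the vault's harvest sells reward token R for token W
through the pool. A searcher front-runs with its own R (no flash loan),
lets the harvest execute at the distorted price, then swaps its W back.
Searcher profit is measured in R; a negative value means the swap fees
cost more than the harvest slippage the searcher captured.
"""

FEE_NUM, FEE_DEN = 997, 1000  # Uniswap v2's 0.3% swap fee


def amount_out(amount_in: float, reserve_in: float, reserve_out: float) -> float:
    """Uniswap v2 getAmountOut: constant product with the fee taken on the input."""
    fee_in = amount_in * FEE_NUM
    return fee_in * reserve_out / (reserve_in * FEE_DEN + fee_in)


def sandwich_profit(reserve_r: float, reserve_w: float,
                    attacker_r: float, harvest_r: float) -> float:
    """Net R gained by the searcher from one sandwich of a harvest selling harvest_r R."""
    # Tx 1: searcher sells its own R, pushing the price of R down.
    w_got = amount_out(attacker_r, reserve_r, reserve_w)
    reserve_r, reserve_w = reserve_r + attacker_r, reserve_w - w_got
    # Tx 2: the harvest sells reward R at the distorted price (the victim).
    w_harvest = amount_out(harvest_r, reserve_r, reserve_w)
    reserve_r, reserve_w = reserve_r + harvest_r, reserve_w - w_harvest
    # Tx 3: searcher swaps its W back into R, restoring the pool.
    r_back = amount_out(w_got, reserve_w, reserve_r)
    return r_back - attacker_r


def best_sandwich(reserve_r: float, reserve_w: float, harvest_r: float,
                  steps: int = 200) -> tuple:
    """Scan searcher sizes up to the whole R reserve; return (size, profit) with the highest profit."""
    best = (0.0, 0.0)  # not attacking at all earns zero
    for i in range(1, steps + 1):
        size = reserve_r * i / steps
        profit = sandwich_profit(reserve_r, reserve_w, size, harvest_r)
        if profit > best[1]:
            best = (size, profit)
    return best


if __name__ == "__main__":
    R, W = 1_000_000.0, 1_000.0  # constructed pool: 1,000 R per W
    for harvest in (500.0, 2_000.0, 10_000.0, 50_000.0):
        size, profit = best_sandwich(R, W, harvest)
        print(f"harvest {harvest:>8.0f} R: best searcher size {size:>10.0f} R, profit {profit:>9.2f} R")
```

For this pool the best achievable profit stays at zero (no searcher size pays) while the harvest is small relative to the reserves and turns positive as the harvest grows, which is exactly the margin the more frequent keep3r harvests are meant to keep on the unprofitable side.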
Acknowledgements
We want to thank Mushrooms Finance for their work in patching the vulnerability and paying out a bounty to whitehat Wen-Ding Li. To report additional vulnerabilities, please see Mushrooms Finance’s bug bounty program with Immunefi.
If you’d like to start bug hunting, we got you. Check out the Web3 Security Library, and start earning rewards on Immunefi — the leading bug bounty platform for web3 with the world’s biggest payouts.
If you’re interested in protecting your project with a bug bounty, visit the Immunefi services page and fill out the form.