Midas capital sees fishy flash loan activity
Blockchain security watch firm Certik Alert has revealed a cynical attack on Midas Capital. The firm added that the exploiter (0x1863…) gained 663,101 MATIC, worth $660,000 at the time of writing.
Midas Capital paused borrowing activities
On Jan.15, Midas Capital, a venture capital organization that funds and supports blockchain projects to their success, announced the pause of borrowing activities on the Jarvis Polygon pool.
Users were informed that the pause was due to an investigation of a suspicious transaction that involved a recently added collateral token (WMATIC_STMATIC).
WMATIC_STMATIC token was listed last week on the official Midas capital website with a supply cap of 250,000. The company discussed adding the token with its team (Jarvis network) to add new options for pool utilizers. Implementation of the supply caps was to the prevention of grand borrows against such Liquidity pool tokens and was yet enough.
Midas stated they had made a wrong judgment as they assumed that a pool comprised solely ERC20’s wrapped assets. It also believed that the previous re-entry attack wouldn’t affect them while using ‘raw call’ the chain’s native token.
Midas experienced the same event before launching BNB with Ellipsis when the company highly backed LP tokens as collaterals. The confidence of their oracle emanated from the Ellipsis, which had strictly ejected the ability to conduct ‘raw call’s’.
Jarvis Network had multiple bugs
Ancilia, a web three partner, stated that Jarvis Network had multiple bugs. Re-entry and jFIAT token price fixing are what lead to the loan benefit. The attacker utilized the chance for re-entry during the native token WMATIC in borrowing vast bulk. The whitecap hacker later spent 270k WMATIC as collateral and minted 131JFIAT tokens.
The attacker then generated another contract, utilized one of the ten borrowed amounts to liquidate the debt, and redeemed 103 jFIAT immediately after the price was forced and changed. There was a suspicious questionnaire with Midas price oracle. Nonetheless, the polygon implementing contract was the case of the problem.
After investigating the price oracle, Ancilia recognized a price calculation to get a virtual price function that depends on self D in storage slot 0x10. The self D value is usually 0x041a1ba29495fff4fab5bc; however, it is ten times larger when the attack happened.