Full Overview of Nimbus Liquidity Attack and Implemented Solutions
Hello Nimbus Community,
Today we have an important update for you regarding the latest events at NBU swaps, first covered in this post: https://nimbusplatform.medium.com/provided-liquidity-and-token-value-update-6c6d3616f000
We are committed to being as transparent as possible. So below, you will find a very detailed description of what happened and how Nimbus has fixed the situation — including how the team will make up for the potential losses of Liquidity Providers in the near future.
What happened at NBU Swaps on March 1, 2021?
As shared before, we’ve gone through an attack by an arbitrage smart contract.
But what our analysts have been struggling to understand is how that smart contract could achieve such results and deplete almost all liquidity in a matter of minutes.
Usually, draining a pool takes many transactions stretched over a much longer period of time. But in our case, it all happened in an instant. Why?
We’ve been searching for an answer for the past several days non-stop. And the great news is — we’ve found it!
Our analysis showed that even after the audit of the Nimbus smart contracts by Zokyo, a single zero was missing from the code. And as insignificant as that may seem, it is what allowed this situation to escalate so far.
Here’s how the Liquidity attack unfolded, step-by-step:
1) On March 1, 2021, at 3:15:17 AM UTC, the address 0x3a518964ff40ee733d30749a213d2e5c9ffb2b8c presumably made the initiating transaction, inserting 1.994E-15 NBU into the ETH-NBU swap pair on Nimbus Swap.
2) After that, liquidity was withdrawn from the ETH-NBU pair on Nimbus Swap in the amount of 516.9 ETH and 597712.9 NBU. Notably, this happened without the participation of Nimbus LP tokens. Such tokens are issued to all Nimbus Liquidity Providers when they provide Liquidity on the Nimbus Platform and are required for Liquidity withdrawal. But in this case, the liquidity was withdrawn without the use of such tokens — and this is where the anomalies begin.
3) Then, this process was repeated several times by other addresses.
4) As a result, not only were the NBU token value and the liquidity volume affected by sweeping arbitrage activity — 90% of the liquidity in the NBU pairs of the Nimbus internal Swap machine was also withdrawn in just a few transactions.
How did a missing zero in Nimbus smart contracts — unnoticed even by the auditors — affect the situation?
At the testing stage of the Nimbus smart contracts, no vulnerabilities were identified. Moreover, the external technical audit also did not identify any errors and confirmed that the Nimbus Platform is fully functional and safe.
But in the latest investigation, initiated by the Nimbus team itself, we detected an error in the code. Below, you can find a detailed technical explanation:
To calculate balance0Adjusted and balance1Adjusted in lines 405 and 406 of the Factory.sol contract, the balances must be scaled by 10,000 — and this was done correctly. However, for the smart contract to check that the new balances still satisfy the basic constant-product algorithm, the same 10,000 scale must also be used in the comparison in line 407. Due to an error, “1,000” was used there instead of “10,000”.
As a result, this single missing digit meant the invariant check was a hundred times weaker than intended, and the malicious smart contracts were able to combine their arbitrage attack with the subsequent withdrawal of liquidity.
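To make the effect of that mismatch concrete, here is a small Python model of a Uniswap-V2-style constant-product (“K”) check. It is an added illustration, not the Nimbus Factory.sol code: the function names, the 30-basis-point fee, and the pool sizes are constructed. The adjusted balances are always built with a 10,000 scale; the only thing that varies is the constant the final comparison multiplies the old reserves by. With the correct 10,000 the check rejects a swap that takes most of both reserves while sending nothing in; with 1,000 the same swap passes, because the comparison now only requires the new product to be 1% of the old one.

```python
"""
Model of the fee-adjusted constant-product check used by Uniswap-V2-style
swap contracts. Added example; not Nimbus's code. FEE_NUM, FEE_DENOM,
function names and all reserve figures are constructed assumptions.
"""

FEE_DENOM = 10_000   # scale applied to balances when building *_adjusted
FEE_NUM = 30         # 0.30% swap fee in basis points (assumed)


def k_check(reserve0, reserve1, balance0, balance1, amount0_in, amount1_in,
            check_scale):
    """True if the post-swap balances satisfy the fee-adjusted invariant.

    Adjusted balances are always scaled by FEE_DENOM. `check_scale` is the
    constant the comparison multiplies the old reserves by; only
    check_scale == FEE_DENOM is correct. Passing 1_000 models the bug.
    """
    balance0_adj = balance0 * FEE_DENOM - amount0_in * FEE_NUM
    balance1_adj = balance1 * FEE_DENOM - amount1_in * FEE_NUM
    return balance0_adj * balance1_adj >= reserve0 * reserve1 * check_scale ** 2


def simulate_swap(reserve0, reserve1, amount0_out, amount1_out,
                  send0=0, send1=0, check_scale=FEE_DENOM):
    """Mirror the V2 swap flow: optimistic transfer out, then verify K.

    amount*_in is derived from the post-transfer balances the same way a
    V2-style pair does. Returns (passed, balance0, balance1).
    """
    balance0 = reserve0 - amount0_out + send0
    balance1 = reserve1 - amount1_out + send1
    floor0 = reserve0 - amount0_out
    floor1 = reserve1 - amount1_out
    amount0_in = balance0 - floor0 if balance0 > floor0 else 0
    amount1_in = balance1 - floor1 if balance1 > floor1 else 0
    passed = k_check(reserve0, reserve1, balance0, balance1,
                     amount0_in, amount1_in, check_scale)
    return passed, balance0, balance1


def amount_out(amount_in, reserve_in, reserve_out):
    """Fee-inclusive output of a fair swap (V2 getAmountOut, bps fee)."""
    amount_in_with_fee = amount_in * (FEE_DENOM - FEE_NUM)
    return (amount_in_with_fee * reserve_out
            // (reserve_in * FEE_DENOM + amount_in_with_fee))


# Constructed pool: 500 ETH and 600,000 NBU in 18-decimal base units.
RESERVE0 = 500 * 10**18
RESERVE1 = 600_000 * 10**18


def fair_swap(check_scale):
    """Sell 1 ETH for the fee-adjusted fair amount of NBU."""
    out = amount_out(10**18, RESERVE0, RESERVE1)
    passed, _, _ = simulate_swap(RESERVE0, RESERVE1, 0, out,
                                 send0=10**18, check_scale=check_scale)
    return passed


def drain(check_scale):
    """Request 89% of both reserves while sending nothing in."""
    passed, _, _ = simulate_swap(RESERVE0, RESERVE1,
                                 RESERVE0 * 89 // 100, RESERVE1 * 89 // 100,
                                 check_scale=check_scale)
    return passed


if __name__ == "__main__":
    for scale in (10_000, 1_000):
        print(f"check scale {scale:>6}: fair swap passes={fair_swap(scale)}, "
              f"89% drain passes={drain(scale)}")
```

The fair swap passes under both constants, so ordinary trading would never have revealed the error; only a trade that violates the invariant distinguishes them. The threshold under the wrong constant is new product ≥ 1% of the old product, which is why roughly 90% of each side of a pair could leave in a single transaction without any LP tokens being burned.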
We fully understand and acknowledge that the responsibility for this event lies with the Nimbus team. We have already fixed it and are about to return assets to Liquidity Providers. Here is how:
1) First of all, the Nimbus team will reimburse liquidity to respective Liquidity Providers in full. You can be sure that we shall not let any malicious third-parties damage your well-being!
2) Second, the identified vulnerability has already been fixed. The new version of the smart contracts is published on our GitHub — hence the need for Nimbus Platform maintenance between 7 and 8 AM CET on March 4.
Now that this maintenance is over, you can add your Liquidity to the Platform again and be at ease knowing that everything functions as it should.
Here is our GitHub link for your convenience: https://github.com/nimbusplatformorg.
3) Finally, as already announced, we have activated our notification system for Liquidity Providers. From now on, it protects their assets at times of potential attacks and other risky situations in the market that our ongoing analytics detect.
Moreover, we’ve revised our approach to development and testing to avoid similar situations in the future:
1) From now on, we will enable everyone to test our code once we’re finished with the internal testing. This will be done via Bug Bounty programs — where participants can test code performance and receive rewards if they find bugs!
2) Also, our process of interaction with external auditors has undergone significant changes. From now on, we shall introduce a much higher number of testing and audit rounds and do that in a more diversified manner. It should let our users feel — and be! — safe in all situations following this event.
Finally, we have already started working closer with Liquidity Providers and Swap users to ensure a more sustainable market for NBU. This should organically balance up any nasty market conditions in the future.
As mentioned in our previous post here, https://nimbusplatform.medium.com/provided-liquidity-and-token-value-update-6c6d3616f000, this event became possible first and foremost because the NBU market is growing very fast and is still in its development phase. While this creates lots of beneficial opportunities for market participants, it also creates instability and the risk of such events. Why? Because the market is still very agile and responsive to “big” players, such as the current attackers.
However, given Nimbus’ recent success with attracting more than $3,000,000 in liquidity for the internal Swap machine and more than $300,000 to Uniswap — as well as boosting daily transaction volume to more than $500,000 — we’re surely on the right track! We just need to get used to such growth.
In particular, we need to ensure more stable activity on behalf of Swap users and more solid and coordinated support from Liquidity Providers. These conditions will balance up any market activities and ensure a healthy trend both in the short- and in the long-run.
All in all, with all the conclusions we’ve drawn and all the new practices we’ve put in place — we’ve become much, much... much! more resilient. Now, we’re ready to face many other malicious market situations, if needed — and withstand them based on this experience! But the good news is that our new practices minimize the possibility of their occurrence as much as possible.
Remember, what doesn’t kill you — makes you stronger. So you can be confident that the future is now even brighter than it was for Nimbus and all its users!
Thank you for going through this with us, and be sure to anticipate hearing more amazing news from us soon!
About Nimbus Platform
Nimbus is a DAO-governed ecosystem of dApps which generate multiple revenue streams based on real-world use cases — from P2P lending to IPOs & Crowdfunding.