TL;DR

On November 23, 2022, the Numbers Protocol ($NUM token) on the Ethereum chain was attacked, resulting in the loss of approximately $13,836.

Introduction to Numbers Protocol

Numbers Protocol is the asset-driven, decentralized protocol that makes digital media traceable and verifiable via its ecosystem processes.

Vulnerability Assessment

The root cause of the vulnerability is because the NUM token was incompatible with the Multichain, a cross-chain router protocol.

Steps

  1. The NUM token lacked a permit function required by the Router protocol.

  2. However, it did have a default callback function, which allowed forged signature to be passed in to trick the cross-chain bridge into transferring the user's assets.

  3. We investigated one of the attack transaction carried out by the hacker.

  4. The attack was front-run by a bot, which paid the builder approximately 10 ETH out of the entire profit.

  1. The attacker created a fake anyToken using the attack contract which use $NUM as its underlying token.

  2. The attacker then called the anySwapOutUnderlyingWithPermit function of the Multi-Chain Router contract to drain 557,754.45000198 $NUM tokens from one of the victim user.

  1. This function should generally pass in token, and call the permit function of the underlying token for signature approval, before exchanging the token of the authorized user to the specified address.

  2. In this case, since the $NUM token contract didn’t have a permit function, but it did have a callback function, which means that when an attacker sent in a fake signature, the callback function would return normally, so the transaction wouldn't fail.

  3. Eventually, this allowed the $NUM token at the victim address to be transferred to the specified attack contract.

  4. The attacker then used Uniswap to convert the profitable $NUM tokens into $USDC and then into WETH to collect their remaining rewards.

Aftermath

The team published a statement acknowledging the situation as a critical issue with the multi-chain bridge. They also advised $NUM users to disconnect wallet to multi-chain swaps and avoid those services until the issue is clarified.

A later post-mortem report from the team stated that the NUM token contract will be upgraded to prevent similar attacks in the future.

How to prevent such an attack vector

The exploit could have been avoided to a greater extent had the victim user revoked their unrestricted permission to the Multichain. This issue is a follow up to a similar incident on the Multichain which caused a loss of approximately $1.4 million.

Protocol, and Platform Security

Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and feeling of responsibility to do so.

Reference Source
Numbers Protocol