Full Report
Armor DeFi has insurance-coverage-like functionality: a user with coverage can make a claim after suffering an event covered under the policy. One ETH is worth 10^18 WEI, and when dealing with money in Solidity, functions such as `msg.sender.transfer` take their amount in WEI. When making a payout, the amount specified was already in WEI. However, the developer thought it was in ETH, so they multiplied it by 10^18 even though it was already in WEI. This results in an enormous payout that should not be possible. The vulnerability was discovered a few hours after the bug bounty program's reward was increased, which means the program is working as intended! The bug had not yet been shipped to production, but it would have resulted in a major hack if it had been. How was this not found in testing? This is basic functionality testing that should have test cases for it. Sometimes, all of these products just feel like scams.
Analysis Summary
# Morning News Roll-up March 05, 2025
## Overview
Today's report highlights a critical vulnerability discovered in the Armor DeFi protocol prior to its production deployment. The flaw, involving a fundamental unit conversion error in smart contract code, could have allowed for a total protocol wipeout. The incident underscores the efficacy of high-value bug bounty programs in securing decentralized finance platforms.
## Top Stories
### Armor DeFi Critical Unit Conversion Bug
- Summary: A critical vulnerability was discovered in Armor’s `ClaimManager.sol` contract where payment amounts were redundantly multiplied by 10^18. This error occurred because the developer incorrectly assumed the input was in ETH when it was already in WEI. An attacker with minimal coverage could have triggered a payout $10^{18}$ times larger than intended, potentially draining the entire coverage pool. The bug was caught via a bug bounty program before the code reached production.
- Source: hxxps://medium[.]com/immunefi/armor-bugfix-review-6cdc579be8a0
### Immunefi Facilitates Record Payout for Preventative Disclosure
- Summary: Security researcher Alexander Schlindwein identified and reported the Armor DeFi vulnerability following a significant increase in the project's bug bounty valuation. The timely disclosure through the Immunefi platform prevented a "total wipeout" of the protocol's assets. The bounty reward at the time of publication was valued at approximately $876,000 USD.
- Source: hxxps://armor[.]fi/
### Sky (formerly Maker) Remote Code Execution Bugfix
- Summary: Immunefi has released a review of a Remote Code Execution (RCE) vulnerability within the Sky protocol ecosystem. The review details the technical nature of the bug and the collaborative remediation process used to secure the platform.
- Source: hxxps://medium[.]com/immunefi/sky-remote-code-execution-bugfix-review-9bfbeb8c1c17
---
# Armor DeFi Smart Contract Critical Vulnerability
A critical logic error in the Armor DeFi insurance coverage platform's claim processing contract would have allowed users to withdraw astronomically more funds than they were entitled to, leading to a total loss of protocol liquidity.
## Key Points
- **Nature of Flaw:** A redundant unit conversion in the smart contract logic.
- **Technical Detail:** In Solidity, `msg.sender.transfer` expects values in WEI. The variable `_amount` was already provided in WEI, but the code multiplied it by $10^{18}$ (the conversion factor for ETH to WEI), resulting in a payout $1,000,000,000,000,000,000$ times larger than the correct amount.
- **Economic Impact:** A single dollar of insurance coverage could have been used to drain all available assets in the pool.
- **Discovery Context:** The bug was found by Alexander Schlindwein (CTO of Ideamarkets) shortly after Armor increased its bug bounty to 1,000,000 $ARMOR tokens (valued at ~$1.5M at the time).
## Threat Actors
- **Proactive Researchers:** Alexander Schlindwein (Security Researcher/Whitehat).
- **Potential Exploiters:** While no active exploitation occurred in the wild, the vulnerability would have been highly attractive to financially motivated threat actors targeting DeFi liquidity pools.
## TTPs
- **Smart Contract Logic Exploitation:** Leveraging flaws in the mathematical logic of the contract code.
- **Integer Overflow/Incorrect Scaling:** Utilizing incorrect decimal precision to inflate withdrawal amounts.
- **Pre-deployment Discovery:** The vulnerability was identified in the code audit/bounty phase before being pushed to the mainnet.
## Affected Systems
- **Platform:** Armor DeFi
- **Contract:** `ClaimManager.sol` (specifically Line 62)
- **Technology:** Ethereum / Solidity Smart Contracts
## Mitigations
- **Code Remediation:** Line 62 (`uint256 payment = _amount * 10 ** 18;`) was deleted to ensure the transfer used the original WEI value.
- **Rigorous Testing:** Implementation of unit tests specifically designed to verify decimal scaling and unit consistency (WEI vs. ETH).
- **Bug Bounty Programs:** Utilizing platforms like Immunefi to incentivize external security researchers to review code before production deployment.
- **Code Audits:** Formal verification of smart contract logic regarding financial transfers.
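As an added illustration, not code from Armor or from the report, the following Solidity stand-in shows the buggy payout path described in the Key Points beside the corrected one, together with the Foundry-style unit test for WEI consistency that the Mitigations section calls for. The contract and function names, the `setCoverage` setter, the constructed balances and the Foundry harness are all assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "forge-std/Test.sol";
// Minimal stand-in for a claim-payout contract (assumed names, not Armor's code).
contract ClaimPool {
    mapping(address => uint256) public coverage; // approved claim per user, in WEI
    function setCoverage(address user, uint256 amountWei) external {
        coverage[user] = amountWei; // test setup only, deliberately no access control
    }

    // Buggy pattern from the report: `_amount` is already WEI but is rescaled as ETH.
    function payoutBuggy(uint256 _amount) external {
        require(coverage[msg.sender] >= _amount, "exceeds coverage");
        coverage[msg.sender] -= _amount;
        uint256 payment = _amount * 10 ** 18; // redundant ETH->WEI conversion
        payable(msg.sender).transfer(payment);
    }

    // Fixed pattern: transfer() takes WEI, so the WEI amount passes through unchanged.
    function payoutFixed(uint256 _amountWei) external {
        require(coverage[msg.sender] >= _amountWei, "exceeds coverage");
        coverage[msg.sender] -= _amountWei;
        payable(msg.sender).transfer(_amountWei);
    }
}

// Unit-consistency test: what leaves the pool must equal what was claimed, in WEI.
contract ClaimPoolTest is Test {
    ClaimPool pool;
    address user = address(0xBEEF);

    function setUp() public {
        pool = new ClaimPool();
        vm.deal(address(pool), 100 ether); // constructed pool balance
        pool.setCoverage(user, 1 wei);     // constructed coverage: a single WEI
    }

    function testFixedPaysExactlyTheClaim() public {
        vm.prank(user);
        pool.payoutFixed(1 wei);
        assertEq(user.balance, 1 wei); // passes
    }

    function testBuggyPaysExactlyTheClaim() public {
        vm.prank(user);
        pool.payoutBuggy(1 wei);
        assertEq(user.balance, 1 wei); // fails: 1 ETH (10**18 WEI) was paid out
    }
}
```

The second test fails against the buggy function, which is exactly how a test of this shape would have flagged the scaling error before deployment.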
## Conclusion
This incident is a prime example of how a minor coding oversight in DeFi, here a confusion of unit denominations, can lead to catastrophic financial risk. The successful discovery and remediation of this bug validate the importance of bug bounty programs with high-value incentives. Organizations should ensure that all financial functions, especially those involving `transfer` or `call`, undergo strict peer review and automated testing for unit consistency.