Full Report
In November of 2022, BlockSec sounded the alarms: funds had been successfully drained from SushiSwap. They contacted the Sushi security team to try to remediate the situation. There are functional bugs within smart contracts, like reentrancy and integer overflows. A large amount of the vulnerabilities are accounting bugs that come from messing up the math. The borrow() function has the modifier solvent to check to see if it's above water. If it's not, then the transaction will revert. This is compared against the exchangeRate. Of particular importance is that this variable is mistakenly NOT upgraded in this function call. In liquidate, the updating for the exchangeRate is done in the beginning of the function. If two prices are different between withdrawal and deposit, this can be a major case for exploitation. The exploit steps are pretty straight forward for this. The attacker used a flash loan to amplify the calculation difference. In particular, the exchange rate in the borrow function was 250 * 10^27. On the liquidate function the exchange rate was 328 * 10^27. By borrowing at one rate then liquidating at another, they were able to make a huge profit off of this. I'm guessing that the hacker was sitting on a large price difference for a while in order to exploit this bug. Overall, an interesting yet simple bug. Gotta do better than this!
Analysis Summary
# Vulnerability: Stale Exchange Rate Logic Bug in SushiSwap KashiPair
## CVE Details
- **CVE ID**: Not explicitly assigned (DeFi protocol logic bug)
- **CVSS Score**: Estimated 7.5 (High)
- **CWE**: CWE-682: Incorrect Calculation; CWE-1164: Irrelevant Code (Logic Error)
## Affected Systems
- **Products**: SushiSwap Kashi Lending Platform, BentoBox-based pools, and various forks.
- **Versions**: `KashiPairMediumRiskV1` and `CauldronMediumRiskV1` (Ethereum and BSC implementations).
- **Configurations**: Any pool utilizing these specific smart contracts for collateralized borrowing.
## Vulnerability Description
The vulnerability is a logic flow error related to price oracle synchronization. In the `KashiPairMediumRiskV1` contract, the `borrow()` function utilizes a `solvent` modifier to ensure the user has enough collateral. This modifier calls `_isSolvent`, which relies on the state variable `exchangeRate`.
The flaw exists because the `borrow()` function fails to trigger an update to the `exchangeRate` before performing the solvency check, meaning it uses a stale price. Conversely, the `liquidate()` function calls `updateExchangeRate()` at the very beginning of its execution. An attacker can exploit this discrepancy by borrowing assets based on an old (favorable) price and immediately liquidating themselves (or being liquidated) based on the current (true) market price, extracting the value difference as profit.
## Exploitation
- **Status**: Exploited in the wild (November 2022).
- **Complexity**: Medium
- **Attack Vector**: Network (Smart Contract Interaction)
- **PoC**: Demonstrated via transaction `0xcf...fe58`. The attacker used a flash loan to provide collateral, borrowed at a stale rate (approx. 250 * 10^27), and liquidated at the updated rate (approx. 328 * 10^27).
## Impact
- **Confidentiality**: None
- **Integrity**: High (Manipulation of internal accounting and fund balances)
- **Availability**: High (Can result in the draining of pool liquidity/assets)
## Remediation
### Patches
- SushiSwap and affected forks have deployed updated versions of the Kashi contracts that ensure `updateExchangeRate()` is called in all functions that perform solvency checks or modify balances.
### Workarounds
- **Manual Updates**: Projects can periodically or occasionally invoke the `updateExchangeRate` function via a bot/keeper to minimize the price deviation window.
- **Liquidity Migration**: Users were encouraged to move funds to patched versions of the pools.
## Detection
- **Indicators of Compromise**: Rapid sequences of `addCollateral` -> `borrow` -> `liquidate` within a single transaction, especially when accompanied by flash loans from providers like Balancer.
- **Detection Methods**: Monitoring for transactions that result in high "slippage" or profit through self-liquidation on Kashi-style contracts.
## References
- SushiSwap Kashi Documentation: [https://docs.sushi.com/docs/Developers/Bentobox/KashiPairMediumRiskV1](https://docs.sushi.com/docs/Developers/Bentobox/KashiPairMediumRiskV1)
- Analysis by BlockSec: [https://blocksecteam.medium.com/beyond-the-market-risk-a-logic-bug-identified-in-sushiswaps-kashipairmediumriskv1-contract-80ead49d8d6d](https://blocksecteam.medium.com/beyond-the-market-risk-a-logic-bug-identified-in-sushiswaps-kashipairmediumriskv1-contract-80ead49d8d6d)
- Exploit Transaction: [https://etherscan.io/tx/0xcf8f242ea83100b6d43e659f7f53a698d304fc6ac2ca6fe79e3e07ee05fefe58](https://etherscan.io/tx/0xcf8f242ea83100b6d43e659f7f53a698d304fc6ac2ca6fe79e3e07ee05fefe58)