Full Report
Typus Finance on the Sui blockchain suffered a hack recently of about 3.44M USD. This article explains the vulnerability and the exploit itself. Typus Finance has an oracle that contained the following code: public fun update_v2( ... ) { // check authority vector::contains(&update_authority.authority, &tx_context::sender(ctx)); version_check(oracle); update_(oracle, price, twap_price, clock, ctx); } The code above attempts to update the price of an Oracle. The object UpdateAuthority contains a list of trusted updater addresses. The intention of vector::contains is to check that the caller is indeed trusted. The problem is that this doesn't revert the execution. It returns a boolean, and that's it. So, the access control check fails. What's the consequence of this? If you can update the price of the oracle, then you can manipulate the entire protocol. In functions like swap(), it utilizes the oracle to determine the price of the asset, rather than the standard constant-product formula. So, an attacker would simply drop the price of the asset and execute a highly discounted trade for the desired asset. They carried out this attack on 10 different pools to steal a substantial amount of funds. They then transferred the assets through CCTP to the Ethereum blockchain. The vulnerability is a classic case of mishandling errors. Similar to assert() not being enabled in production builds, this lets an invalid state get through. Good write-up!
Analysis Summary
# Incident Report: Typus Finance Oracle Manipulation Hack
## Executive Summary
Typus Finance, a DeFi protocol on the Sui blockchain, was exploited for approximately $3.44M USD due to a critical logical error in its oracle price update mechanism. The attacker leveraged a failed permission check that did not revert execution, allowing them to manipulate asset prices across 10 different pools. After devaluing assets, the attacker performed discounted trades and bridged the stolen funds to the Ethereum network via CCTP.
## Incident Details
- **Discovery Date:** October 16, 2024
- **Incident Date:** October 16, 2024
- **Affected Organization:** Typus Finance
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Distributed (Sui Blockchain)
## Timeline of Events
### Initial Access
- **Date/Time:** October 16, 2024
- **Vector:** Exploitation of broken access control in the `update_v2` function.
- **Details:** The attacker identified that the `vector::contains` check in the Oracle's update function returned a boolean but lacked an `assert!` or `abort` statement to halt execution upon failure.
### Lateral Movement
- **Movement:** Systematic exploitation of 10 separate liquidity pools.
- **Details:** Once the attacker realized they could bypass the `update_authority` check, they repeated the price manipulation technique across multiple asset pools within the Typus Finance ecosystem.
### Data Exfiltration/Impact
- **Assets Stolen:** Approximately $3.44M USD worth of assets.
- **Exfiltration Method:** Stolen assets were converted and transferred to the Ethereum blockchain using the Cross-Chain Transfer Protocol (CCTP).
### Detection & Response
- **Detection:** Discrepancies in pool liquidity and oracle pricing were identified on-chain.
- **Response Actions:** Typus Finance engaged the SlowMist Security Team for investigation and tracing; an incident report and response plan were subsequently released.
## Attack Methodology
- **Initial Access:** Smart Contract Vulnerability (Broken Access Control).
- **Persistence:** Not applicable (Atomic transaction-based exploit).
- **Privilege Escalation:** Exploited a logic error where the code checked for "authorized" status but failed to enforce it, effectively granting administrative oracle privileges to any caller.
- **Defense Evasion:** None; the attack was conducted via public blockchain transactions.
- **Credential Access:** None; the vulnerability bypassed the need for credentials/authorized signatures.
- **Discovery:** On-chain reconnaissance of the `Typus Finance` smart contract source code.
- **Impact:** Financial theft through price manipulation (Oracle Manipulation).
- **Exfiltration:** Cross-chain bridging (CCTP) to move funds to the Ethereum network.
## Impact Assessment
- **Financial:** Estimated loss of $3.44M USD.
- **Data Breach:** None (Standard for DeFi; transaction history is public).
- **Operational:** Temporary suspension or disruption of affected liquidity pools and oracle services.
- **Reputational:** Significant impact on trust regarding the protocol's security audits and code quality.
## Indicators of Compromise
- **Network Indicators:** hxxps[://]suivision[.]xyz/txblock/6KJvWtmrZDi5MxUPkJfDNZTLf2DFGKhQA2WuVAdSRUgH (Exploit Transaction)
- **Behavioral Indicators:**
- Unauthorized calls to `oracle::update_v2`.
- Extreme price volatility in assets immediately preceding large `swap()` executions.
- Large-scale transfers via CCTP.
## Response Actions
- **Containment:** Coordination with ecosystem partners to track bridge movement.
- **Eradication:** Identification of the specific line of code in the Move contract causing the logic failure.
- **Recovery:** Development of a "Response Plan" for affected users and patching the contract to include proper `assert!` statements.
## Lessons Learned
- **Logic Handling:** In Move (and similar languages), functions that return booleans for security checks (like `vector::contains`) provide zero protection unless the result is passed into an `assert!` statement.
- **Code Review:** Routine audits must focus specifically on "silent failures" where a check is performed but the result is discarded.
- **Oracle Dependency:** Protocols relying on internal oracles for swaps rather than AMM formulas are highly susceptible to total loss if the oracle is compromised.
## Recommendations
- **Mandatory Assertions:** Ensure all permission validation logic uses `assert!(check, error_code);` to guarantee the transaction reverts on failure.
- **Unit Testing:** Implement "negative tests" that specifically attempt to call sensitive functions from unauthorized addresses to ensure they fail as expected.
- **Multi-layered Security:** Implement circuit breakers that pause the protocol if oracle prices fluctuate beyond a certain percentage within a single block.