Full Report
Nereus Finance is a lending / borrowing protocol. This allows users to deposit their tokens to earn interest on them and borrow funds from this protocol. Why would somebody want to borrow assets if they can't be under-collateralized? In the case of this protocol, the NXUSD token is a stable coin alternative to USDC. The main way to obtain NXUSD is by borrowing it. For NXUSD, the main purpose of the token is staking it; this means giving a token for somebody else to use in order to earn rewards on it. A liquidity pool (LP) is the main method for exchanging one token for another. An LP consists of one or more tokens. When putting your own funds into the pool, you receive a pair or LP token. This can be used to stake, collateral or many other things. In the case of this project and hack, the pool is USDC-WAVAX and this gives back the JLP token. When calculating the price of a liquidity pool, the price is strictly dependent on the ratio between the tokens in the pool. For instance, if there was a 1:1 ratio, trading for one token would give you an equal amount of the other one. If it was 2:1, then trading for two of one token gets you a single token of the other. The contract JLPWAVAXUSDCOracle is used to calculate the price of JLP. This is done via the following steps: Get USDC price from an external oracle. Get Avax (Avalanche) price via an external oracle. Get the reserves of each token within the contract. Price is the following formula: JLP = (AvaxReserve * AvaxPrice + USDCReserve * USDCPrice) / totalSupplyJLP This isn't some weird injection issue or anything... it's a math issue where there is a case that is forgotten: an attacker can obtain an insane amount of money quickly via a flash loan. The variables AvaxReserve and USDCReserve are somewhat controllable, since we can swap in and out of the contract. These variables are also part of the price of the JLP token, as mentioned above. If an attacker swaps a ^*&@ ton of one token for another, then the price of the JLP can be drastically skewed in either a high or low direction. To drop it low, we exchange in a large amount of USDC, since it is cheaper. At this point, the exchange rate is much cheaper for the NXUSD (which can be traded from JLP) to borrow WAYYYY more than we should be able to. The author of the post puts the steps above: Use a flash loan to obtain a large amount of USDC and another currency to acquire JLP. Acquire JLP tokens at the normal price. Lower the exchange rate of the JLP token by swapping in a ton of USDC for wrapped AVAX. Using the JLP from before, use this to borrow the NXUSD. Remember, the exchange rate has been dropped, so we get more tokens than anticipated. Swap back the WAVAX for USDC to bring the exchange rate back. Pay back the flash loan after getting a huge profit from the NXUSDC. An interesting note that the author makes... we are simply leaving the JLP in the contract since we profit from the NXUSDC. Unlike the bank coming after you in the real world, the only thing that makes you return the loan is the collateral deposited. Since we made more money than the JLP is worth, we simply leave it in the contract. The author includes a very detailed proof of concept that is explained well with a Hardhat setup. So, how does one fix this problem with the JLP token? Having a Time Weighted Average Price (TWAP) or forcing these steps into multiple blocks would solve the problem. An absolutely amazing post and I look forward to more of these in the future!
Analysis Summary
# Incident Report: Nereus Finance Price Manipulation via Flash Loan
## Executive Summary
An attacker exploited a mathematical vulnerability in how the Nereus Finance price oracle calculated the value of the JLP token, which was used as collateral. By using a massive flash loan, the attacker manipulated the reserves in the USDC-WAVAX liquidity pool, artificially deflating the JLP token price. This devaluation allowed the attacker to borrow an excessive amount of the NXUSD stablecoin, resulting in a \$371,559 USDC profit after repaying the flash loan and defaulting on the collateral.
## Incident Details
- Discovery Date: November 19, 2022 (Date of analysis/disclosure of the exploit technique)
- Incident Date: Not explicitly stated, assumed to have occurred shortly before the analysis date.
- Affected Organization: Nereus Finance (lending/borrowing protocol)
- Sector: Decentralized Finance (DeFi) / Lending Protocol
- Geography: On-chain decentralized execution (No specific geography)
## Timeline of Events
### Initial Access
- Date/Time: Attack executed within the scope of a single transaction block.
- Vector: Flash Loan.
- Details: The attacker obtained a massive loan of USDC and another required currency via a flash loan, which requires no upfront capital.
### Lateral Movement
*Not Applicable (Smart Contract Exploit)*
### Data Exfiltration/Impact
- Date/Time: Coordinated within the attack transaction.
- Vector: Exploitation of the JLP price calculation formula: `JLP = (AvaxReserve * AvaxPrice + USDCReserve * USDCPrice) / totalSupplyJLP`.
- Details:
1. Attacker borrowed JLP tokens at the normal price by using collateral obtained from the flash loan.
2. Attacker drastically lowered the JLP token exchange rate by swapping a large amount of USDC into the USDC-WAVAX pool, skewing the reserve ratio heavily towards USDC.
3. Using the previously acquired JLP, the attacker borrowed an inflated amount of NXUSD (due to the low calculated JLP value).
4. The attacker swapped the borrowed NXUSD for USDC, netting a significant profit.
5. They swapped WAVAX back for USDC, restoring the pool ratio to its original state (or close to it).
6. The attacker repaid the initial flash loan.
7. **Impact:** The attacker retained the excessive NXUSD proceeds, defaulting on the loan because the collateral (the JLP tokens) left in the contract was worth less than the borrowed amount, and in a decentralized market, default relies on liquidation, which was insufficient or bypassed.
### Detection & Response
- Detection: The mechanism was discovered and analyzed by an independent researcher on or before November 19, 2022.
- Response Actions: The article provided a necessary **fix recommendation** (implementing TWAP or multi-block execution) but did not detail Nereus Finance's immediate on-chain response actions (containment/remediation).
## Attack Methodology
- Initial Access: Flash Loan (No upfront cost)
- Persistence: Not applicable (single atomic transaction)
- Privilege Escalation: Not applicable
- Defense Evasion: Not applicable (Exploited a logic/math bug)
- Credential Access: Not applicable
- Discovery: Not applicable (Researcher exploited a known vulnerability pattern leveraged against a specific protocol feature)
- Lateral Movement: Not applicable
- Collection: Acquisition of NXUSD tokens far exceeding the collateral's actual value.
- Exfiltration: Conversion of borrowed NXUSD into USDC profit.
- Impact: Financial exploitation via collateral value manipulation.
## Impact Assessment
- Financial: Estimated profit of **~371,559 USDC** retained by the attacker. The collateral provided (~520,000 USDC worth of JLP tokens) was forfeited/left in the contract.
- Data Breach: None (Financial exploit).
- Operational: Disruption to the Nereus Finance lending market and loss of assets.
- Reputational: Negative impact stemming from the protocol failure.
## Indicators of Compromise
- Behavioral indicators: Extremely large single-transaction operations involving flash loans initiating significant swaps within a specific liquidity pool (USDC-WAVAX) immediately followed by borrowing against related LP tokens (JLP).
- Contract interaction: Calls to the `executeOperation()` function after resource acquisition via flash loan providers.
## Response Actions
*As described in the analysis, no direct on-chain response actions were detailed for Nereus Finance itself, only the technical finding.*
- Containment Measures: Not specified.
- Eradication Steps: Not specified.
- Recovery Actions: Not specified.
## Lessons Learned
- **Oracle dependency risk:** Relying solely on instantaneous on-chain reserve arithmetic without time-weighting or multi-block confirmation creates a significant vulnerability to flash loan manipulation.
- **Collateral valuation vulnerability:** The price calculation function (`JLPWAVAXUSDCOracle`) was insufficiently robust, failing to account for malicious, rapid manipulation of underlying token reserves.
- **Flash Loan Utility:** Flash loans remain a potent tool for exploiting atomic DeFi vulnerabilities that depend on precise, immediate price states.
## Recommendations
- Implement a **Time Weighted Average Price (TWAP)** mechanism for critical collateral/asset valuations (like the JLP token) to mitigate instantaneous price manipulation via large single transactions.
- Force key pricing or collateralization steps, especially those involving high volatility, to span **multiple blockchain blocks** to prevent atomic exploitation loops.
- Rigorously audit reserve calculation formulas to ensure all edge cases (like maximizing one side of a pool) are handled correctly, especially when user interaction controls reserve ratios.