Full Report
Superfluid.sol allows for composable Superfluid agreements in a single transaction. I have no idea what this means (lolz). The important thing to note is that the main contract and the agreements have a concept of context (ctx). The ctx is serialized state carried through the entire transaction across the different agreement calls. This context even includes information about the original msg.sender. The convention of callAgreement is to use a placeholder ctx so that Solidity can read it directly from the argument ctx that should be there.

The flow of operations for verifying is as follows:

1. Call deleteAnyFlowBad.
2. Call callAgreement. This creates the ctx and puts a stamp on it.
3. Call createFlow to verify that the calling host contract is authorized to do so.
4. Call authorizeTokenAccess to hand over the ctx and deserialize the original call.

The vulnerability occurs in the parsing of the ctx structure within the function deleteAnyFlowBad. After everything is merged into a single byte array, the expected empty ctx can contain spoofed data, causing a MAJOR problem to occur. Since the ABI decoder ignores the legit ctx, we have now tricked the code into parsing the wrong ctx.

With the ability to craft an arbitrary ctx, the calldata can be crafted to impersonate other users. This can be used to create IDA indexes on behalf of other users to steal tokens in their possession.

The contracts had previously been audited by several users and PeckShield. They have decided to add a bug bounty program and get more audits in the future. Overall, a super interesting bug in extremely complicated code.
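The placeholder merge described above can be modeled off-chain to show why the decoder ends up on the wrong ctx and which checks reject it. This is an added example, not Superfluid's code or its actual patch. Assumptions: a hypothetical `agreementFn(uint256 x, bytes ctx)` signature with the selector omitted, ctx reduced to a plain byte string, SHA-256 standing in for the host's stamp, and all sample values constructed.

```python
import hashlib

WORD = 32

def word(n: int) -> bytes:
    return n.to_bytes(WORD, "big")

def enc_bytes(b: bytes) -> bytes:
    # ABI tail of a dynamic `bytes`: length word, then data padded to 32 bytes
    return word(len(b)) + b + b"\x00" * (-len(b) % WORD)

def encode_call(x: int, ctx: bytes, trailer: bytes = b"") -> bytes:
    # Model calldata for agreementFn(uint256 x, bytes ctx); selector omitted
    return word(x) + word(2 * WORD) + enc_bytes(ctx) + trailer

def decode_ctx(data: bytes) -> bytes:
    # Agreement side: the ABI decoder follows the offset stored in the head
    off = int.from_bytes(data[WORD:2 * WORD], "big")
    n = int.from_bytes(data[off:off + WORD], "big")
    return data[off + WORD:off + WORD + n]

def merge_vulnerable(data: bytes, real_ctx: bytes) -> bytes:
    # Host side: assumes the last word is the empty placeholder's length
    return data[:-WORD] + enc_bytes(real_ctx)

def merge_strict(data: bytes, real_ctx: bytes) -> bytes:
    # Hardened: the ctx offset must point at the final word, and it must be 0
    off = int.from_bytes(data[WORD:2 * WORD], "big")
    if off != len(data) - WORD or data[off:] != word(0):
        raise ValueError("placeholder ctx is not empty")
    return data[:-WORD] + enc_bytes(real_ctx)

def ctx_is_stamped(data: bytes, stamp: bytes) -> bool:
    # Agreement side: decoded ctx must hash to the stamp the host recorded
    return hashlib.sha256(decode_ctx(data)).digest() == stamp

# Constructed sample values (not real addresses or real ctx layouts)
REAL_CTX = b"msgSender=0xCALLER"
STAMP = hashlib.sha256(REAL_CTX).digest()
honest = encode_call(7, b"")
spoofed = encode_call(7, b"msgSender=0xVICTIM", trailer=word(0))

if __name__ == "__main__":
    print(decode_ctx(merge_vulnerable(honest, REAL_CTX)))    # real ctx
    print(decode_ctx(merge_vulnerable(spoofed, REAL_CTX)))   # caller-supplied ctx
    print(ctx_is_stamped(merge_vulnerable(spoofed, REAL_CTX), STAMP))
```

A check that only confirms the final word is zero would still accept the `spoofed` input, which is why the strict merge also pins the offset and why the stamp comparison is done on the bytes the decoder actually returns.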
Analysis Summary
# Incident Report: Superfluid Context Spoofing Exploit
## Executive Summary
On February 8, 2022, the Superfluid protocol was targeted by a sophisticated smart contract exploit on the Polygon network. By injecting malicious calldata to spoof the "context" (ctx) of a transaction, an attacker was able to impersonate other users and drain approximately $13M USD worth of assorted tokens. The incident was mitigated through two protocol upgrades that temporarily disabled affected functions before deploying a permanent logic patch.
## Incident Details
- **Discovery Date:** February 8, 2022, 06:48 UTC
- **Incident Date:** February 8, 2022
- **Affected Organization:** Superfluid
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Distributed (Polygon Blockchain)
## Timeline of Events
### Initial Access
- **Date/Time:** Early hours of February 8, 2022 (UTC)
- **Vector:** Exploitation of `callAgreement` via the `deleteAnyFlowBad` function.
- **Details:** The attacker utilized a vulnerability in how the Superfluid Host contract parses the `ctx` (context) argument. By providing a specifically crafted byte array, the attacker tricked the ABI decoder into ignoring the legitimate context and instead parsing spoofed data.
### Lateral Movement
- **N/A:** As this was a smart contract exploit, the "movement" involved escalating privileges within the protocol's logic to act as any high-value address holding Super-tokens.
### Data Exfiltration/Impact
- **Details:** The attacker created unauthorized distribution indexes and flow deletions to divert funds. Total stolen assets included:
  - 19.3M QI, 1.5M MOCA, 562k USDC, 44k SDT, etc.
- Assets were swapped and consolidated into a single attacker wallet holding over 2,700 ETH.
### Detection & Response
- **06:48 UTC:** QiDAO team notifies Superfluid of suspicious activity on vesting contracts.
- **08:35 UTC:** Public warning issued to the community.
- **10:54 UTC:** **Emergency Containment:** Host contract upgraded to revert all `callAgreement` calls, halting protocol functionality to prevent further theft.
- **12:23 UTC:** **Remediation:** Vulnerability patch deployed to Polygon and xDai; full protocol functionality restored.
## Attack Methodology
- **Initial Access:** Smart contract vulnerability (Input Validation/Logic Error).
- **Persistence:** Not applicable; transaction-based exploit.
- **Privilege Escalation:** Spoofing `msg.sender` identity by manipulating the serialized `ctx` state.
- **Defense Evasion:** Exploiting ABI decoding nuances that caused the contract to skip legitimate data in favor of malicious injected data.
- **Impact:** Unauthorized fund transfers and creation of IDA (Instant Distribution Agreement) indexes on behalf of victims.
## Impact Assessment
- **Financial:** Approximately $13,000,000 USD (at the time of the exploit).
- **Data Breach:** None (Public blockchain transaction data only).
- **Operational:** Protocol downtime of approximately 5.5 hours for emergency upgrades.
- **Reputational:** Significant; however, the team responded quickly with a compensation plan and a $1M bug bounty offer to the attacker.
## Indicators of Compromise
- **Attacker Address:** `0x1574f7f4c9d3aca2ebce918e5d19d18ae853c090`
- **Transaction Pattern:** Unauthorized calls to `callAgreement` involving `deleteAnyFlowBad` with abnormal `ctx` byte arrays.
- **Message Transaction:** hxxps://polygonscan[.]com/tx/0x5f9fd626df2fcfef5899c10cea2ec329e76dc0d4350b4c8cf28ce776785e1952
## Response Actions
- **Containment:** Executed a protocol upgrade to "pause" the `callAgreement` function.
- **Eradication:** Deployed a patched Host contract that validated the `ctx` structure correctly.
- **Recovery:** Developed a compensation plan for affected users and coordinated with forensic researchers to track funds on-chain.
## Lessons Learned
- **Key Takeaways:** Highly complex code with composable states (like `ctx`) creates a large attack surface that standard audits might miss.
- **What could have been done better:** Earlier implementation of a formal bug bounty program might have incentivized a disclosure over an exploit.
## Recommendations
- **Rigorous Input Validation:** Ensure all serialized data structures are strictly validated against unexpected appended data.
- **Security Audits:** Increase the frequency of audits, specifically focusing on "context-passing" logic.
- **Bug Bounty:** Maintain an active and competitive bug bounty program (implemented post-incident).