Impermax V3 is a lending and borrowing protocol that lets users borrow assets against their LP Positions from platforms like Uniswap.
On 26th April, at 10:43 UTC, the attack occurred on the Base chain, siphoning ~300k in liquidity from the pool and leaving the protocol in bad debt, as reported by the team in their Medium post. The attacker used a flash loan to perform the attack. The analysis covers the hack details, how it happened, the attack flow, and the funds lost.
The attacker (0xE3223f7E3343c2C8079f261D59ee1e513086C7C3) initially took a flashloan from Morpho to fund the attack.
The attacker initially provided liquidity to a Uniswap V3 liquidity pool (WETH/USDC), which has a 1% fee tier. The attacker increased the price range of this pool and did multiple swaps to accrue fees on their LP position in the particular price range.
Once the position earned a lot of fees from the swap, the attacker used the same LP position to borrow WETH from Impermax. Once they borrowed the funds from the protocol, they reinvested the fees into the new LP position, which is where the protocol minted liquidity in the wrong price range, leading to a sharp decline in the position value and putting the protocol into bad debt.
As can be seen in the transaction, the attacker first borrowed the funds, then reinvested the fees from the LP position, and self-liquidated by calling restructureBadDebt. Since the position got liquidated, there is no downside for the attacker, as they successfully siphoned the funds out of the protocol.
The following is a depiction of the attack flow to understand it better:
The contract address created by the exploiter is 0x98E938899902217465f17CF0B76d12B3DCa8CE1b, which transferred the funds to another address of the exploiter, 0xE9f853d2616ac6b04E5fC2B4Be6EB654b9F224Cd, which then transferred the funds to multiple different wallets and went dark.
0xde903046b5cdf27a5391b771f41e645e9cc670b649f7b87b1524fc4076f45983
0xad4fc3156666d5402f00dcfd5c183493d283f4166a6dd581dd8c0a895e826a56
The root cause of the attack was a flaw in the protocol logic, which led to the protocol getting bad debt. Certain safety mechanisms were in place, like fair pricing to avoid the flashloan attack, but the fee parameter was not adjusted properly. Adjusting the fee parameter according to the position would have prevented the attack.
The protocol also reinvested the fees into the wrong price range, leading to self-liquidation. Having a certain mechanism to direct liquidity into the correct price ranges would have worked in favour of the protocol.
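To illustrate the mitigation described above, the following added example (not Impermax's code, and not from the original post) models a guard that rejects a fee reinvest when the collateral, valued at a fair price, would drop after minting. It uses simplified floating-point Uniswap V3 range math; the function names, the 1% tolerance, the sample figures and the assumption that the pool price later returns to the fair price are all hypothetical.

```python
import math

# Simplified float model of Uniswap V3 range math (real pools use fixed point).
# Prices are token1 per token0, e.g. USDC per WETH. All names are hypothetical.

def amounts_for_liquidity(liq, price, lo, hi):
    """(token0, token1) held by liquidity `liq` over range [lo, hi] at `price`."""
    sp, sa, sb = math.sqrt(price), math.sqrt(lo), math.sqrt(hi)
    if sp <= sa:                       # price below range: position is all token0
        return liq * (1 / sa - 1 / sb), 0.0
    if sp >= sb:                       # price above range: position is all token1
        return 0.0, liq * (sb - sa)
    return liq * (1 / sp - 1 / sb), liq * (sp - sa)

def liquidity_for_amounts(a0, a1, price, lo, hi):
    """Largest liquidity mintable from (a0, a1) at the pool's current price."""
    sp, sa, sb = math.sqrt(price), math.sqrt(lo), math.sqrt(hi)
    if sp <= sa:
        return a0 / (1 / sa - 1 / sb)
    if sp >= sb:
        return a1 / (sb - sa)
    return min(a0 / (1 / sp - 1 / sb), a1 / (sp - sa))

def check_reinvest(fee0, fee1, spot, fair, lo, hi, max_loss=0.01):
    """Return (ok, value_before, value_after), valued in token1 at the fair price."""
    before = fee0 * fair + fee1
    liq = liquidity_for_amounts(fee0, fee1, spot, lo, hi)
    used0, used1 = amounts_for_liquidity(liq, spot, lo, hi)   # consumed by the mint
    held0, held1 = amounts_for_liquidity(liq, fair, lo, hi)   # held once price is fair
    # Fees not consumed by the mint stay with the position and are counted as-is.
    after = (held0 + fee0 - used0) * fair + (held1 + fee1 - used1)
    return after >= before * (1 - max_loss), before, after

if __name__ == "__main__":
    # Constructed numbers: 1 WETH + 2000 USDC of fees, fair price 2000 USDC/WETH.
    # Spot equals fair and the range brackets it: value is preserved.
    print(check_reinvest(1.0, 2000.0, spot=2000.0, fair=2000.0, lo=1800.0, hi=2200.0))
    # Spot pushed to 4000 and liquidity minted around it: value at fair price drops.
    print(check_reinvest(1.0, 2000.0, spot=4000.0, fair=2000.0, lo=3900.0, hi=4100.0))
```

With these constructed inputs the second call loses roughly a quarter of the fee value at the fair price, which is the kind of drop the guard is meant to reject before the mint is committed.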
It is more important than ever to keep security in mind while deploying a complex DeFi protocol that has multiple upstream and downstream dependencies.
The attack was caused by a flaw in the protocol logic. The protocol had certain mechanisms in place to avoid flashloan attacks, but had an edge case where an attacker could manipulate the fee parameter.
These types of vulnerabilities are hard to catch, and attackers are scouting on-chain contracts to find them. It is important to get robust auditing done before the deployment of smart contracts to the mainnet.
Hacks are common in the crypto space, and they require immediate attention. One way to provide the required attention is to go through a robust audit process. A great audit process is a mixture of great auditors, a layered approach for testing, and clear communication. At QuillAudits, we make sure that happens using our 7+ years of experience and talented team.