What Went Wrong With Odos Protocol?

Odos Protocol experienced a malicious exploit targeting its Limit Order Contracts on the Ethereum Layer 2 network, @base.

A series of coordinated attacks resulted in a cumulative loss of approximately $50,000.

The attacker exploited an arbitrary call vulnerability caused by insufficient input validation in the contract’s logic, enabling them to bypass signature verification mechanisms and execute malicious transactions.

Odos leverages an intent optimization algorithm to provide superior exchange rates for both single-token and multi-token swaps.

The protocol is accessible via a dApp and an API, offering users an efficient way to execute complex swaps while minimizing slippage and maximizing returns.

Its Limit Order Contracts allow users to specify conditions for token swaps, automating execution when these conditions are met.

1. Setup of the Malicious Contract:
   • The attacker (0x4015d786e33c1842c3e4d27792098e4a3612fc0e) deployed a malicious contract (address: 0x22A7dA241A39F189a8Aec269A6F11A238B6086fc) to manipulate the Limit Order Contracts.
2. Exploit Execution:
   • The attacker exploited the victim contract (0xB6333E994Fd02a9255E794C177EfBDEB1FE779C7) by sending a transaction through Base.
   • Attack transaction: https://app.blocksec.com/explorer/tx/base/0xd10faa5b33ddb501b1dc6430896c966048271f2510ff9ed681dd6d510c5df9f6

   • The isValidSigImpl function allowed arbitrary calls to a Create2Factory contract using unvalidated user input (factoryCalldata).

     This allowed the attacker to execute malicious deployments.

     

   • The isValidSignature function allowed attackers to direct calls to a malicious contract implementing ERC-1271, which always returned a valid signature (ERC1271_SUCCESS).
   • The attacker utilized the precompile contract (0x4) to bypass signature verification, ensuring their malicious actions were executed without being flagged.

3. Outcome:

• The attacker successfully drained funds from the protocol's Limit Order Contracts, resulting in a loss of ~$50,000.

The exploit stemmed from insufficient validation of user inputs and improper handling of key contract functionalities:

1. Counterfactual Address Deployment:
   • The create2Factory.call(factoryCalldata) mechanism allowed arbitrary calls without validating the factoryCalldata.

2. ERC-1271 Signature Validation Bypass:

   • The _signer address in the isValidSignature function was user-controlled, enabling the attacker to utilize a malicious contract that returned valid signatures unconditionally.

   

3. Precompile Contract Exploitation:
   1. The attacker leveraged the precompile contract (0x4) to further manipulate signature verification, bypassing security checks.

The exploit could have been mitigated with the following precautions:

1. Validate User Inputs:
   • Sanitize and strictly validate factoryCalldata and create2Factory parameters in the isValidSigImpl function to prevent arbitrary calls and malicious contract deployments.
2. Enhance Signature Verification:
   • Introduce robust validation mechanisms for the _signer address before calling isValidSignature. This could include:
     • Verifying the contract’s bytecode to ensure it matches trusted implementations.
     • Maintaining an allowlist of approved contract signers.
3. Avoid Unchecked External Calls:
   • Implement reentrancy guards and limit interactions with external contracts to prevent misuse.
4. Test Against Precompile Exploits:
   • Incorporate fuzz testing and simulations to identify vulnerabilities involving precompiled contracts, such as 0x4.

Why QuillAudits?

Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals.

We specialize in securing smart contracts by identifying critical vulnerabilities and offering actionable remediation strategies.

Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.