TLDR: DelayedBDIBurner was exploited for $343K
Exploit Timeline
On October 22 0830 UTC+0, we received a message from 0xMaki informing us of a potential exploit in one of our contracts
Upon further investigation, the Basket tokens (BDI, BMI) itself was fine, however there was something unusual going on.
Within 21 minutes, we figured out what was going on: The periphery contract, specifically the DelayedBDIBurner had an infinite approval vulnerability.
The attacker could craft a malicious payload, allowing him infinite “transferFrom” access of BDI tokens from the delayed burner. This means that any BDI tokens sitting in the DelayedBurner was susceptible to being drained. Once the root cause was identified, we quickly establish a game plan.
Due to the timelock, we couldn’t immediately apply the patch, and had to let it go through a timelock. We also had other things to fix, such as the quickly and quietly disabling the frontend. A fix and patch was deployed to revert the transaction made and queued on 0938 UTC+0. The fix would only work if the attacker held BDI tokens in his wallet.
The next 24 hours was a very nervous waiting game, luckily, the attacker didn’t sell his BDI tokens and we were able to retrieve the funds
A mini premature celebration was held internally with the team the funds was returned to the victim, and all was well — or so we thought.
The next day, we woke up to a very alarming message from the victim.
Turns out our initial assumption of the attacker only being to transfer tokens from the contract was wrong, the attacker could transfer BDI tokens from anyone who approved BDI to the DelayedBDIBurner. And we naively, and stupidly refunded the victim BDI back to his original wallet. We should have known better and we’re very sorry about this.
The hacker outsmarted us and re-captured the funds.
And unfortunately this time he sold the BDI tokens and have escaped through Tornado.
A Partial Compensation
As the amount lost by the victim was quite substantial, we have decided to partially compensate the victim as best as we can — by giving up ALL the fees earned by BMI in the treasury (~$118k USD)
We hope that by doing so the victim has sufficient material to move on, this was never on our roadmap when we started out the project.
To the other victim of the ~23 BDI, please message us on Discord and we’ll return the tokens back to you.
What’s Next
Delayed Mint/Burn modules for BDI have been disabled to prevent further complications.
As a result, fees for BDI mint/burn will be removed in the next 24hrs from the posting of this article, allowing anyone to mint burn directly on the primary contract, which is audited and has stood the test of time.
