Slow Fog Technology: Brief Analysis of the Cover Protocol Hack

On December 29, 2020, according to Slow Mist's intelligence, the price of the Cover protocol plummeted. Below is a brief analysis of the entire attack process by the Slow Mist security team.

1. In the Cover protocol's Blacksmith contract, users can stake BPT tokens through the deposit function;
2. After the attacker performs the deposit - withdraw for the first time, they will update the pool through the updatePool function and use accRewardsPerToken to record the accumulated rewards;
3. Subsequently, rewards will be distributed through the _claimCoverRewards function, and the rewardWriteoff parameter will be used for recording;
4. After the attacker's first withdraw, a small portion of BPT will still be staked;
5. At this point, the attacker will perform a second deposit and extract rewards through claimRewards;
6. The issue lies in the specific calculation of rewardWriteoff. When the attacker performs the deposit - claimRewards for the second time, the Pool value taken is defined as memory. At this time, the Pool obtained in memory is the value updated when the attacker performed updatePool during the first withdraw;
7. Since the Pool value obtained in memory is old, the corresponding recorded accRewardsPerToken is also old and will be assigned to the miner;
8. When a new updatePool is performed later, since the lpTotal in the pool has already decreased after the attacker’s first withdraw, the final accRewardsPerToken obtained will increase;
9. At this point, the accRewardsPerToken assigned to the attacker is old and a smaller value. The value obtained during the rewardWriteoff calculation will also be smaller, but the value used by the attacker during claimRewards is the updated accRewardsPerToken value;
10. Therefore, during the specific reward calculation, due to the difference between these new and old parameters, a larger value will be calculated;
11. Thus, when minting rewards based on the calculation results, more COVER tokens will be minted for the attacker, leading to an increase in the supply of COVER tokens.

The specific changes in the accRewardsPerToken parameter difference are shown in the figure below: