SlowMist: The Rubic protocol mistakenly added USDC to its Router whitelist, resulting in the theft of USDC from users who had authorized the contract
According to ChainCatcher news, the SlowMist security team reports that the Rubic cross-chain aggregator project has been attacked, resulting in the theft of USDC from user accounts. The SlowMist security team shared the following in a brief:
Rubic is a DEX cross-chain aggregator that allows users to exchange Native Tokens through the routerCallNative function in the RubicProxy contract. Before the exchange, it checks whether the target Router provided by the user is on the protocol's whitelist.
Only after passing the whitelist check will the target Router provided by the user be called, and the call data is also provided externally by the user.
Unfortunately, USDC was also added to the Router whitelist of the Rubic protocol, allowing any user to call USDC through the RubicProxy contract.
Malicious users exploited this issue by calling the USDC contract's transferFrom interface through the routerCallNative function, moving USDC from users who had authorized the RubicProxy contract into the attacker's account.
The root cause of this attack is the Rubic protocol's erroneous addition of USDC to its Router whitelist, which enabled the theft of USDC from users who had authorized the RubicProxy contract.
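The following is an added illustration, not Rubic's or SlowMist's code: a minimal proxy reproducing the whitelist-then-arbitrary-call pattern the brief describes, beside a hardened variant that keeps user-approved tokens and call targets in disjoint sets and refuses the allowance-spending selector. All contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// The pattern described in the brief: whitelist check, then an arbitrary call
// with caller-supplied calldata. Hypothetical code, not Rubic's.
contract VulnerableProxy {
    address public immutable owner = msg.sender;
    mapping(address => bool) public routerWhitelist;

    function addRouter(address router) external {
        require(msg.sender == owner, "not owner");
        routerWhitelist[router] = true; // nothing prevents a token address here
    }

    function routerCallNative(address router, bytes calldata data) external payable {
        require(routerWhitelist[router], "router not whitelisted");
        // If `router` is an ERC-20 that users approved to this contract, the
        // token sees this contract (the allowance holder) as msg.sender.
        (bool ok, ) = router.call{value: msg.value}(data);
        require(ok, "router call failed");
    }
}

// Hardened variant: tokens users approve are tracked and can never become call
// targets; the allowance-spending selector is refused as defence in depth.
contract HardenedProxy {
    bytes4 private constant TRANSFER_FROM = bytes4(keccak256("transferFrom(address,address,uint256)"));
    address public immutable owner = msg.sender;
    mapping(address => bool) public routerWhitelist;
    mapping(address => bool) public isSpendableToken;

    function registerToken(address token) external {
        require(msg.sender == owner && !routerWhitelist[token], "bad token");
        isSpendableToken[token] = true;
    }

    function addRouter(address router) external {
        require(msg.sender == owner && !isSpendableToken[router], "bad router");
        routerWhitelist[router] = true;
    }

    function routerCallNative(address router, bytes calldata data) external payable {
        require(routerWhitelist[router] && !isSpendableToken[router], "bad target");
        require(data.length >= 4, "calldata too short");
        require(bytes4(data[:4]) != TRANSFER_FROM, "forbidden selector");
        (bool ok, ) = router.call{value: msg.value}(data);
        require(ok, "router call failed");
    }
}
```

The structural check (a registered token can never be whitelisted as a router, and vice versa) is the primary fix; the selector filter is only a backstop, since a whitelisted contract may expose other allowance-consuming entry points.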