How OpenZeppelin Foiled a Catastrophic Hack in a Compound Wargame Simulation

with the SEAL Chaos Team

Earlier this year, a group of security experts from OpenZeppelin, Chainlink, Gauntlet, and the Compound community met virtually via a dedicated communication channel to collaboratively stress-test their ability to respond to a real-life security breach. Leveraging a hard-forked version of Ethereum, the simulated attack involved the deployment of various bots to replicate user activity within Compound Finance, a leading DeFi protocol holding over $2 billion in collateral. During the simulation, an unknown vulnerability was introduced, challenging OpenZeppelin's security experts to identify the issue and respond accordingly. 

The attack simulation was organized by the SEAL Chaos Team consisting of samczsun, Head of Security at Paradigm, Isaac Patka, Co-Founder of Shield3, and numerous other security experts. This team takes projects through incident response exercises to assess a project's threat model, before running a security incident simulation. In early July, The SEAL Chaos team used the Compound Protocol as the testing grounds for their new initiative. As the protocol is decentralized, the exercise was designed to assess the response from a variety of protocol contributors of which OpenZeppelin is foremost as the Compound DAO’s dedicated security partner.

The simulation infrastructure consisted of replicating monitoring built by OpenZeppelin using Forta bots which was then setup on a custom network by the Chaos team along with a custom block explorer dedicated to the forked network. To accurately simulate market and attacker activity, the team also deployed custom bots and scripts. This comprehensive setup allowed for a realistic and thorough evaluation of the system's security measures and response capabilities. OpenZeppelin has since released support for custom forked networks in Defender, its own security operations platform used by Compound, Matter Labs and other web3 teams.

In the course of the simulated attack, a rogue simulated oracle was made to report incorrect WETH prices 28% higher than market value, leading to conditions that would have allowed malicious actors to withdraw an excess of USDC stablecoins by using inflated WETH values as collateral. This market irregularity triggered alerts via the tailor-made Defender monitoring suite built for Compound by OpenZeppelin. Such detection was made possible by the integrated Forta bots that showed that the simulated oracle was reporting a much higher price for WETH than the anchor price.

The team identified that if the reported oracle price is above the 15% acceptance threshold from the Uniswap anchor price and Comet was accepting these prices, then the protocol was at risk of a market manipulation attack. Additional market monitor alerts showed the exploit pattern where the simulated attacker would take advantage of this inflated price by depositing WETH as collateral and then withdrawing USDC at a higher value. Upon seeing these alerts, the team confirmed that the Comet contract was currently being exploited by a price manipulation attack that took advantage of the simulated oracle reporting an inflated price for WETH. The attacker was supplying a dollar value of collateral, but borrowing greater than that value in USDC, slowly draining the Comet pool, leading to a total loss of  around $650-700k.

The team immediately began to put together an incident document to track the roles, statuses, communication channels, and timeline. Team members were assigned specific roles, with OpenZeppelin filling the Operations Lead and a Compound Labs team member as the Incident Commander. 

After the exploit had been confirmed, the team discussed pausing the WETH market to mitigate the exploitation and prevent further loss of funds. The signers on the Pause Guardian multisig began to prepare a transaction that would pause the WETH market completely. The figure below shows the signed message used to represent a pause transaction for every signer.
Since all functionality would be paused, the team also began to identify any impact to liquidations that would result from pausing all actions.

The top priority at this point was to pause all actions on WETH and the team collected signatures to execute the pause transaction while continuing to assess the overall impact. Once the transaction was executed, the team confirmed that the pause was effective and that malicious transactions were now failing. Finally, with the immediate impact mitigated, the team shifted the discussions to a full root cause analysis and post-mortem, while also drafting public communications to go out via Twitter.

For protocols implementing OpenZeppelin’s Pausable contract, such functionality can be executed natively within the Defender platform, queuing up a pause transaction immediately for multi-sig members to sign or even executed via relayer without depending on human intervention.

Live simulations play a vital role in enhancing Web3 security. These simulations enable trusted parties in the field to cultivate relationships and strengthen security measures. With its extensive experience in smart contract security and its role in the attack simulation with the Compound DAO, OpenZeppelin is at the forefront of the industry's security efforts. By participating in the alliance's collaborative initiatives, OpenZeppelin aims to contribute to the development of large-scale public goods that improve the security of blockchain ecosystems.

Similar live simulations are offered to security-focused clients wishing to stress test their incident response capabilities. Contact us to discuss the Incident Response needs of your DAO, Dapp, DeFi protocol, or Metaverse project.