ForTube Security Vulnerability Fix

ForTube
Feb 22, 2021


On February 10th (UTC), the well-known blockchain security researcher @Samczsun notified the ForTube team through Tina @tzhen of a security vulnerability in the smart contract of the ForTube lending platform and assisted in fixing it, eliminating the security risk to the platform. After inspection, no users suffered asset losses due to the vulnerability. Thanks to @Samczsun and @tzhen for their prompt communication and active assistance in this incident.

Event Process:

On February 9th 23:57 (UTC), Sam notified the ForTube team via Tina to internally disclose the logical vulnerability in the ForTube contracts.

The ForTube technical team responded quickly to confirm that the vulnerability was exploitable and immediately executed a global lockdown at February 10th 00:18 (UTC), closing the contract's entry and exit interfaces to ensure the security of user assets and data consistency.

The ForTube team conducted a comprehensive analysis of the vulnerability, identified the root cause and formulated a fix. After modification, verification and comprehensive testing, the fix was deployed to the production environment at 05:52 (UTC), the global lockdown was lifted at 05:58 (UTC), and normal services were restored.

Vulnerability Fix:

The security vulnerability fixed this time is a permission bypass in the contract https://etherscan.io/address/0xfb8174cb37e772e457a1e19504fe8637bb8b0a4a#code. An attacker could forge a request that satisfies the verification conditions and thereby bypass the verification logic in the contract's seizeCheck method. The fix adds, in the seizeCheck method, verification of the source of msg.sender higher in the call stack, so that a request initiated by a contract impersonating an FToken is rejected.
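As an added illustration of the pattern described above (this is not ForTube's code; the contract, mapping and function names are assumptions), a check that only validates the parameters the caller supplies is shown beside one that also verifies msg.sender against the set of registered FToken markets:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical controller used only to demonstrate the two check styles.
contract Controller {
    address public admin;
    // FToken markets this controller actually registered (assumed name).
    mapping(address => bool) public registeredMarkets;

    error UnregisteredCaller(address caller);

    constructor() {
        admin = msg.sender;
    }

    function registerMarket(address fToken) external {
        require(msg.sender == admin, "not admin");
        registeredMarkets[fToken] = true;
    }

    // Weak pattern: only the request parameters are checked. Any contract can
    // pass the addresses of real markets as arguments, so this says nothing
    // about who is actually calling.
    function seizeCheckParamsOnly(address fTokenCollateral, address fTokenBorrowed)
        external
        view
        returns (bool)
    {
        return registeredMarkets[fTokenCollateral] && registeredMarkets[fTokenBorrowed];
    }

    // Hardened pattern: the caller itself must be a registered market and must be
    // the collateral market named in the request. msg.sender is set by the EVM
    // from the calling contract's address, so it cannot be supplied as a parameter.
    function seizeCheck(address fTokenCollateral, address fTokenBorrowed)
        external
        view
        returns (bool)
    {
        if (!registeredMarkets[msg.sender]) revert UnregisteredCaller(msg.sender);
        require(msg.sender == fTokenCollateral, "caller is not the collateral market");
        return registeredMarkets[fTokenBorrowed];
    }
}
```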

Impacts:

After the ForTube team performed a comprehensive inspection of contract assets and back-end audit data, no users suffered asset losses due to the vulnerability.

Subsequent Work:

The ForTube team will conduct a strict and comprehensive inspection of all contract code on the platform and carry out another internal cross-audit of all public interfaces to prevent similar vulnerabilities. In subsequent development work, the most stringent verification rules will be applied to the call permissions of public interfaces, in particular strict verification of the call source and of incoming parameters, to avoid such risks.

Finally, thanks again to Sam and Tina for their contributions in this incident. We will distribute bounties to them according to our bug bounty program https://for.tube/bounty. ForTube sincerely hopes that blockchain security researchers and the white hat community can work closely with the DeFi industry towards a safer and healthier ecosystem.

Be sure to follow us on social media for more updates and mining campaigns:

▲Announcement channel: https://t.me/the_force_announcement
▲Medium: https://fortube.medium.com/
▲ForTube website: https://www.for.tube/home
▲Twitter: https://twitter.com/ForTubeFi
▲Github: https://github.com/thefortube
▲Knowledge Library of ForTube platform: https://docs.for.tube/


ForTube is the world’s top DeFi lending platform launched by The Force Protocol.