Blockchain security firm CertiK Alert has reported an attack on Midas Capital. The firm added that the exploiter (0x1863…) gained 663,101 MATIC, worth $660,000 at the time of writing.

Midas Capital paused borrowing activities

On Jan. 15, Midas Capital, a venture capital organization that funds and supports blockchain projects, announced that it had paused borrowing on the Jarvis Polygon pool.

Users were informed that the pause was due to an investigation of a suspicious transaction that involved a recently added collateral token (WMATIC_STMATIC).

We've currently paused borrowing on the Jarvis Polygon pool https://t.co/jyjevMVMyF while we investigate a suspicious transaction involving a recently added collateral token

— Midas Capital (@MidasCapitalxyz) January 15, 2023

The WMATIC_STMATIC token was listed last week on the official Midas Capital website with a supply cap of 250,000. The company had discussed adding the token with its team (Jarvis Network) to give pool users new options. The supply caps were implemented to prevent large borrows against such liquidity pool (LP) tokens, but they were not enough.


Midas stated that it had made a wrong judgment: it assumed that the pool comprised solely wrapped ERC20 assets, and it believed that the previous re-entrancy attack, which involves a ‘raw call’ with the chain’s native token, would not affect it.

Midas experienced the same situation before launching on BNB with Ellipsis, when the company heavily backed LP tokens as collateral. Its confidence in its oracle came from Ellipsis, which had strictly removed the ability to conduct ‘raw calls’.

Jarvis Network had multiple bugs

Ancilia, a Web3 partner, stated that Jarvis Network had multiple bugs. Re-entrancy and jFIAT token price manipulation are what led to the loan gain. The attacker used the re-entry opportunity during the send of the native token WMATIC to borrow in bulk. The whitecap hacker later spent 270k WMATIC as collateral and minted 131 jFIAT tokens.

2/ @Jarvis_Network There are multiple bugs. The loan gain are caused by re-entry and price manipulations for jFIAT tokens. Attached screen shot proved the price change(10x) after. During the native token WMATIC send, attacker use the re-entry opportunity to borrow more. pic.twitter.com/OSvsTmiFOU

— Ancilia, Inc. (@AnciliaInc) January 15, 2023

The attacker then created another contract, used one of the ten borrowed amounts to liquidate the debt, and redeemed 103 jFIAT immediately after the price had been forced to change. Suspicion initially fell on the Midas price oracle. Nonetheless, the Polygon implementation contract was the cause of the problem.

After investigating the price oracle, Ancilia found that the price calculation uses a get_virtual_price function that depends on self.D in storage slot 0x10. The self.D value is usually 0x041a1ba29495fff4fab5bc; however, it was ten times larger when the attack happened.
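
A defensive sanity check for the oracle input described above, as an added example (not Midas, Jarvis or Ancilia code): it rejects a self.D reading that jumps beyond a tolerance from the last accepted reading and latches a pause. The 5% tolerance, the class and function names, and the sample readings are assumptions constructed for illustration; only the baseline value comes from the article.

```python
from dataclasses import dataclass
from typing import List, Optional

# Usual self.D value quoted in the article (storage slot 0x10).
NORMAL_D = 0x041A1BA29495FFF4FAB5BC


@dataclass
class DeviationGuard:
    """Hypothetical guard: accept a reading only if it is within max_bps
    of the last accepted reading; otherwise latch a pause."""
    max_bps: int = 500              # assumed tolerance: 5% (basis points)
    baseline: Optional[int] = None  # last accepted reading
    paused: bool = False

    def check(self, reading: int) -> bool:
        if self.paused:
            return False             # stay paused until an operator resets
        if reading <= 0:
            self.paused = True
            return False
        if self.baseline is None:
            self.baseline = reading  # first reading seeds the baseline
            return True
        # Integer arithmetic: these values exceed float precision.
        if abs(reading - self.baseline) * 10_000 > self.baseline * self.max_bps:
            self.paused = True       # do not move the baseline to the outlier
            return False
        self.baseline = reading
        return True


def scan(readings: List[int], guard: Optional[DeviationGuard] = None) -> List[bool]:
    """Run each reading through the guard and return accept/reject flags."""
    guard = guard or DeviationGuard()
    return [guard.check(r) for r in readings]


# Constructed sample: normal value, small drift, the 10x jump, back to normal.
SAMPLE = [NORMAL_D, NORMAL_D * 1001 // 1000, NORMAL_D * 10, NORMAL_D]

if __name__ == "__main__":
    for value, ok in zip(SAMPLE, scan(SAMPLE)):
        print(hex(value), "accepted" if ok else "rejected: pause borrowing")
```

The pause is latched on purpose: once an outlier appears, later readings are refused even if they look normal again, so borrowing stays halted until someone reviews the pool.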