On 27th October 2022, Team Finance lost $14.5 million due to a smart contract exploit in its migration function. The “v2 to v3 migration function” – the one that caused the exploit – was added a few months after the audit completion by Hacken.
After they added the “migrate” functionality, Team Finance chose Zokyo as their auditor. Zokyo flagged two vulnerabilities in the said function as critical, but the contract was nevertheless exploited. What went wrong? Let’s review the case to see how the attack unfolded.
Hacken Audit for Team Finance Contracts
When Hacken audited smart contracts for Team Finance, the scope did not contain the “v2 to v3 migration function,” which was exploited in October 2022.
In February 2022, Hacken auditors reviewed and analyzed the Team Finance smart contracts of TrustSwap.
In our audits, we found 2 medium and 2 low-level issues in the following functions: createMultipleLocks and lockTokens, both in the LockToken.sol contract. These functions have never been exploited. On top of that, the notorious “v2 to v3 migration function” was not featured in the contracts that Hacken audited back in February 2022.
Zokyo Smart Contract Audit for Team Finance
On 8th August 2022, Zokyo delivered a smart contract audit report for TrustSwap.
The first audit revision: https://github.com/trustswap/team-finance-contracts/tree/master-merge-nft-liq-v2v3-migrate
The second audit revision: https://github.com/trustswap/team-finance-contracts/tree/master-merge-nft-migrate-nftsvg
The contracts audited by Zokyo:
1. LockNFT.sol
2. NFTDescriptor.sol
3. NFTSG.sol
4. LockToken.sol
Zokyo was really close to finding the ‘culprit’
On page 8 of their audit report, Zokyo gave a detailed breakdown of the “migrate” function.
They described the “v2 to v3 migration” functionality as follows: “Migrates liquidity to v3 by burning v2 liquidity and minting a new position for v3. Initializes the pool if it has not been initialized yet. Refunds Ether or tokens. Updates token details.”
Zokyo auditors found two critical vulnerabilities in Team Finance contracts, including issues in the migrate() function: use of arbitrary token addresses and reentrancy in main functions.
Use of arbitrary token addresses
Reentrancy in main functions
Zokyo did audit the “v2 to v3 migration” function and flagged it as critical. In both cases, Zokyo recommended using the nonReentrant() modifier. Team Finance responded to these critical issues post-audit: “TrustSwap team verified that this is an intended logic and users should be able to use arbitrary token addresses.” On paper, Zokyo found the critical issue. Team Finance verified it. The exploit nevertheless happened. So what went wrong?
Analysis from Hacken
Hacken’s Head of the Smart Contracts Audits Department offered the following explanation for the hack and found the issue:
The exploit happened due to the vulnerability in the ‘migrate’ function.
Why did it happen?
The code lacked validation of the input parameters that go directly into the v3migrator.
What could’ve been done (and was actually done as a fix)?
First, ensure ‘pair’ and ‘tokenAmount’ input parameters match the ones from the ‘lockedERC20’ structure stored on the contract.
Second, ensure the validity of some other parameters.
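One way to express the two checks above, as an added Solidity example that is not Team Finance's code or its actual patch. Only `pair`, `tokenAmount` and `lockedERC20` are names from the article; the struct fields, the owner check and the percentage bound are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Team Finance code. Only `pair`, `tokenAmount` and
// `lockedERC20` are names from the article; every other name is hypothetical.
contract MigrationGuardExample {
    // Assumed shape of a stored lock; the article does not list the real fields.
    struct LockedERC20 {
        address owner;        // account allowed to migrate this lock (assumed)
        address tokenAddress; // locked v2 LP token, i.e. the "pair"
        uint256 tokenAmount;  // amount held under this lock
        bool withdrawn;
    }
    // Assumed shape of the caller-supplied values forwarded to the v3 migrator.
    struct MigrateRequest {
        address pair;
        uint256 tokenAmount;
        uint8 percentageToMigrate; // stands in for the "other parameters"
    }

    mapping(uint256 => LockedERC20) public lockedERC20;
    uint256 public nextId;

    error NotLockOwner();
    error LockWithdrawn();
    error PairMismatch(address stored, address supplied);
    error AmountMismatch(uint256 stored, uint256 supplied);
    error BadPercentage(uint8 supplied);

    // Stand-in for the deposit path; a real contract would pull the tokens here.
    function recordLock(address token, uint256 amount) external returns (uint256 id) {
        id = nextId++;
        lockedERC20[id] = LockedERC20(msg.sender, token, amount, false);
    }

    // Binding check: values bound for the migrator must equal the stored lock.
    function validateMigration(uint256 id, MigrateRequest calldata r) external view {
        LockedERC20 storage l = lockedERC20[id];
        if (l.owner != msg.sender) revert NotLockOwner();
        if (l.withdrawn) revert LockWithdrawn();
        if (r.pair != l.tokenAddress) revert PairMismatch(l.tokenAddress, r.pair);
        if (r.tokenAmount != l.tokenAmount) revert AmountMismatch(l.tokenAmount, r.tokenAmount);
        if (r.percentageToMigrate == 0 || r.percentageToMigrate > 100)
            revert BadPercentage(r.percentageToMigrate);
    }
}
```

The check compares the request against contract state rather than against a list of acceptable tokens, so a request naming a different pair or a larger amount than the caller's own lock holds reverts before anything is forwarded.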
Did Zokyo find the right issue?
At first glance, it appears Zokyo spotted the issue. They did flag it as critical. But if we dive deeper, we see that Zokyo was very close to finding the issue, but couldn’t get to the bottom of it. It should have been formulated differently.
What is the issue mentioned in the Zokyo report?
The issue in the Zokyo report is about the missing whitelist for tokens. However, even if a whitelist were added, the real vulnerability would still be in the code. A whitelist does not solve the problem! You can still deposit whitelisted tokens and exploit the system.
Luckily, funds were returned to Team Finance. But the whole crypto ecosystem has something to learn from this case.
Adding/updating functionality to the code changes it. The audit is no longer relevant after the code changes. To stay relevant and detect new vulnerabilities, projects must audit the contract after introducing any changes. Team Finance did audit the code after introducing new changes. Unfortunately, Zokyo couldn’t fully detect a real critical weakness.
Audit is relevant only when audited code fully matches deployed code
Is the audit still relevant?
✅ Option 1 – no changes made. Answer: Yes, the audit is still relevant because the deployed version fully matches the code.
❌ Option 2 – changes were released. Answer: No, the audit is irrelevant, as we cannot guarantee its safety or what weaknesses it has now.
This certainly is a hard lesson for those involved, but Web3 players must understand that hackers aren’t going anywhere. Bad actors will always look for weaknesses they can exploit to steal funds. In response, Web3 projects must pay more attention to security. Audit relevancy is vital for smart contract security. It’s necessary to perform external code reviews after all significant changes to the code. For everyone interested in audit relevancy and checking whether the audited code matches the deployed code, we recommend monitoring CER.live – the biggest independent database of crypto audits.
Get to the root cause of vulnerabilities
For auditors, the lesson is to be a bit more persistent, especially when it comes to critical issues. Finding and conveying all possible vulnerabilities is really difficult, but that’s what makes you an exceptionally good auditor. At the end of the day, the auditor vouches for the final score with their reputation.