The exploiter used a “panic” function buried within eight different smart contracts to remove $1 million worth of users’ funds without their permission.
On June 26, decentralized finance (DeFi) aggregator Chibi Finance was exploited by its own deployer account, and $1 million worth of cryptocurrency was drained from its contracts in an apparent rug pull or exit scam.
The protocol’s official user interface disappeared, producing a 404 error, and all social media for the app was taken down. After the funds were drained, they were swapped for Wrapped Ether (WETH) and bridged to Ethereum, where they were afterward sent to Tornado Cash by the attacker.
The price of the Chibi Finance (CHIBI) governance token fell by over 90% as the news broke.
But “rug pulls” shouldn’t be possible in DeFi. After all, these apps, by definition, don’t run on centralized infrastructure. So the app’s creator shouldn’t be able to run off with everyone’s crypto or cash.
For this reason, it might be useful to analyze how the alleged scam was pulled off.
CertiK has produced a detailed report after investigating the incident. When combined with blockchain data, this report can shed light on how the attack occurred and what users can do to protect themselves against similar attacks or scams in the future
The Chibi Finance app
Before its user interface went offline, Chibi described itself as “the most popular yield aggregator on Arbitrum.” It claimed to allow users to gain yield from across the Arbitrum ecosystem.
According to CertiK, the DeFi aggregator has been growing in total value locked (TVL) — a measurement of the value of crypto held in an app’s contracts — since it launched in April. On June 21, Chibi announced it had achieved $500,000 in TVL. At the time, the team stated a goal to reach $1 million.
On June 26, the app was listed on CoinGecko for the first time, giving it greater exposure. It seems to have reached its $1 million goal shortly after this event, right before the tokens were drained from its contracts. As a result, investors lost over $1 million worth of crypto in the attack or scam.
Chibi Finance contracts
The attack exploited a loophole in eight different contracts used in the Chibi Finance protocol. These contracts were forked from other projects and were not unique to Chibi. For example, one of them was StrategyAave.sol at Arbitrum address 0x45E8a9BA6Fcd612a30ae186F3Cc93d78Be3E7d8d, which has also been deployed to several other addresses on Abitrum, Ethereum, the BNB Smart Chain and other networks.
Another example is the StrategySushiSwap.sol contract at 0x9458Ea03af408cED1d919C8866a97FB35D06Aae0. This also has several versions on Arbitrum and other networks.
These contracts appear to be commonly used in DeFi aggregator applications, not just Chibi Finance.
Blockchain data reveals that some of the contracts used by Chibi Finance contain a “panic” function that can be used to withdraw all tokens from a pool and send them to a particular address. This function was essential to the attacker’s method. Here is an explanation of how it works, with StrategySushiSwap.sol being used as an example:
Lines 340–343 of StrategySushiSwap.sol state that if the panic() function is called, it will call a second function named “emergencyWithdraw” on the ISushiStake contract.
How can Chibi-style rug pulls be avoided?
Given that the attack relied on a “panic” function that allowed an admin to drain all of the users’ funds, one way to avoid a Chibi-style rug pull would be not to use apps that have this function.
On the other hand, if an aggregator doesn’t have a “panic” function, there is a risk that the user’s funds could get stuck if a bug or exploit is discovered within the aggregator app. Users may want to consider these tradeoffs if they decide to use aggregator apps instead of directly interacting with the underlying pools.
DeFi users may also want to consider that smart contract code can be extremely complex, and it may not be possible for most users to determine on their own whether an app has a security flaw. As CertiK claimed in its report:
“The Chibi Finance incident demonstrates the risks that are associated with centralization in the Web3 space.[…]It is an unrealistic expectation for regular investors to spot and understand the centralization risks within projects like Chibi Finance by simply doing their own research.”
For this reason, users may want to check an app’s published audits before using it, CertiK stated.
Chibi Finance claimed to be audited by blockchain security firm SolidProof. The contents of the alleged audit are no longer available, as the project’s GitHub has been taken down and was never saved by internet archives. Cointelegraph could not determine whether the risks posed by the “panic” function were disclosed in the audit report or even whether an audit took place.
Cointelegraph has reached out to SolidProof for comment but did not receive a reply by publication.
Rug pulls or exit scams have become a common problem in the DeFi space. On June 1, blockchain security firm Beosin reported that over $45 million was lost from rug pulls in May, outpacing regular DeFi exploits. In April, the Ordinals Finance protocol was also allegedly rugged for $1 million through a “safuToken” transfer function.