The story started when my friend Andrei Kei VV first noticed that over 30 Zapper contracts had had a critical bug since November 2020. All of them used similar logic for external calls to exchanges like 0x. As a result, anyone who had given any of those contracts an allowance to spend their ERC20 tokens was in danger of losing tokens from their wallet at any time.
The vulnerability in those 35 contracts potentially let anyone call any method of any contract on behalf of the Zapper contracts. Therefore every wallet that had an ERC20 approval for one of those contracts turned out to be vulnerable, and an exploiter could transfer funds from user wallets directly to their own via specially engineered calls to the Zapper contracts.
The problem was that the swapTarget address could be set to any ERC20 token and a call to transferFrom(userWithAllowance, exploiterAddress, amount) could be encoded into swapCallData. As a result, funds would be transferred to exploiterAddress from the userWithAllowance wallet, which had given an allowance to the vulnerable contract at any time in the past.
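To make the pattern concrete, here is an added illustration (my own sketch, not Zapper's actual code) of the unrestricted external call next to a hardened form that allow-lists swapTarget and only ever spends the caller's own allowance; the contract and function names are hypothetical:

```solidity
// Added illustration (not Zapper's code): a minimal "zap" contract showing the
// arbitrary-call pattern described above, next to a hardened version that only
// forwards swapCallData to an owner-approved swap target. Names are hypothetical.
pragma solidity ^0.8.0;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE: swapTarget and swapCallData are fully caller-controlled, so any
// contract (including an ERC20 token on which users approved this contract)
// can be called on this contract's behalf with arbitrary arguments.
contract VulnerableZap {
    function zap(address swapTarget, bytes calldata swapCallData) external payable {
        (bool ok, ) = swapTarget.call{value: msg.value}(swapCallData);
        require(ok, "swap failed");
    }
}

// HARDENED: only owner-approved exchange contracts may be called, and the
// input token is pulled from msg.sender only, never from an arbitrary address.
contract HardenedZap {
    address public immutable owner;
    mapping(address => bool) public approvedTargets;

    constructor() {
        owner = msg.sender;
    }

    function setApprovedTarget(address target, bool approved) external {
        require(msg.sender == owner, "not owner");
        approvedTargets[target] = approved;
    }

    function zap(
        address fromToken,
        uint256 amount,
        address swapTarget,
        bytes calldata swapCallData
    ) external payable {
        require(approvedTargets[swapTarget], "swap target not approved");
        // The user's allowance is only ever spent on behalf of the caller itself.
        require(IERC20(fromToken).transferFrom(msg.sender, address(this), amount), "pull failed");
        (bool ok, ) = swapTarget.call{value: msg.value}(swapCallData);
        require(ok, "swap failed");
    }
}
```

The allow-list only helps if none of the approved targets can itself forward arbitrary calls, so each listed exchange contract needs the same review; users should also revoke stale approvals to contracts they no longer use.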
After the development work, VV reached out to Zapper, collaborated with their dev team, deployed contracts, and performed the attack. In the end, he transferred ownership of the safe storage contract to the Zapper team (transaction 0x6a3eedcd970b3ba2c2d24942aa81e46ab07479be02e95e709308e82592615fca).
He hadn’t used a private pool, and as a result part of his transactions were frontrun by bots. Luckily, the bot owners contacted the Zapper developer team, and most of the funds appear to have been restored.
After reading his post-mortem, I DMed him and asked whether frontrun bots could protect the project from the withdrawal of money under “certain” conditions. To me it seemed that Zapper might have been using their own bots.
I received an answer that he doubted the bots belonged to the project. I also asked on the forum and got a similar answer, but I decided to look at it again from a different angle.
While searching for information about such cases, I found this article where the same use of front-run bots is described (coincidence or not, there were two of them there too), and some other less known cases: with Curve and Wild Credit.
Apparently, the Bancor team or some white-hat hackers discovered this issue before anyone could begin draining user wallets and made attempts to rescue user funds by withdrawing them from user wallets. Subsequently, two automatic front-runners joined in, helping the Bancor team to withdraw funds from user wallets.
As a result, even if such bots are currently used only by the community and not by projects, now is the time to integrate them into SIEM and other incident-monitoring tools. It opens a unique opportunity for the first fair use of frontrunning.
Only one question still remains: whether it is ethically correct or not? Personally, I took the easy way out and made the decision that lets me sleep most soundly: returning the money to users is worth it.