ID: harvest-finance-1119

Date: October 20, 2021

Status: Near-Miss

Incident Count: 3

REKT

Contributor: web3rekt.com

KYC By:

KYC:

None

Audit By:

Audits:

Least Authority, Haechi, Peckshield, Certik

Loss Amount: -

Recovered: -

Rewards: 200,000

Currency: USD

Key Indicators

Platform: Ethereum

Type: Protocol

Category: Yield Aggregator

Method: Near-Miss

Data Sources:

Extended Method: Uninitialized proxies bug

Days in Operation: 769 (2.11 Years)

The Dedaub team, auditors and creators of the tool https://contract-library.com/, filed a submission via Immunefi for uninitialized implementation contracts for Uniswap V3 vault proxies found in the well-known Ethereum protocol, Harvest Finance.

This critical bug could have led to the self-destruction of the implementation contract, which could have rendered the proxy contracts useless. This is because of the upgradeable proxy pattern used: one with the upgrade logic residing within the implementation contract rather than the proxy.

Dedaub was paid $100,000 by Harvest Finance, and an additional $100,000 from Armor, due to Harvest’s participation in Armor Finance’s bug bounty matching program.

The vulnerability lies in how upgradeToAndCall() works internally under the Universal Upgradeable Proxy Standard (UUPS). Apart from changing the implementation address to a new one, it atomically executes any migration/initialization function using DELEGATECALL and the data passed along with it. If the initialization function of the new implementation executes the SELFDESTRUCT opcode, the DELEGATECALL caller (the implementation contract) will be destroyed. This happens because upgradeToAndCall() uses DELEGATECALL, and when this function is called directly on the implementation rather than through the proxy, SELFDESTRUCT is executed in the context of the implementation contract.
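A sketch of the two hardening steps commonly applied to this pattern, added here as an illustration and not taken from Harvest Finance's or Dedaub's code: the logic contract locks its own initializer at deployment, and the upgrade entry point refuses to run unless it is reached through a proxy's DELEGATECALL. The contract name, the `governance` variable and the `self` immutable are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only: names are hypothetical, not the protocol's own contracts.
contract HardenedVaultLogic {
    // ERC-1967 implementation slot:
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;

    // Immutables live in code, not storage, so this stays the logic contract's
    // address even when the code runs in a proxy's context.
    address private immutable self = address(this);

    address public governance;
    bool private initialized;

    // Hardening 1: the constructor writes to the logic contract's own storage,
    // so nobody can later call initialize() on it directly and become governance.
    // A proxy's storage is untouched and can still be initialized once.
    constructor() {
        initialized = true;
    }

    // Hardening 2: under DELEGATECALL from a proxy, address(this) is the proxy.
    // A direct call to the logic contract has address(this) == self and reverts.
    modifier onlyProxy() {
        require(address(this) != self, "must be called through proxy");
        _;
    }

    function initialize(address gov) external {
        require(!initialized, "already initialized");
        initialized = true;
        governance = gov;
    }

    function upgradeToAndCall(address newImpl, bytes calldata data) external onlyProxy {
        require(msg.sender == governance, "not governance");
        require(newImpl.code.length > 0, "not a contract");
        bytes32 slot = IMPL_SLOT;
        assembly { sstore(slot, newImpl) }
        if (data.length > 0) {
            // Migration code runs in the proxy's context, never the logic contract's.
            (bool ok, ) = newImpl.delegatecall(data);
            require(ok, "migration failed");
        }
    }
}
```

Either check alone closes the direct-call path described above; deployments typically apply both.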
