ID: port-finance-1109
Date: March 29, 2022
Status: Near-Miss
Incident Count: 1

Contributor: web3rekt.com

KYC By:
KYC: None

Audit By:
Audits: None

Loss Amount: -
Recovered: -
Rewards: 630,000
Currency: USD

Key Indicators

Platform: Multi-chains
Type: Protocol
Category: Assets
Method: Near-Miss
Data Sources:

Extended Method: Logic error allowing obligation collateral to be liquidated at a quicker pace than the borrow is being repaid.

Days in Operation: 501 (1.37 Years)

Whitehat nojob reported a critical vulnerability in Port Finance via Immunefi on March 29. If a malicious attacker had exploited the vulnerability, they could have stolen $20–25 million. But because of nojob’s responsible disclosure, no user funds were lost. Port Finance promptly patched the bug and paid the whitehat $180,000 USD and $450,000 in PORT tokens linearly vested over a year. This is the max payout for Port Finance’s bounty program.

Port Finance is a lending protocol that aims to provide an entire suite of fixed income products including variable rate lending, fixed rate lending and interest rate swaps.

Before Port Finance patched the bug, a malicious user could, under certain assumptions, have withdrawn all of their obligation's collateral without paying off their full debt. The Obligation::max_withdraw_value function was fixed by introducing the withdraw_collateral_ltv parameter, which denotes the LTV of the reserve corresponding to the withdrawn collateral, and by calculating the maximum withdraw value as the difference between the allowed borrow value and the borrowed value, divided by that reserve LTV.
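
The patched rule described above, written out as an added example (this is not Port Finance's code, and the page does not show the pre-patch function). Only max_withdraw_value and withdraw_collateral_ltv are names from the write-up. The structs, the integer "x100" scaling, the sample obligation and the blended-LTV contrast function are assumptions made for illustration.

```rust
// Added illustration, not Port Finance's code. Only max_withdraw_value and
// withdraw_collateral_ltv are names from the write-up; the rest is assumed.
// Values are USD, LTVs are whole percent; "x100" keeps the math in integers.
struct Deposit { value: u64, ltv_pct: u64 }
struct Obligation { deposits: Vec<Deposit>, borrowed_value: u64 }

impl Obligation {
    /// Allowed borrow value times 100: sum of value * LTV% over all deposits.
    fn allowed_borrow_x100(&self) -> u64 {
        self.deposits.iter().map(|d| d.value * d.ltv_pct).sum()
    }
    /// Borrow headroom times 100; zero when the obligation is at or under water.
    fn headroom_x100(&self) -> u64 {
        self.allowed_borrow_x100().saturating_sub(self.borrowed_value * 100)
    }
    /// Patched rule as described: headroom divided by the LTV of the reserve
    /// the withdrawn collateral belongs to.
    fn max_withdraw_value(&self, withdraw_collateral_ltv: u64) -> u64 {
        if withdraw_collateral_ltv == 0 {
            return u64::MAX; // assumption: 0-LTV collateral backs no borrow
        }
        self.headroom_x100() / withdraw_collateral_ltv
    }
    /// Constructed contrast: one obligation-wide average LTV as the divisor.
    fn max_withdraw_value_blended(&self) -> u64 {
        let deposited: u64 = self.deposits.iter().map(|d| d.value).sum();
        match self.allowed_borrow_x100() {
            0 => 0,
            allowed => self.headroom_x100() * deposited / allowed,
        }
    }
    /// Invariant: the borrow is still covered after `amount` of deposit `i` leaves.
    fn healthy_after_withdraw(&self, i: usize, amount: u64) -> bool {
        let d = &self.deposits[i];
        let removed = amount.min(d.value) * d.ltv_pct;
        self.allowed_borrow_x100() - removed >= self.borrowed_value * 100
    }
}

/// Constructed sample: 1000 USD at 90% LTV, 1000 USD at 50% LTV, 1000 USD borrowed.
fn sample() -> Obligation {
    let deposits = vec![Deposit { value: 1000, ltv_pct: 90 }, Deposit { value: 1000, ltv_pct: 50 }];
    Obligation { deposits, borrowed_value: 1000 }
}

fn main() {
    let o = sample();
    let (patched, blended) = (o.max_withdraw_value(90), o.max_withdraw_value_blended());
    println!("patched {} ok={}", patched, o.healthy_after_withdraw(0, patched));
    println!("blended {} ok={}", blended, o.healthy_after_withdraw(0, blended));
}
```

With the per-reserve divisor, the post-withdrawal invariant holds for either collateral; with a single blended divisor, the limit is too generous for the above-average-LTV reserve and the invariant check fails.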
