ID: sovryn-1147
Date: March 11, 2021
Status: Near-Miss
Incident Count: 1

Contributor: web3rekt.com

KYC By:
KYC: None

Audit By:
Audits: None

Loss Amount: -
Recovered: -
Rewards: 76,568
Currency: USD

Key Indicators
Platform: Ethereum
Type: Dapp
Category: Lending
Method: Rewards - Bug Bounties
Data Sources:

Extended Method:

A malicious user could call borrow(), pass a valid loanId/borrower pair (each loanId maps to a borrower address), and then enter an arbitrary address for the receiver parameter.

Days in Operation: 774 (2.12 Years)

Sovryn is an on-chain decentralized trading and lending protocol deployed on RSK, a side chain of the Bitcoin blockchain. As a lending platform, it lets users lend to and borrow from a pool. Lending is how users earn interest on their BTC, and that interest comes from the fees which borrowers pay when they borrow BTC to engage in margin trading.

Whitehat Turbo (Discord: turbo#1177) submitted a “critical” and a “high” vulnerability in Sovryn’s smart contract to Immunefi on March 11, 2021. The critical vulnerability consisted of a failure to validate that the receiver of the proceeds of a collateralized loan was the same entity as the borrower, meaning a malicious user could request a loan based on unused collateral from another user. Effectively, this let a malicious user steal an amount equal to the amount of the collateral. The high vulnerability applied to margin trades on Sovryn. While users could be pushed into undesirable positions, no funds could have been stolen, so this vulnerability was ranked as “high”.
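As an added illustration, not Sovryn's code, the following simplified Solidity lending pool shows the class of bug described in the Extended Method and in the paragraph above (a borrow() that checks the loanId/borrower pair but never ties the receiver to the borrower) beside a hardened version. All contract, struct and function names are hypothetical, and collateral is modelled as a plain number rather than a token transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical, simplified lending pool (not Sovryn's contract).
contract LoanPool {
    struct Loan {
        address borrower;   // who posted the collateral
        uint256 collateral; // collateral not yet borrowed against
        bool active;
    }

    mapping(bytes32 => Loan) public loans;          // loanId -> Loan
    mapping(address => uint256) public balances;    // loan proceeds credited per address

    // Collateral is abstracted as a number so the example stays self-contained.
    function openLoan(bytes32 loanId, uint256 collateral) external {
        require(!loans[loanId].active, "loan exists");
        loans[loanId] = Loan(msg.sender, collateral, true);
    }

    // Vulnerable form: the loanId/borrower pair is validated, but the
    // receiver is accepted as-is, so another user's unused collateral can be
    // credited to an arbitrary address.
    function borrowUnchecked(bytes32 loanId, address borrower, address receiver, uint256 amount) external {
        Loan storage loan = loans[loanId];
        require(loan.active, "no such loan");
        require(loan.borrower == borrower, "loanId/borrower mismatch");
        require(amount <= loan.collateral, "exceeds collateral");
        loan.collateral -= amount;
        balances[receiver] += amount; // missing: is receiver the borrower?
    }

    // Hardened form: only the borrower bound to the loanId may draw on it, and
    // the proceeds can only be credited to that borrower.
    function borrow(bytes32 loanId, address borrower, address receiver, uint256 amount) external {
        Loan storage loan = loans[loanId];
        require(loan.active, "no such loan");
        require(loan.borrower == borrower, "loanId/borrower mismatch");
        require(msg.sender == borrower, "caller is not the borrower");
        require(receiver == borrower, "receiver must be the borrower");
        require(amount <= loan.collateral, "exceeds collateral");
        loan.collateral -= amount;
        balances[receiver] += amount;
    }
}
```

The msg.sender check is an extra hardening step beyond the receiver check the write-up calls out; in a real protocol it would typically allow delegated or contract callers that the borrower has explicitly authorized.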

With recommendations from Immunefi, the whitehat received a base payout of $50,000 for the critical vulnerability, raised to $76,568 by the payout for the high vulnerability and the 15% bonus that was in place at the time of submission.

DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any or all usage of the data and information derived from this database.