Token Bonding Curve: Vulnerability Report
Last week one of the members of our community brought to our attention that there was a vulnerability in MetaSoccer’s Token Bonding Curve (TBC). This vulnerability was not exploited; we halted trading immediately and solved the issue within 24 hours.
Once again, we’d like to assure you that it’s completely safe to continue your transactions there. However, because transparency is one of our main values, we’d like to share with you more details about this occurrence.
How could the contract be exploited?
As you may know, a TBC is a smart contract that has control over the token supply, and it continuously mints and burns tokens. It acts as an on-chain automated market maker (AMM) that ensures liquidity for anyone willing to enter or exit the metaverse. Usually, the price increases when minting and decreases when burning.
You can check more details in this video.
Our custom TBC contract let anyone open orders on behalf of any wallet that had previously approved the TBC contract to spend all of its DAI and $MSU, effectively forcing that wallet to buy or sell. The proceeds of such an order would still have gone to the wallet that paid for it, but an attacker could have used forced orders to push the $MSU price up or down and take profit from those artificial movements.
For example, an attacker could have bought a large amount of $MSU, forced buys from other approved wallets to push the price up, and then sold their own $MSU at a profit. They could then have forced sells from the same wallets to push the price back down and start the cycle again.
Fortunately, this never happened, because a kind member of our community reported the issue to us privately before any damage was done. Thanks go to CATOPUSofCRYPTO!
Why wasn’t this reported during audits?
When developing the TBC contract, and in its tests, MetaSoccer expected to use an approval limited to the amount of a given order: once the order was processed, the contract would hold no remaining allowance to keep spending a user's funds. This meant each trade on the TBC required three transactions (Approval, Create Order, Claim Order), so when we started testing the UX we switched to granting an "infinite" approval: users needed to sign three transactions for their first trade, and only two for every trade after that. That is where the vulnerability was introduced: a standing, unlimited allowance combined with a contract that let the caller name the wallet whose funds an order would spend.
So, we could say the contract itself was safe under the approval model it was designed and tested with (one approval per order), but the way users ended up interacting with it was not. That is why the TBC audits, which reviewed the contract under the original approval model, did not catch this problem.
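To make the two paragraphs above concrete, here is an illustrative "before" and "after" of the pattern described: an order contract whose create-order function takes the paying wallet as a parameter, beside one that only ever spends the caller's own allowance. This is example code added to this write-up; it is not MetaSoccer's TBC contract, and the names (`TBCBase`, `TBCVulnerable`, `TBCFixed`, `createOrder`, `claimOrder`, `ICurveToken`), the linear pricing constants and the mint/burn interface are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface used by the curve.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Curve token the TBC mints on buys and burns on sells (assumed interface, not $MSU's real one).
interface ICurveToken is IERC20 {
    function mint(address to, uint256 amount) external;
    function burn(uint256 amount) external; // burns tokens currently held by the TBC
}

/// Shared order book and deliberately simple linear pricing. Orders are opened in one
/// transaction and claimed in another, mirroring the Create Order / Claim Order split.
abstract contract TBCBase {
    IERC20 public immutable dai;
    ICurveToken public immutable msu;
    uint256 public supply;                      // token minted through this curve
    uint256 public constant BASE_PRICE = 1e17;  // 0.10 DAI per token (assumed)
    uint256 public constant SLOPE = 1e9;        // DAI wei added per 1e18 wei of supply (assumed)

    struct Order { address owner; uint256 amountIn; bool isBuy; bool claimed; }
    Order[] public orders;

    constructor(IERC20 _dai, ICurveToken _msu) { dai = _dai; msu = _msu; }

    function price() public view returns (uint256) {
        return BASE_PRICE + supply * SLOPE / 1e18;
    }

    // Pulls the input token from `owner` via its allowance and records the order for `owner`.
    // Whether `owner` may be anyone other than msg.sender is the entire difference below.
    function _open(address owner, uint256 amountIn, bool isBuy) internal returns (uint256 id) {
        IERC20 tokenIn = isBuy ? dai : IERC20(msu);
        require(tokenIn.transferFrom(owner, address(this), amountIn), "transferFrom failed");
        orders.push(Order(owner, amountIn, isBuy, false));
        return orders.length - 1;
    }

    // Settles at the current price. Proceeds always go to the order owner, which is why
    // a forced order hurts through price movement rather than through stolen proceeds.
    function claimOrder(uint256 id) external {
        Order storage o = orders[id];
        require(!o.claimed, "already claimed");
        o.claimed = true;
        if (o.isBuy) {
            uint256 out = o.amountIn * 1e18 / price();
            supply += out;
            msu.mint(o.owner, out);
        } else {
            uint256 out = o.amountIn * price() / 1e18;
            supply -= o.amountIn;
            msu.burn(o.amountIn);
            require(dai.transfer(o.owner, out), "DAI transfer failed");
        }
    }
}

/// "Before": the caller names the wallet that pays. Once that wallet has granted an
/// unlimited allowance, any third party can open buy or sell orders against it.
contract TBCVulnerable is TBCBase {
    constructor(IERC20 d, ICurveToken m) TBCBase(d, m) {}

    function createOrder(address owner, uint256 amountIn, bool isBuy) external returns (uint256) {
        return _open(owner, amountIn, isBuy); // VULNERABLE: owner is attacker-controlled
    }
}

/// "After": only msg.sender's allowance can ever be spent. A standing approval still saves
/// the user a signature per trade, but gives nobody else a lever on their funds.
contract TBCFixed is TBCBase {
    constructor(IERC20 d, ICurveToken m) TBCBase(d, m) {}

    function createOrder(uint256 amountIn, bool isBuy) external returns (uint256) {
        return _open(msg.sender, amountIn, isBuy);
    }
}
```

The check worth keeping in the test suite is the one the original approval model never exercised: have one account grant `type(uint256).max` allowance to the curve, then call `createOrder` from a different account naming the first one. Against `TBCVulnerable` the call succeeds and the victim's DAI (or token) moves into the curve; against `TBCFixed` there is no parameter through which to name anyone but the caller. More generally, any "on behalf of" address parameter that feeds `transferFrom` should be treated as a privilege escalation path whenever users are asked for unlimited approvals.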
How was it fixed?
The previous TBC contract was halted as soon as the problem was reported, and the team focused on fixing the vulnerability and deploying the new, corrected contract as quickly as possible. The whole process took less than 24 hours, but that was enough for the $MSU price to drop to around €0.09/$0.095.
We didn't want to penalize our community for this price drop, so we bought back $MSU to compensate for it just before the new Token Bonding Curve started trading, bringing the $MSU price back to around €0.11/$0.12.
Introducing MetaSoccer’s Bug Bounty Program
We take security very seriously, and we want to take this opportunity to formally announce our Bug Bounty Program. While we do our best to make sure the MetaSoccer ecosystem is as secure as possible, we’re also aware that we’re dealing with cutting-edge technology and the risks involved. We believe a healthy community and aligned incentives are the best way to be protected against these risks, and a generous Bug Bounty Program is key for this.
With this program we want to recognize the importance and value of security researchers’ efforts in helping keep our community safe. Rewards will be attributed to anyone who responsibly reports any bug or malfunction related to the smart contracts or other parts of the MetaSoccer ecosystem that may have an impact on users and project assets.
Responsible investigation and reporting includes, but is not limited to, the following:
- Do not violate the privacy of other users, destroy data, or disrupt MetaSoccer services.
- Do not target physical security measures or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, and the like.
- Report the bug only to us and not to anyone else — public disclosure of a vulnerability makes it ineligible for a reward.
- Provide us a reasonable amount of time to fix a vulnerability prior to sharing details of the vulnerability with any other party.
Rewards will be decided on a case-by-case basis at the sole discretion of the MetaSoccer team, based on the chart below.
Issues that have already been submitted by another user or are already known to the MetaSoccer team are not eligible for bounty rewards.
Responsible disclosure can be made by emailing firstname.lastname@example.org. Try to include as many details as possible about the vulnerability, potential impact, steps for reproducing it as well as possible fixes. Please allow two days for a response before sending another email.
We continue to improve MetaSoccer’s ecosystem daily, and we always count on our community to help us with feedback. We’re in this together!