Gym Network is a yield aggregator on Binance Smart Chain (BSC) that lets users deposit tokens such as BUSD to earn yield from BSC DeFi. Once deposited, users earn GYMNET tokens as a reward, and the yield from BSC DeFi is used to buy back and burn GYMNET.
On June 8, 2022, a hacker bypassed the deposit process entirely and minted GYMNET tokens for themselves directly.
The Gym devs had failed to include a “call verification” on the depositFromOtherContract() method, i.e. a check that the caller was one of the contracts allowed to invoke it. Anyone could therefore call the method directly with an arbitrary deposit amount and be credited as much GYMNET as they wanted, without depositing any BUSD. Around $2.1m was stolen.
So why couldn’t this hack have happened on Radix’s upcoming Babylon release?
On Radix, tokens are native first-class features of the platform. Tokens live in vaults inside smart contract components, and are physically passed between vaults through “buckets”.
If “Gym Network” were built on Radix, users would keep direct custody of their tokens in their own account component, instead of the tokens existing only as balance entries in someone else’s smart contract.
To deposit BUSD, a user sends the tokens to the “Gym Network” component’s vault. Tokens moving between vaults must travel in a bucket: a temporary container that must be empty by the end of the transaction, otherwise the whole transaction fails.
Only after those tokens have actually been received via a bucket, with Radix Engine validating that the correct tokens are placed in the correct vault, does “Gym Network” on Radix check how many tokens arrived and mint GYMNET to send back to the user.
Because this validation is performed by Radix Engine rather than left to the developer, the Gym Network hack would fail immediately on Radix: there is no way to call “Gym Network”’s deposit method without a bucket of real BUSD, and the amount of GYMNET minted follows from what that bucket actually contains rather than from a number the caller supplies.
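To make the contrast concrete, here is an added example in plain Rust (it is not code from the original post, from Gym Network, or from Radix, and it is not Scrypto). The `engine` module is a deliberately minimal stand-in for the three Radix Engine rules described above: a bucket can only come from a vault or a mint, a vault only accepts its own resource, and a bucket must be empty when it is dropped. Against that, `deposit_from_other_contract` mirrors the balance-sheet pattern behind the Gym Network incident, and `AssetOrientedGym::deposit` mirrors the bucket-based flow. All type and function names, the resource addresses, the balances and the 1:1 reward rate are assumptions made for this illustration.

```rust
// Added example for this page: a plain-Rust model of the two deposit designs
// discussed above. It is NOT Scrypto or Radix Engine code; `engine`, `Bucket`,
// `Vault`, `MintBadge`, both Gym designs, the balances and the 1:1 reward rate
// are simplified stand-ins written for this illustration.
use std::collections::HashMap;

mod engine {
    #[derive(Clone, Copy, PartialEq, Eq, Debug)]
    pub struct ResourceAddress(pub u32);
    /// Temporary token container. Outside this module it cannot be built from an
    /// integer: the only sources are `Vault::take` and `MintBadge::mint`. Dropping
    /// it non-empty fails, mirroring "buckets must be empty by transaction end".
    pub struct Bucket { resource: ResourceAddress, amount: u128 }
    impl Bucket { pub fn amount(&self) -> u128 { self.amount } }
    impl Drop for Bucket {
        fn drop(&mut self) { // no second panic while already unwinding
            assert!(self.amount == 0 || std::thread::panicking(), "bucket dropped non-empty");
        }
    }
    /// Persistent storage that only ever accepts its own resource.
    pub struct Vault { resource: ResourceAddress, amount: u128 }
    impl Vault {
        pub fn new(resource: ResourceAddress) -> Self { Vault { resource, amount: 0 } }
        /// Constructed starting balance for the scenarios below.
        pub fn with_balance(resource: ResourceAddress, amount: u128) -> Self { Vault { resource, amount } }
        pub fn amount(&self) -> u128 { self.amount }
        pub fn take(&mut self, amount: u128) -> Bucket {
            assert!(amount <= self.amount, "insufficient balance");
            self.amount -= amount;
            Bucket { resource: self.resource, amount }
        }
        /// Engine-side check: a bucket of the wrong resource aborts the transaction.
        pub fn put(&mut self, mut bucket: Bucket) {
            assert_eq!(bucket.resource, self.resource, "wrong resource for this vault");
            self.amount += bucket.amount;
            bucket.amount = 0; // emptied, so dropping it is now allowed
        }
    }
    /// Minting authority for one resource (who may hold it is left out of this model).
    pub struct MintBadge(ResourceAddress);
    impl MintBadge {
        pub fn new(resource: ResourceAddress) -> Self { MintBadge(resource) }
        pub fn mint(&self, amount: u128) -> Bucket { Bucket { resource: self.0, amount } }
    }
}
use engine::*;

pub const BUSD: ResourceAddress = ResourceAddress(1);
pub const GYMNET: ResourceAddress = ResourceAddress(2);

/// Design 1: the balance-sheet pattern behind the incident. Balances are map entries
/// and the entry point trusts a caller-supplied amount: no check of who is calling,
/// no proof that any BUSD arrived.
pub fn deposit_from_other_contract(gymnet_balance: &mut HashMap<String, u128>, user: &str, amount: u128) {
    *gymnet_balance.entry(user.to_string()).or_default() += amount;
}

/// Design 2: the asset-oriented pattern. `deposit` needs a real Bucket, the vault
/// rejects anything that is not BUSD, and the mint is sized from what arrived.
pub struct AssetOrientedGym { busd_vault: Vault, minter: MintBadge }
impl AssetOrientedGym {
    pub fn new() -> Self { Self { busd_vault: Vault::new(BUSD), minter: MintBadge::new(GYMNET) } }
    pub fn busd_held(&self) -> u128 { self.busd_vault.amount() }
    pub fn deposit(&mut self, busd: Bucket) -> Bucket {
        let received = busd.amount();
        self.busd_vault.put(busd); // aborts unless the bucket really holds BUSD
        self.minter.mint(received)
    }
}

/// Scenario A: 1,000,000 BUSD that never existed is "deposited" and 1,000,000 GYMNET credited.
pub fn attack_balance_sheet() -> u128 {
    let mut ledger = HashMap::new();
    deposit_from_other_contract(&mut ledger, "attacker", 1_000_000);
    ledger["attacker"]
}

/// Scenario B: honest 200 BUSD deposit. Returns (BUSD held by the component, GYMNET held by the user).
pub fn honest_deposit() -> (u128, u128) {
    let mut user_busd = Vault::with_balance(BUSD, 500);
    let mut user_gymnet = Vault::new(GYMNET);
    let mut gym = AssetOrientedGym::new();
    let reward = gym.deposit(user_busd.take(200));
    user_gymnet.put(reward);
    (gym.busd_held(), user_gymnet.amount())
}

/// Scenario C: the only way to reach `deposit` is with a bucket, so the attacker mints a
/// token they control and offers that. The vault's resource check aborts the call before
/// any GYMNET is minted. Returns (aborted, BUSD held by the component).
pub fn attack_wrong_resource() -> (bool, u128) {
    let mut gym = AssetOrientedGym::new();
    let fake = MintBadge::new(ResourceAddress(99)).mint(1_000_000);
    let outcome = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
        let _ = gym.deposit(fake);
    }));
    (outcome.is_err(), gym.busd_held())
}

fn main() {
    println!("A={} B={:?} C={:?}", attack_balance_sheet(), honest_deposit(), attack_wrong_resource());
}
```

Compile it with `rustc` and run the binary. Two things are worth noticing. First, outside the `engine` module a `Bucket { resource, amount }` literal does not compile because the fields are private, which is the closest a plain-Rust model gets to the engine refusing to let a caller conjure tokens out of an integer; the attacker's only option is scenario C, and the vault's resource check stops that before any GYMNET exists. Second, the model shows where the developer's responsibility still lies: `deposit` sizes the mint from `busd.amount()`, the tokens that actually arrived. A method that minted from a caller-supplied integer would be exposed on any platform, which is why the argument in this post rests on the deposit entry point requiring a bucket.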
With Solidity devs responsible for all token and validation logic, where mistakes are easy to make, it’s no wonder they spend up to 90% of their time validating and securing their code and only 10% on actual functionality.
DeFi developer productivity needs its “Game Engine” moment, with all the hard stuff, like token logic and validations, handled by the platform itself.
To find out how Radix Engine provides these features, see: https://www.radixdlt.com/post/radix-engine-v2-an-asset-oriented-smart-contract-environment
For the previous entry in the Rekt Retweet series:
Rekt Retweet #11: Re-entrancy - Why the $11m Agave and Hundred Finance hacks could NEVER happen on Radix