Yieldly HDL Distribution Pool Exploit

    This dashboard is the report of a data-driven investigation of the HDL pool attack.

    This graph shows the activities of suspected wallets on March 5th.

    We can see they performed several stake-withdraw cycles within the same day.

    Introduction

    On March 5th 2022, Yieldly, the prominent DeFi platform built on Algorand, announced they had found wallets abusing the HDL Distribution pool.

    > Based on an initial code analysis, a bot has been using the timing parameters around claiming rewards to glitch the HDL distribution pool Teal 5 contract (HDL -> HDL). As a result, the bot has been able to claim a disproportionate share of HDL rewards.

    This dashboard is the report of a data-driven investigation of this incident.

    Investigation

    First, to get a better idea of the context, I charted the number of transactions involving Teal 5 over a broader time frame, between 15-2-2022 and current_date.

    As can be seen, the unusual activity took place on only a few days around March 5th.


    I zoomed in on the period from 2022-03-04 to 2022-03-06 to see whether the unusual activity on the 5th consisted of abusive transactions or of transactions caused by the announcement.

    The announcement was published at 10.47 GMT. We see an increase in transactions in the three hours thereafter, but the unusual activity still appears to be ongoing.


    So far, we have established that there was an unusual number of transactions around the 5th of March, which was not stopped by the announcement.

    Therefore, I looked into the number of transactions per wallet on March 5th.

    A pattern is observable. The top 20 wallets by number of transactions are clearly distinguishable. Those 20 wallets have more than 2527 transactions. The difference between ranks 20 and 21 is significant.


    I then looked at the activity of the top 20 over a broader time frame. Interestingly, we can see these 200 wallets had transactions with Teal 5 on only three days. The wallet ranked 21 and those ranked after it have transactions on other dates.

    More interestingly, on March 8th the top 20 had an equal number of transactions (bot-like activity).

    From this moment on, I categorized these 20 wallets as 'suspected wallets'.

    The table below shows that between '2022-03-01' and '2022-03-10' the average number of transactions per wallet for the group of suspected wallets is significantly higher than for the other wallets.

    I became pretty sure that these suspected wallets are actually those that committed the abusive actions.

    Then, I delved into the type of actions.

    Again, I started by zooming out and comparing the three days with the other, normal days in terms of type of actions.

    We can see that before March 5th the dominant action was staking. However, from March 4th to 6th we have almost the same number of stakings as withdrawals.

    Conclusion

    I found that the number of transactions spiked on 5th March, 2022. By breaking the data down by wallet, I identified 20 suspected wallets that had an unusual number of transactions on March 5th.

    Then, I looked into the actions and found that they performed almost as many withdrawals as stakes.

    To take advantage of the bug in the smart contract, the bots had to stake, as the problem was in withdrawals.

    Note: these wallets are only the wallets that were exploited for this attack on March 5th. They are not the same wallets that started attacking before March 5th. Using this method, we can identify those wallets as well. The starting point should be ranking the wallets by their number of transactions (with the pool), this time on March 4th.
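
    The triage steps used in this investigation (rank wallets by transaction count on one day, cut at the big gap in the ranking, then check how many days each top wallet was active and whether its stakes and withdrawals balance) can be written as one function. This is an added example, not the dashboard's own query: the record layout, the action labels `stake`/`withdraw`, the thresholds and the sample data are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

def suspected_wallets(txs, day, max_active_days=3, balance_tol=0.2):
    """txs: iterable of (wallet, 'YYYY-MM-DD', action) rows for one pool.
    Field layout and both thresholds are assumptions for this example."""
    per_day = Counter(w for w, d, _ in txs if d == day)
    ranked = per_day.most_common()          # wallets by tx count on `day`
    if len(ranked) < 2:
        return []
    # Cut the ranking at the largest drop between consecutive ranks
    # (the "difference between 20 and 21" step in the write-up).
    drops = [ranked[i][1] - ranked[i + 1][1] for i in range(len(ranked) - 1)]
    cut = drops.index(max(drops)) + 1
    top = {w for w, _ in ranked[:cut]}

    days, actions = defaultdict(set), defaultdict(Counter)
    for w, d, a in txs:                     # full history of the top group
        if w in top:
            days[w].add(d)
            actions[w][a] += 1

    flagged = []
    for w in sorted(top):
        stake, withdraw = actions[w]["stake"], actions[w]["withdraw"]
        # Bot-like pattern: nearly one withdrawal per stake.
        balanced = stake > 0 and abs(stake - withdraw) / stake <= balance_tol
        if len(days[w]) <= max_active_days and balanced:
            flagged.append(w)
    return flagged

def sample_txs():
    """Constructed data: 3 bot-like wallets and 5 ordinary stakers."""
    txs = []
    for n in range(3):
        for d in ("2022-03-04", "2022-03-05", "2022-03-06"):
            txs += [(f"BOT{n}", d, a) for a in ("stake", "withdraw")] * 40
    for n in range(5):
        for d in ("2022-02-20", "2022-02-27", "2022-03-02",
                  "2022-03-05", "2022-03-09"):
            txs += [(f"USER{n}", d, "stake")] * (2 + n)
        txs.append((f"USER{n}", "2022-03-05", "withdraw"))
    return txs

if __name__ == "__main__":
    print(suspected_wallets(sample_txs(), "2022-03-05"))
```

    Running the same function with `day` set to March 4th is the starting point suggested in the closing note for finding the earlier wallets.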