Yield farming DeFi vulnerability

Recently, DeFi projects with a farming model have gained wide popularity. This model is that a user can stake a certain amount of TRC-20 tokens (ERC-20 on the Ethereum blockchain) and receive a reward in the form of some amount of another tokens for staking these tokens.

Before tokens staking most contracts ask the user to confirm the transaction for permission to dispose of these tokens on project contract behalf. To do this, the user must sign a transaction with a call of the approve() method on the contract of the corresponding TRC-20 (ERC-20) token. According to the ERC-20 standard, the approve() method must assume two parameters:

• address _spender — an address that is given the access to dispose of a certain number of tokens. In our case, this will be the address of the project contract or the address of the contract deployed by the factory contract.
• uint256 _value — the number of tokens that a trusted address can dispose of.

But, as our research shows, most of the farming projects contracts pass a negative number as the second parameter of this method. Thus, when the approve() method is called, an overflow of the uint256 type occurs and the user actually allows to the contract the right to dispose of the entire amount of tokens on his balance.

The is how transaction looks like in the Tron blockchain (Fig. 1).

Fig. 1 - Approve tokens for dispose of transaction in the Tron blockchain.

You can check the number of tokens allowed to dispose of by calling the allowance() method of the tokens contract and passing the tokens owner’s address and trusted contract address to it (Fig. 2).

Fig. 2 - Check tokens amount allowed to dispose of.

As you can see from the example (Fig. 2), we have transferred a huge number of tokens to the disposal. In fact, this number is much more than the actual number of tokens at any address of these tokens holders. This gives the project contract the right to dispose of all the tokens of those project participants who gave access to the tokens in such way.

If the contract implements a method that can only be called by the project owner and which transfers tokens to their address (or any other address specified by them), then the project owners can withdraw tokens from the addresses of project participants. It should be stated that most of the popular farming projects have not published the source code of their contracts and at the moment it is not possible to check the presence of such method in their contracts, which does not exclude such possibility. If such method is present in the project contract then project owner can do this transfer at any time, even after farming project was closed a long time ago and participants forgot about this.

In order to protect oneself from the possibility of compromising the address and losing tokens, a project participant just needs to call the approve() method on the contract of the corresponding TRC-20 (ERC-20) token with a zero value of the tokens amount allowed to the project contract (Fig. 3). User should do this for all projects he participated and for all token contracts he participated in these projects.

Fig. 3 - Reject tokens allowance from the project contract address.

Then you can check the result by calling the allowance() method again to be sure that you don’t allow tokens anymore (Fig. 4).

Fig. 4 - Check allowance of the tokens dispose of.

Conclusions

This research was done for the TRON blockchain and the main tokens affected by this vulnerability at the time of writing can be considered:

• USDT (contract TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t)
• USDJ (contract TMwFHYXLJaRUPeW6421aqXL4ZEzPRFGkGT)
• JST (contract TCFLL5dx5ZJdKnWuesXxi1VPwjLVmWZZy9)

If you have participated in any of farming projects on the TRON blockchain, check the tokens allowance of these contracts and keep your cryptocurrency safe!