Rubic is a cross-chain DEX aggregator which allows users to trade native tokens via the RubicProxy contract’s routerCallNative function. It will first determine whether the target Router of the necessary call entered by the user is on the protocol’s white list before redeeming.
The multi-chain exchange protocol was hacked, according to PeckShield’s monitoring, causing a loss of more than $1.4 million. 1,100 ETH were transmitted to the Tornado Cash mixing protocol by the attacker.
According to the SlowMist security team, the biggest reason for the attack was that the protocol improperly put USDC coins into the Router whitelist, which led to the theft of USDC tokens from users who were authorized to utilize the RubicProxy contract.
Only after the whitelist check, the user-supplied target Router will be called, together with the user-supplied calling data. Unfortunately, USDC coins have also been added to the Router whitelist of the Rubic protocol, which enables any user to call USDC tokens arbitrarily using the RubicProxy contract.
As a consequence, malicious users take advantage of this flaw by utilizing the routerCallNative function to contact the USDC contract and the transferFrom interface to get USDC tokens from users who are authorized to utilize the RubicProxy contract on their behalf.