KillSwitch Farm Claiming Issue Resolved

At 5.48 AM UTC, Inspex was informed by the KillSwitch team that some users were temporarily unable to claim their $KSW reward on KillSwitch Farm. Inspex worked together with KillSwitch to find the root cause and found a flaw that allowed some users to withdraw more $KSW than they should, so the balance of $KSW in the contract was not enough. This issue has been promptly solved, and the missing $KSW was fully compensated by the KillSwitch team. Therefore, there is zero financial impact on the platform users.

In this article, we explain the issue and how it was resolved.

Cause

KillSwitch’s farm smart contract (PronteraV2) has a feature called Withdraw Token that allows users to withdraw the staked token and swap it to any token in one transaction.

Users can use the Withdraw Token feature by calling the withdrawToken() function.

The withdrawToken() function will swap the farming tokens to the token that the user wants and transfer it to the user’s wallet. However, in the transfer process, the transfer amount is determined by the balance of the token in the contract as seen in line 1170. This is due to an incorrect assumption that all tokens in the smart contract are from the swapping.

Normally, no token is stored in the farm smart contract as all farming tokens are transferred to their respective pools. But as $KSW emission had started, $KSW has been regularly withdrawn from the reserve contract to the farm contract. Thus, the unclaimed reward stays in the farm smart contract.

When a user withdraws the farming token through the Withdraw Token feature and selects $KSW as the destination token, the unclaimed $KSW allocated to the users who staked in the farms is combined with the withdrawn amount, causing the $KSW reward to be temporarily insufficient for the other users to claim.

Impact on the Platform

Some of the $KSW rewards were improperly transferred to the users who used the Withdraw Token feature to withdraw as $KSW, so that amount was missing from the smart contract. This caused the users with high pending rewards to be unable to claim their rewards when the $KSW balance in the contract was low.

Mitigation Solution

The withdrawToken() function makes an external function call to the juno contract, which is used to swap the farming tokens to any token that users want to receive. The KillSwitch team has mitigated this issue by verifying in the juno contract that the token the users wish to receive is not $KSW when the Withdraw Token feature is used. With this check in place, the issue has been resolved.
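The accounting flaw and two ways to close it can be reproduced in a toy ledger model. This is an added Python example, not code from PronteraV2 or the juno contract: the class, method names, fixed swap rate and amounts are constructed, staking balances are left out, and the balance-delta variant is a general alternative rather than the fix the KillSwitch team applied.

```python
# Toy ledger model (constructed for illustration; not PronteraV2 or juno code).
REWARD = "KSW"

class Farm:
    def __init__(self, rate=2):
        self.bal = {}        # token -> amount held by the farm contract
        self.pending = {}    # user -> unclaimed reward owed
        self.rate = rate     # assumed fixed rate for the stand-in swap

    def emit(self, user, amount):
        # Emission: reward moves from the reserve into the farm and waits there.
        self.pending[user] = self.pending.get(user, 0) + amount
        self.bal[REWARD] = self.bal.get(REWARD, 0) + amount

    def _swap(self, token_out, amount_in):
        # Stand-in for the external swap; proceeds land in the farm's balance.
        self.bal[token_out] = self.bal.get(token_out, 0) + amount_in * self.rate

    def withdraw_flawed(self, token_out, amount_in):
        self._swap(token_out, amount_in)
        paid, self.bal[token_out] = self.bal[token_out], 0  # pays whole balance
        return paid

    def withdraw_no_reward_out(self, token_out, amount_in):
        # Mitigation described in the article: refuse the reward token as output.
        if token_out == REWARD:
            raise ValueError("reward token not allowed as destination")
        return self.withdraw_flawed(token_out, amount_in)

    def withdraw_delta(self, token_out, amount_in):
        # Alternative (assumption, not the project's fix): pay only swap proceeds.
        before = self.bal.get(token_out, 0)
        self._swap(token_out, amount_in)
        paid = self.bal[token_out] - before
        self.bal[token_out] = before
        return paid

    def claim(self, user):
        owed = self.pending.get(user, 0)
        if self.bal.get(REWARD, 0) < owed:
            raise RuntimeError("insufficient reward balance")
        self.bal[REWARD] -= owed
        self.pending[user] = 0
        return owed

def scenario(method):
    farm = Farm()
    farm.emit("alice", 100)                   # Alice has 100 KSW unclaimed
    paid = getattr(farm, method)(REWARD, 10)  # Bob withdraws 10 staked units as KSW
    try:
        return paid, farm.claim("alice")      # (amount paid to Bob, Alice's claim)
    except RuntimeError:
        return paid, None                     # Alice's claim failed
```

`scenario("withdraw_flawed")` pays the withdrawer the swap proceeds plus Alice's pending reward and her claim then fails, while `scenario("withdraw_delta")` pays only the proceeds and her claim succeeds.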

Compensation

The KillSwitch team has decided to compensate for the missing $KSW by buying the missing $KSW from the market and depositing it back into the farm smart contract, so there will be no financial impact on the platform users.

About Inspex

Inspex is formed by a team of cybersecurity experts highly experienced in various fields of cybersecurity. We provide blockchain and smart contract professional services at the highest quality to enhance the security of our clients and the overall blockchain ecosystem.

For any business inquiries, please contact us via Twitter, Telegram, or contact@inspex.co.

Cybersecurity professional service, specialized in blockchain and smart contract auditing https://twitter.com/InspexCo
