Statemind, a leading blockchain security auditing firm, has announced that it has discovered a two-year-old exploit in the popular DeFi protocol Keep3r Network and related protocols.
Major Exploit Discovered In Keep3r Smart Contract
Keep3r is one of the projects from Andre Cronje, the brain behind the legendary DeFi project Yearn.Finance. According to the report, Statemind’s team of expert auditors found the exploit in the GuageProxyV2 contract on Keep3r Network. GuageProxyV2 contract is a unique smart contract that distributes reward tokens on the Keep3r network, and auditors found a vulnerability that could allow an attacker to boost voting weights for rewards.
This was due to an imbalance in the `_vote()` function that enabled the passing of the same tokens in the `_tokenVote` array. So, in theory, an attacker could increase the voting weight of a particular token with a relatively small balance of the tokens, thereby manipulating the balancing system within Keep3r network.
Exploit Further Discovered In Six Other Blockchain Projects
Interestingly, the exploit had been active for the past two years, but no funds had been lost. Following this discovery, Statemind submitted a report to Keep3r network, which is expected to make the necessary changes to eliminate the exploit.
Also, the smart auditing platform immediately scanned for projects with similar exploits using a smart contract sanctuary of verified contracts. This action led to the discovery of several blockchain projects with similar vulnerabilities within their smart contracts, and Statemind contacted them with their report.
In total, the exploit vulnerabilities affected six blockchain projects and five chains. These include Pickle Finance, Milky Swap, Venera Swap, Keep3r Network, and Snowball Finance.