Market.xyz / Hundred-clone Exploit — Curve LP Read-Only Reentrancy Inflates Collateral Price

Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2022-10-Market_exp in the evm-hack-registry mirror. Upstream DeFiHackLabs PoC: src/test/…/Market_exp.sol.

Vulnerability classes: vuln/reentrancy/read-only · vuln/oracle/price-manipulation

Reproduction: the PoC compiles & runs in an isolated Foundry project at this project folder (the umbrella DeFiHackLabs repo contains many unrelated PoCs that do not whole-compile, so this one was extracted). Full verbose trace: output.txt. Verified vulnerable source: the Curve crypto pool Vyper_contract.sol and the Market lending market contracts_CErc20Delegator.sol.

Key info#

TL;DR#

Market.xyz (a Fuse/Compound fork) priced its mooCurvestMATIC-MATIC collateral by reading the underlying Curve pool's get_virtual_price(). Curve's NG/crypto-pool remove_liquidity (Vyper_contract.sol:1003-1037) burns the LP token first, then pays each coin out in a loop — and for the native side it does a raw value= transfer that hands control to the receiver before self.D is updated. While the attacker's receive() holds control, the pool is in a half-finished state:

totalSupply has already been reduced by the burn, but self.D (the invariant / reserve measure) still reflects the pre-withdrawal amount.

get_virtual_price() = 10**18 * get_xcp(self.D) / totalSupply (:1335-1336) therefore returns a massively inflated value. In the trace the first read inside the reentrant callback returns 6.121e18 (output.txt:884) versus the true ~1.002e18 read a few frames later (output.txt:1249) — a ~6.1× inflation.

The attacker exploited this in one transaction:

1. Flash-loan a huge amount of WMATIC (Aave) + WMATIC & stMATIC (Balancer), deposit into the Curve pool to mint 34.55M LP.
2. Wrap the LP in Beefy (mooCurvestMATIC-MATIC, 85,901 moo-shares), supply it to the Market collateral market, and mint 429,507 cTokens.
3. Call Curve remove_liquidity(...) — during the native-MATIC payout, re-enter via receive() and call mMAI.borrow(250,000). Because the borrow's solvency check reads the inflated get_virtual_price, the collateral appears ~6× over-valued and the 250,000 MAI borrow is approved.
4. Let the now-undercollateralized self-position be liquidated by the attacker's own Liquidator (repay 70,420 MAI, seize 429,420 collateral cTokens, redeem the Beefy shares back).
5. Unwind: pull all liquidity back out of Curve, swap MAI→USDC→WMATIC, repay both flash loans, keep the difference.

Net retained at the end of the PoC: 172,389 WMATIC (and ~1 stMATIC dust).

Background — the price stack#

Market.xyz on Polygon let users supply mooCurvestMATIC-MATIC (a Beefy auto-compounding vault whose "want" is a Curve stMATIC/WMATIC LP token) as collateral, and borrow MAI (miMATIC) against it.

The collateral USD value is assembled through a chain of oracle reads (all visible in the trace):

Because getPricePerFullShare and the Beefy LP oracle are linear in the LP token's get_virtual_price, inflating get_virtual_price inflates the final collateral price by the same factor. In the trace the inner Beefy/Curve LP price price(stMATIC_f) came back as 0.003874e18 (output.txt:851) and the final getUnderlyingPrice(collateral 570Bc2) returned 0.004059e18 (output.txt:808 path return at L?) — both carrying the ~6× inflation from the reentrant get_virtual_price read.

Relevant on-chain magnitudes at the fork block:

The vulnerable code#

1. Curve remove_liquidity — burn first, pay out (with reentrancy) before updating D#

@external
@nonreentrant('lock')
def remove_liquidity(_amount: uint256, min_amounts: uint256[N_COINS],
                     use_eth: bool = False, receiver: address = msg.sender):
    """
    This withdrawal method is very safe, does no complex math
    """
    lp_token: address = self.token
    total_supply: uint256 = CurveToken(lp_token).totalSupply()
    CurveToken(lp_token).burnFrom(msg.sender, _amount)          # ← (1) totalSupply reduced NOW
    balances: uint256[N_COINS] = self.balances
    amount: uint256 = _amount - 1

    for i in range(N_COINS):
        d_balance: uint256 = balances[i] * amount / total_supply
        ...
        coin: address = self.coins[i]
        if use_eth and coin == WETH20:
            raw_call(receiver, b"", value=d_balance)            # ← (2) NATIVE transfer ⇒ receive() reenters
        else:
            ...
    D: uint256 = self.D
    self.D = D - D * amount / total_supply                      # ← (3) self.D updated only AFTER the loop

Vyper_contract.sol:1003-1037

The @nonreentrant('lock') modifier protects the pool's own state-mutating functions from re-entry, but it does not protect @view reads. Between step (1) and step (3), an external observer that calls a view function sees totalSupply already shrunk while self.D is still large.

2. The view that becomes a lie mid-execution#

@external
@view
def get_virtual_price() -> uint256:
    return 10**18 * self.get_xcp(self.D) / CurveToken(self.token).totalSupply()

Vyper_contract.sol:1335-1336

@view ⇒ no lock guard ⇒ callable during the reentrancy window. With a numerator (get_xcp(D)) frozen at the old reserves and a denominator (totalSupply) already reduced by the burn, the quotient spikes.

3. The consumer that trusts it — BeefyVaultV6.getPricePerFullShare#

function getPricePerFullShare() public view returns (uint256) {
    return totalSupply() == 0 ? 1e18 : balance().mul(1e18).div(totalSupply());
}

BeefyVaultV6.sol:1139-1141

getPricePerFullShare itself is fine; the bug is that the Market LP oracle multiplies it by the manipulated Curve get_virtual_price, so the cToken collateral value carries the inflation.

4. The borrow path that reads the price during reentrancy#

The reentrant receive() calls mMAI.borrow(250_000e18) (test/Market_exp.sol:171-175). The Market borrowAllowed solvency check calls getUnderlyingPrice(collateral) (output.txt:808), which walks the oracle chain above and reaches the inflated get_virtual_price (output.txt:878-884). The position passes the liquidity check and 250,000 MAI is emitted (output.txt:1010 — emit Borrow(borrowAmount: 250000e18, …)).

Root cause#

A Compound/Fuse-style money market computed the USD value of LP-derived collateral by reading an instantaneous, manipulable view (get_virtual_price) on a Curve pool, and that view is not safe to read while the pool is mid-remove_liquidity:

1. Burn-before-settle ordering. Curve reduces LP totalSupply (the price denominator) at the very start of remove_liquidity, but only updates self.D (the numerator basis) after transferring coins out.
2. A reentrancy handoff in between. For the native (WMATIC) leg, the pool uses raw_call(receiver, b"", value=d_balance), which invokes the recipient's receive() while the pool is half-settled.
3. @view functions are not lock-guarded. @nonreentrant('lock') blocks re-entering writes but permits reading get_virtual_price in the inconsistent state — the textbook read-only reentrancy condition.
4. The lending oracle trusted it unconditionally. Market's LP/Beefy oracle multiplied getPricePerFullShare by the live get_virtual_price with no reentrancy guard, TWAP, or sanity bound, so the inflated number flowed straight into the borrow solvency check.

Measured inflation in the trace:

A single reentrant read priced the collateral ~6.1× too high.

Preconditions#

• A money market that uses a Curve pool's get_virtual_price() (directly, or transitively via a vault token like Beefy) as a live collateral price source, with no read-only-reentrancy guard / no TWAP / no bound on the result.
• A Curve pool variant whose remove_liquidity performs an external transfer (native value= send, or a token with a transfer hook) before it finalizes self.D — true for this stMATIC/WMATIC crypto pool when withdrawing the WMATIC leg with use_eth = true.
• An attacker contract with a payable receive() that re-enters the lending market's borrow().
• Working capital to mint a large LP position and supply it as collateral — fully flash-loanable. The PoC sources it from Aave (15.42M WMATIC, test/Market_exp.sol:81-92) nested inside Balancer (34.58M WMATIC + 19.66M stMATIC, test/Market_exp.sol:108-118), all repaid in the same tx.

Step-by-step attack walkthrough (with on-chain numbers from the trace)#

The Curve pool's token0 = stMATIC, token1 = WMATIC. All figures are taken from the trace events in output.txt.

Final retained balances logged by the PoC (output.txt:6-9):

 Attacker's profit:
  stMATIC: 1
  WMATIC: 172389

Profit / loss accounting#

The profit is the difference the attacker keeps after both flash loans are repaid. The 250,000 MAI borrowed against over-priced collateral is the value injected; the self-liquidation lets the attacker recover the over-valued collateral for far less MAI than it was credited, and the unwinding swaps convert the surplus to WMATIC.

Reported real-world loss: ~$180k of Market.xyz pool liquidity.

Diagrams#

Sequence of the attack#

Why the virtual price spikes — pool state during remove_liquidity#

Oracle chain — how the inflation reaches the borrow check#

Remediation#

1. Use a read-only-reentrancy guard when reading Curve prices. Before trusting get_virtual_price() (or any Curve view), call the pool's reentrancy-lock check pattern (e.g. withdraw_admin_fees-style or the canonical 0 / dummy remove_liquidity lock probe) so the read reverts if the pool is mid-operation. Curve later published exactly this guidance after this class of incident.
2. Don't price collateral from instantaneous AMM state. Replace the live get_virtual_price read with a TWAP/manipulation-resistant oracle, or bound the per-block change so a 6× spike is rejected.
3. Fix the ordering in the AMM (defense in depth). A pool should finalize all invariant state (self.D) before making external transfers, so no view is ever inconsistent during a callback. Curve's later pool implementations move the external transfer to the end / guard views accordingly.
4. Avoid native value= payouts with use_eth=true paths feeding untrusted receivers in any integration whose collateral is priced off the same pool; if unavoidable, ensure consumers guard their reads.
5. Add sanity bounds to the LP/vault oracle. The Beefy-LP oracle multiplying getPricePerFullShare × get_virtual_price should clamp get_virtual_price to a plausible band (e.g. [0.95e18, 1.5e18] for a stable-ish pool) and revert otherwise.

How to reproduce#

The PoC was extracted into a standalone Foundry project (the umbrella DeFiHackLabs repo has many unrelated PoCs that fail to compile under a whole-project forge build):

_shared/run_poc.sh 2022-10-Market_exp --mt testHack -vvvvv

• RPC: a Polygon archive endpoint is required (the fork pins block 34,716,800). foundry.toml uses https://polygon.drpc.org; most pruned public Polygon RPCs will fail with missing trie node at this historical block.
• The test took ~144s of fork I/O in this run.

Expected tail:

Ran 1 test for test/Market_exp.sol:MarketExploitTest
[PASS] testHack() (gas: 4238760)
Logs:

 Attacker's profit:
  stMATIC: 1
  WMATIC: 172389

Suite result: ok. 1 passed; 0 failed; 0 skipped

References (from the PoC header, test/Market_exp.sol:13-17): QuillAudits "$220k read-only reentrancy" write-up, Amber Group "Mai Finance oracle manipulation explained", and Statemind / Beosin threads. SlowMist Hacked classifies this under Market.xyz / Curve read-only reentrancy on Polygon, ~$180k.

Sources & further analysis#

Reproductions & code

• Standalone PoC + full trace: 2022-10-Market_exp (evm-hack-registry mirror).
• Upstream DeFiHackLabs PoC: Market_exp.sol.
• Attack transaction: view on explorer.

Alerts & third-party analyses

• DeFiHackLabs incident explorer: search "Market.xyz / Hundred-clone Exploit".
• Web3Sec X hacked database: search.
• Rekt leaderboard: search.
• Solodit incident search: search.

These dashboards index community alerts tweets, post-mortems, and independent write-ups. Reach them through the protocol name above to cross-check this reproduction against other analyses.