UFO/UFDao (UFT) Exploit — Treasury-Share Mispricing on a Tiny-Supply LP Token

Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2023-01-UFDao_exp in the evm-hack-registry mirror. Upstream DeFiHackLabs PoC: src/test/…/UFDao_exp.sol.

Vulnerability classes: vuln/logic/price-calculation · vuln/arithmetic/precision-loss

Reproduction: the PoC compiles & runs in an isolated Foundry project at this project folder. It forks BSC state offline from a local anvil node (createSelectFork("http://127.0.0.1:8546", 24_705_058)), so no public RPC is required. Full verbose trace: output.txt. Verified vulnerable sources: contracts_core_LP.sol (UFT token), contracts_core_Shop.sol (SHOP), contracts_core_Dao.sol (UF DAO).

Key info#

TL;DR#

1. UFO/UFDao ("UF") is a DAO-as-a-service vault. Each DAO holds a treasury of tokens at its own contract address and issues an ERC-20 LP token (here UFT, 0xf887A2…) whose burn redeems a pro-rata share of that treasury.
2. The redemption share is computed as _share = 1e18 * amount / totalSupply() in LP.burn (contracts_core_LP.sol:68), and Dao.burnLp then pays share/1e18 of every token the DAO holds (contracts_core_Dao.sol:347-362).
3. The UFT totalSupply at the fork block was only 6.8 UFT (output.txt:100, storage slot 3 = 0x5e5e73f8d8a80000), while the UF DAO held ~90,112 USDC of treasury (output.txt:111). The "price" of 1 UFT in USDC was therefore ~13,252 — but the public offer minted UFT ~1:1 with USDC (see Why each magic number).
4. Shop.buyPublicOffer (contracts_core_Shop.sol:138-165) is a permissionless, nonReentrant swap: anyone can mint UFT by paying USDC to the DAO, in whatever amount they choose.
5. The attacker swaps 0.4 WBNB → 111.62 USDC, calls buyPublicOffer(UF, 111.62e18) minting 111.62 UFT (now holding 111.62 / 118.42 = 94.26% of LP supply), then calls UFT.burn(111.62e18, [USDC], [], []) which redeems 94.26% of the DAO's entire USDC treasury = 84,937.90 USDC (output.txt:115).
6. The attacker repeats once more with 1,000 USDC: mints 1,000 UFT (99.32% of supply), burns, and redeems 6,132.69 USDC of the residual treasury (output.txt:159).
7. Net result: the attacker walks away with 90,070.59 USDC, having paid back only ~1,111.62 USDC into the DAO. The DAO treasury's USDC is drained to dust. No reentrancy is involved — the loss is pure arithmetic: an unsafely-priced LP redeeming against a treasury whose value far exceeds the LP supply that supposedly tokenizes it.

Background — what UFDao does#

UFDao is a "no-code DAO" factory: a Factory deploys a Dao (an ERC-20 called GT, governance token, transfers disabled) plus an LP token (here UFT) that tokenizes a pro-rata claim on the DAO's treasury. Three contracts matter:

• Dao (source) — the treasury vault. It holds ETH and arbitrary ERC-20s. Its burnLp (callable only by the LP token) sends a caller a _share/1e18 fraction of everything it holds.
• LP (source) — the UFT ERC-20. mint is onlyShop; burn redeems against the DAO.
• Shop (source) — the permissionless marketplace. buyPublicOffer(dao, lpAmount) pulls (lpAmount * rate) / 1e18 of currency from the caller into the DAO, then mints lpAmount LP to the caller.

On-chain parameters at the fork block (read directly from the trace and storage dumps):

The offer rate is not printed in the trace, but it is recoverable: buyPublicOffer transfers (_lpAmount * rate) / 1e18 USDC from the caller to the DAO and mints exactly _lpAmount LP. The attacker passed amount = USDC.balanceOf(this) = 111,622,391,174,831,097,929 wei (output.txt:85) as _lpAmount, and exactly that many wei of USDC were transferred and that many UFT minted (output.txt:97) — so rate ≈ 1e18 (1:1).

The vulnerable code#

1. LP.burn computes the redemption share from the (tiny) totalSupply#

function burn(
    uint256 _amount,
    address[] memory _tokens,
    address[] memory _adapters,
    address[] memory _pools
) external nonReentrant returns (bool) {
    require(burnable, "LP: burning is disabled");
    require(msg.sender != dao, "LP: DAO can't burn LP");
    require(_amount <= balanceOf(msg.sender), "LP: insufficient balance");
    require(totalSupply() > 0, "LP: Zero share");

    uint256 _share = (1e18 * _amount) / (totalSupply());   // ⚠️ share of the ENTIRE DAO treasury

    _burn(msg.sender, _amount);

    bool b = IDao(dao).burnLp(
        msg.sender,
        _share,
        _tokens,
        _adapters,
        _pools
    );
    require(b, "LP: burning error");
    return true;
}

(contracts_core_LP.sol:57-83)

_share is a fraction in [0, 1e18]. With totalSupply = 6.8e18, burning 111.62e18 UFT yields _share = 1e18 * 111.62e18 / 118.42e18 ≈ 0.9426e18 — i.e. 94.26% of the entire DAO treasury, not 94.26% of what the attacker just deposited.

2. Dao.burnLp pays that share of every token the DAO holds#

function burnLp(
    address _recipient,
    uint256 _share,
    address[] memory _tokens,
    address[] memory _adapters,
    address[] memory _pools
) external nonReentrant returns (bool) {
    require(lp != address(0), "DAO: LP not set yet");
    require(msg.sender == lp, "DAO: only for LP");
    ...
    // ETH
    payable(_recipient).sendValue((address(this).balance * _share) / 1e18);

    // Tokens
    if (_tokens.length > 0) {
        uint256[] memory _tokenShares = new uint256[](https://github.com/sanbir/evm-hack-registry/blob/main/2023-01-UFDao_exp/_tokens.length);
        for (uint256 i = 0; i < _tokens.length; i++) {
            _tokenShares[i] = ((IERC20(_tokens[i]).balanceOf(address(this)) * _share) / 1e18);
        }
        for (uint256 i = 0; i < _tokens.length; i++) {
            IERC20(_tokens[i]).safeTransfer(_recipient, _tokenShares[i]);
        }
    }
    ...
}

(contracts_core_Dao.sol:304-362)

The redemption amount for each token is (DAO.balanceOf(token) * _share) / 1e18 — the entire DAO balance, with no deduction for what was just paid in, and no oracle/TWAP. Whatever USDC the DAO has accumulated from all prior depositors is up for grabs.

3. Shop.buyPublicOffer lets anyone mint LP at a fixed (under-priced) rate#

function buyPublicOffer(address _dao, uint256 _lpAmount)
    external
    nonReentrant
    returns (bool)
{
    require(IFactory(factory).containsDao(_dao), "Shop: only DAO can sell LPs");

    PublicOffer memory publicOffer = publicOffers[_dao];
    require(publicOffer.isActive, "Shop: this offer is disabled");

    IERC20(publicOffer.currency).safeTransferFrom(
        msg.sender,
        _dao,
        (_lpAmount * publicOffer.rate) / 1e18          // ⚠️ fixed rate, ignores treasury value
    );

    address lp = IDao(_dao).lp();
    bool b = ILP(lp).mint(msg.sender, _lpAmount);      // ⚠️ mints exactly _lpAmount
    require(b, "Shop: mint error");
    return true;
}

(contracts_core_Shop.sol:138-165)

The caller picks _lpAmount freely. The cost in currency is a linear function of _lpAmount only (rate), independent of the treasury size or the current LP supply. So minting a huge slice of a tiny LP supply costs only lpAmount * rate / 1e18 — a fraction of what that slice will redeem for.

Root cause — why it was possible#

The system conflates two incompatible pricing models:

1. The mint price is a fixed exchange rate (buyPublicOffer: USDC in → UFT out, linear in _lpAmount).
2. The redeem price is a vault-share of the entire treasury (burn / burnLp: UFT in → _share × DAO_total_balance out).

For these to be safe together, the invariant 1 UFT mint-cost ≥ (1 UFT) × (treasury / totalSupply) must always hold. Concretely, the offer rate must satisfy:

rate  ≥  1e18 * (treasury_USDC) / (totalSupply)

At the fork block the right-hand side was 1e18 * 90,112 / 6.8 ≈ 1.33e22, but the offer rate was ~1e18 — four orders of magnitude too low. The DAO team had configured a 1:1 USDC→UFT offer against a treasury that was worth ~13,252× the LP supply, then never re-priced the offer as the treasury grew (or the supply stayed tiny). Anyone could mint UFT cheaply and redeem them against the full treasury.

Two structural features made it trivially exploitable:

• Permissionless mint. buyPublicOffer has no allow-list, cap, or per-address limit. The attacker chose _lpAmount large enough to dominate totalSupply.
• Tiny LP supply. Only 6.8 UFT were outstanding, so a single ~111-UFT mint captured >94% of the redemption share. (This is the donation / first-depositor family of bugs inverted: instead of the attacker donating to inflate the denominator, here the denominator is already tiny and the numerator — the treasury — is huge.)

Note: the original DeFiHackLabs comment and several secondary write-ups label this a "reentrancy." The trace shows no reentrancy — buyPublicOffer, LP.burn, and Dao.burnLp are all nonReentrant, and no external callback re-enters any of them. The empty _adapters/_pools arrays in the PoC mean the adapter path (the only place burnLp makes an external call to a user-supplied address) is never taken. The loss is purely the mispricing above.

Preconditions#

• An active public offer on the target DAO (publicOffers[dao].isActive == true) with a rate far below the implied treasury-backing per LP token. Verified: buyPublicOffer succeeds at output.txt:82 and output.txt:126.
• A small LP totalSupply relative to the DAO treasury. At the fork: totalSupply = 6.8 UFT, treasury ≈ 90,112 USDC.
• Working capital in the offer currency (USDC). The attacker needs only enough USDC to mint a controlling LP share; the PoC sources it from a 0.4 WBNB PancakeSwap swap (~111.62 USDC) for round 1 and recycles proceeds for round 2.
• The DAO must not be the caller of LP.burn (require(msg.sender != dao), contracts_core_LP.sol:64) — any other address is fine.

Attack walkthrough (with on-chain numbers from the trace)#

All figures are from output.txt; raw wei with human (18-dec) approximations.

The DAO's USDC treasury is drained from ~90,112 to ~41.71 USDC (dust). The attacker's final balance, 90,070.588320368098073575 USDC, matches the PoC's log_named_decimal_uint exactly (output.txt:178).

Profit / loss accounting (USDC, raw wei then human)#

(The "~89,958.97 net" line is profit above the 111.62 USDC seed the attacker minted from WBNB; the attacker's actual end balance is 90,070.59 because the seed USDC is never returned to WBNB — it stays as USDC. Both reconcile to the single asserted Attacker USDC balance after exploit log line.)

Diagrams#

Sequence of the attack#

Treasury / LP-share evolution#

The flaw inside buyPublicOffer → burn → burnLp#

Why each magic number#

• 4 * 1e17 wei (0.4 WBNB) — the funding swap (UFDao_exp.sol:47): just enough WBNB through PancakeSwap to obtain the seed USDC for round 1. The amount is arbitrary; it only needs to exceed the gas cost of the round-1 mint. It yielded 111,622,391,174,831,097,929 wei (111.62 USDC) (output.txt:60).
• amount = USDC.balanceOf(this) for round 1 (UFDao_exp.sol:51): the attacker deposits the entire seed as _lpAmount. With totalSupply = 6.8, this mints 111.62 UFT and captures 111.62 / 118.42 = 94.26% of the redemption share — enough to drain the bulk of the treasury in one shot. The PoC uses the full balance (rather than a computed optimum) because any amount > ~6.8 UFT already yields a majority share; using the whole balance maximizes round-1 extraction and leaves less residual to chase.
• 1000 * 1e18 for round 2 (UFDao_exp.sol:58): after round 1, totalSupply is back to 6.8 UFT and the residual treasury is ~5,174 USDC (implied ~761 USDC/UFT — still wildly mispriced vs the 1:1 offer). Minting 1,000 UFT captures 1000 / 1006.8 = 99.32% for only 1,000 USDC, redeeming 6,132.69 USDC. A second iteration is needed because the share formula is amount / (supply + amount) — a single burn can never reach 100%, so a second (and optionally third) pass harvests the residual.
• tokens = [USDC], adapters = [], pools = [] (UFDao_exp.sol:53-56): the attacker redeems only USDC (the valuable treasury asset) and skips the adapter path entirely — adapters must be DAO-whitelisted (adapters.contains, contracts_core_Dao.sol:372), so none are usable. The empty arrays also confirm the exploit does not rely on any adapter callback (i.e., not reentrancy).

Remediation#

1. Never price LP mint/redeem against a moving treasury without an invariant. The offer rate must always satisfy rate >= 1e18 * treasury / totalSupply (per token). Either compute the price dynamically from balanceOf(dao) / totalSupply() at mint time (a proper vault-share formula like ERC-4626), or enforce the invariant with a revert if a mint would make redemption profitable.
2. Bound the LP supply / use a vault-share model. The donation-style attack works because totalSupply can be driven to a controlling fraction in one mint. Use a first-depositor + virtual-share offset (cf. OpenZeppelin's ERC4626DecimalMixin / OZ's ERC4626 first-depositor fix: mint a small virtual reserve and donate it so that no single mint can exceed a sane share).
3. Re-price or disable offers as the treasury grows. The DAO team left a 1:1 USDC→UFT offer live while the treasury held ~13,252× the LP supply in USDC. Offers should auto-pause if treasury / totalSupply exceeds rate by any margin (an on-chain sanity check in buyPublicOffer).
4. Add a mint cap / per-tx cap. buyPublicOffer accepts an arbitrary _lpAmount. A per-tx or per-block cap on minted LP (relative to totalSupply) would have prevented a single mint from capturing 94% of the share.
5. Don't let burnLp redeem the entire balance unconditionally. At minimum, separate the "fair share" (what each LP is actually backed by, i.e. treasury * user_LP / totalSupply) from "what was deposited" accounting, and audit the relationship. The current code has no separation — any USDC the DAO accrues (from any source) becomes instantly redeemable by LP holders.

How to reproduce#

The PoC forks BSC state offline from a local anvil node. setUp calls createSelectFork("http://127.0.0.1:8546", 24_705_058) (UFDao_exp.sol:36); the fork block's state is served from the bundled anvil_state.json via the shared harness, so no public RPC is required (and foundry.toml defines no RPC URL).

_shared/run_poc.sh 2023-01-UFDao_exp --mt testExploit -vvvvv

• EVM: evm_version = "cancun" in foundry.toml (the PoC also runs on earlier EVMs; nothing cancun-specific is used).
• Test contract: ContractTest; test function: testExploit().

Expected tail (verbatim from output.txt:4-7 and output.txt:178):

Ran 1 test for test/UFDao_exp.sol:ContractTest
[PASS] testExploit() (gas: 316606)
Logs:
  Attacker USDC balance after exploit: 90070.588320368098073575

Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 8.40s (7.64s CPU time)

Reference: BlockSec — https://twitter.com/BlockSecTeam/status/1613507804412940289 (UFO/UFDao UFT, BSC, Jan 2023, ~$90K USDC).

Sources & further analysis#

Reproductions & code

• Standalone PoC + full trace: 2023-01-UFDao_exp (evm-hack-registry mirror).
• Upstream DeFiHackLabs PoC: UFDao_exp.sol.
• Attack transaction: view on explorer.

Alerts & third-party analyses

• Original alert / thread: post on X.
• DeFiHackLabs incident explorer: search "UFO/UFDao (UFT) Exploit".
• Web3Sec X hacked database: search.
• Rekt leaderboard: search.
• Solodit incident search: search.

These dashboards index community alerts tweets, post-mortems, and independent write-ups. Reach them through the protocol name above to cross-check this reproduction against other analyses.