DualPools Exploit — Donation-Inflated Exchange Rate Lets 2 wei of dLINK Borrow the Whole Pool

Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2024-02-DualPools_exp in the evm-hack-registry mirror. Upstream DeFiHackLabs PoC: src/test/…/DualPools_exp.sol.

Vulnerability classes: vuln/arithmetic/rounding · vuln/arithmetic/precision-loss

Reproduction: the PoC compiles & runs in an isolated Foundry project at this project folder (the umbrella DeFiHackLabs repo contains many unrelated PoCs that do not whole-compile under forge test, so this one was extracted). Full verbose trace: output.txt. Verified vulnerable source: the dLINK money-market — dBep20Delegator (proxy 0x8fBCC8…, implementation 0xfffed596…), whose exchangeRateStoredInternal() lives in the shared VToken.sol.

Key info#

TL;DR#

DualPools is a Venus/Compound fork. Each money-market token (dLINK, dWBNB, …) prices its own shares with the classic Compound formula exchangeRate = (cash + totalBorrows − totalReserves) / totalSupply, where cash is the raw ERC20 balance of the market contract (getCashPrior, consumed by getExchangeCash() → exchangeRateStoredInternal() in VToken.sol).

The dLINK market was empty (LINK.balanceOf(dLINK) == 0, totalSupply == 0). The attacker:

1. Minted 2 wei of dLINK by depositing 2 wei of LINK → totalSupply = 2.
2. Donated 11,500 LINK directly to the dLINK contract with a plain transfer (not a mint). This raised cash to 11,500e18 while totalSupply stayed at 2.
3. The exchange rate therefore became 11,500e18 · 1e18 / 2 = 5.75e39 (confirmed in the trace: getAccountSnapshot returns mantissa 5750000000000000000000000000000000000000). The comptroller now valued the attacker's 2 dLINK at 2 × 5.75e39 = 1.15e40 underlying units = the full 11,500 LINK ≈ $231K of collateral.
4. Against this phantom collateral the attacker borrowed every other DualPools market dry — 50.07 WBNB, 0.1716 BTCB, 3.99 ETH, 6,378.8 ADA, 911.6 BUSD (~$41.9K total).
5. Redeemed the 11,500 LINK back out with redeemUnderlying(11,499.99…898). Because redeemTokens = redeemAmount / exchangeRate = 11,500e18 / 5.75e39 = 1 (integer-truncated), this redeem burned only 1 dLINK and returned all 11,500 LINK. The attacker keeps the borrowed assets and recovers the donated LINK.

The whole thing is funded by flash loans (DODO DPP pools + a PancakeSwap-V3 flash), so the attacker risks ~zero capital. Net theft = the ~$41.9K of borrowed assets.

Background — DualPools as a Compound fork#

DualPools deploys two comptrollers; the in-scope one is Dualpools (0x5E5e2802…), a Venus/Compound-style controller with markets dLINK, dWBNB, dBTCB, dETH, dADA, dBUSD. Each market is a dBep20Delegator proxy delegating to a shared implementation; the lending math (mint/redeem/borrow, exchange rate, account snapshots) is in VToken.sol.

Two facts about the fork matter for this exploit:

• Cash = raw ERC20 balance. getCashPrior() returns EIP20Interface(underlying).balanceOf(address(this)). DualPools wraps this in getExchangeCash():

  SOLIDITYCopy

  function getExchangeCash() public view returns(uint cashPlusUSDMinusLoss) {
      cashPlusUSDMinusLoss = tradeModel.cashAddUSDMinusLoss(iUSDbalance, getCashPrior(), getPriceToken());
  }
  

  (VToken.sol in the dLINK bundle). For the dLINK market iUSDbalance == 0, so getExchangeCash() is exactly the raw LINK balance. The trace confirms it: cashAddUSDMinusLoss(0, 11500e18, price) is called immediately after LINK::balanceOf(dLINK) → 11,500e18.

• Exchange rate divides by totalSupply. When totalSupply > 0:

  SOLIDITYCopy

  function exchangeRateStoredInternal() internal view returns (MathError, uint) {
      uint _totalSupply = totalSupply;
      if (_totalSupply == 0) {
          return (MathError.NO_ERROR, initialExchangeRateMantissa);
      } else {
          uint totalCash = getExchangeCash();
          (mathErr, cashPlusBorrowsMinusReserves) = addThenSubUInt(totalCash, totalBorrows, totalReserves);
          (mathErr, exchangeRate) = getExp(cashPlusBorrowsMinusReserves, _totalSupply); // cash * 1e18 / totalSupply
          return (MathError.NO_ERROR, exchangeRate.mantissa);
      }
  }
  

The collateral the comptroller credits an account is accountTokens × exchangeRate × collateralFactor × price. With accountTokens = 2 and an exchange rate the attacker can set arbitrarily high by donating underlying, the collateral is whatever the attacker wants.

The relevant live parameters at the fork block (read from the trace):

The vulnerable code#

1. Exchange rate is fully controlled by the contract's token balance#

VToken.sol → exchangeRateStoredInternal():

uint totalCash = getExchangeCash();            // == LINK.balanceOf(dLINK) for dLINK
(mathErr, cashPlusBorrowsMinusReserves) = addThenSubUInt(totalCash, totalBorrows, totalReserves);
(mathErr, exchangeRate) = getExp(cashPlusBorrowsMinusReserves, _totalSupply);
//                                  └─ exchangeRate = totalCash * 1e18 / totalSupply

getCashPrior() is the raw ERC20 balance — so a direct token transfer to the market (a "donation") raises totalCash without minting any shares. When totalSupply is tiny (here, 2), the exchange rate explodes.

2. The account snapshot the comptroller trusts uses that exchange rate verbatim#

VToken.sol → getAccountSnapshot():

function getAccountSnapshot(address account) external view returns (uint, uint, uint, uint) {
    uint vTokenBalance = accountTokens[account];                  // = 2
    ...
    (mErr, exchangeRateMantissa) = exchangeRateStoredInternal();  // = 5.75e39
    return (uint(Error.NO_ERROR), vTokenBalance, borrowBalance, exchangeRateMantissa);
}

The comptroller's getHypotheticalAccountLiquidity() multiplies vTokenBalance · exchangeRate · collateralFactor · price → the 2 wei of dLINK backs a borrow of the entire 11,500-LINK donation's worth of collateral.

3. Redeem burns shares = amount / exchangeRate, which truncates to 1#

VToken.sol → redeemFresh():

(vars.mathErr, vars.exchangeRateMantissa) = exchangeRateStoredInternal();  // 5.75e39
// redeemTokens = redeemAmountIn / exchangeRate
(vars.mathErr, vars.redeemTokens) = divScalarByExpTruncate(redeemAmountIn, Exp({mantissa: vars.exchangeRateMantissa}));
vars.redeemAmount = redeemAmountIn;
...
(vars.mathErr, vars.totalSupplyNew)  = subUInt(totalSupply, vars.redeemTokens);
(vars.mathErr, vars.accountTokensNew) = subUInt(accountTokens[redeemer], vars.redeemTokens);

redeemUnderlying(11,499.99…898 LINK) → redeemTokens = 11,499.99e18 / 5.75e39 = 1 (integer truncation). So the attacker pulls 11,500 LINK back out for the price of 1 dLINK share, leaving them with 1 dLINK still on deposit. The trace shows redeemAllowed(dLINK, attacker, 1) and redeemVerify(dLINK, attacker, 11,499.99e18, 1).

Root cause — why it was possible#

This is the canonical Compound/Venus first-depositor (a.k.a. donation) exchange-rate manipulation, made trivially exploitable because the dLINK market was empty:

1. cash is a manipulable raw balance. getCashPrior() reflects any tokens sent to the contract, including via plain transfer. A donation is indistinguishable from organic cash in the exchange-rate formula.
2. No minimum supply / no dead-shares seeding. With totalSupply == 2, the division cash / totalSupply produces a per-share value of any magnitude. A properly seeded market (large dead shares, or a virtual-shares offset) would dilute the donation to noise.
3. Collateral valuation derives directly from the exchange rate. The comptroller has no sanity bound on per-share value, no TWAP, and no check that the underlying was minted rather than donated. It blindly trusts getAccountSnapshot.
4. Redeem rounds shares down. redeemTokens = amount / exchangeRate truncates to 1, so the donated underlying is recoverable for ~free. The donation is not "burned" into the system; it is a refundable deposit that nonetheless counts as collateral while it sits there.

The combination means: deposit 2 wei → donate X → borrow ~X·CF worth of other assets → redeem X back. The protocol's other markets are drained, the attacker recovers the donation, and the only "cost" is gas + flash-loan fees.

Preconditions#

• A DualPools market with negligible totalSupply (the dLINK market was empty: totalSupply == 0, LINK.balanceOf(dLINK) == 0 before the attack).
• The empty market must be listed and usable as collateral (Dualpools.markets(dLINK) → (listed=true, collateralFactor=0.4e18, …)).
• Other markets (dWBNB, dBTCB, dETH, dADA, dBUSD) hold borrowable liquidity.
• Working capital to fund the donation + Venus side-loop. The attacker sourced it entirely from flash loans (DODO DPP flashLoan × 2, PancakeSwap-V3 flash), so no real capital was at risk. The PoC reproduces this with the same flash-loan chain.

Attack walkthrough (with on-chain numbers from the trace)#

The PoC (test/DualPools_exp.sol) nests three flash loans, then performs a small Venus mainnet detour (borrowing 11,500 LINK from real Venus using flash-loaned WBNB+BUSD as collateral) purely to obtain the 11,500 LINK used as the DualPools donation. The DualPools exploit itself is steps 4–9 below.

The decisive trace fragment (step 5→6, dLINK getAccountSnapshot inside Dualpools.borrowAllowed):

LINK::balanceOf(dLINK) → 11500000000000000000000   [1.15e22]
cashAddUSDMinusLoss(0, 11500000000000000000000, 20136523320000000000) → 0x…026f6a8f4e6380300000
getAccountSnapshot(attacker) → (0, 2, 0, 5750000000000000000000000000000000000000)   // err=0, tokens=2, borrow=0, exchangeRate=5.75e39
Dualpools.markets(dLINK) → (true, 400000000000000000, false)                          // listed, CF=0.4

5.75e39 = 11,500e18 · 1e18 / 2, exactly the inflated rate.

Profit / loss accounting#

DualPools loss (assets borrowed against the phantom collateral, valued at the oracle prices in the trace):

This matches the PoC header annotation Total Lost : ~$42000 USD.

Attacker cost: 2 wei of LINK (the initial mint(2)), fully dwarfed by the recovered 11,500 LINK donation. Flash-loan principals (DODO BUSD/WBNB, Pancake-V3 BUSD) are all repaid in-transaction; the Venus side-loop is fully unwound (vLINK.repayBorrow, vBUSD/vWBNB.redeem). Net = the ~$41.9K of DualPools assets, minus gas and flash-loan fees.

Diagrams#

Sequence of the attack#

dLINK exchange-rate state evolution#

Why 2 wei of collateral is worth $231K#

Remediation#

1. Seed every market with non-trivial dead shares at listing. Mint a chunk of shares to a burn address (or to the protocol) before the market is usable, so totalSupply can never be small enough for a donation to move the exchange rate materially. This is the standard Compound-fork mitigation.
2. Use virtual shares / virtual cash offsets in the exchange-rate formula (ERC-4626-style), e.g. exchangeRate = (cash + virtualCash) / (totalSupply + virtualShares), so the first-depositor / donation manipulation cannot inflate per-share value.
3. Do not let donated (transferred-in, never-minted) underlying count toward collateral. Track an internal totalCashMinted accounting variable updated only on mint/redeem/borrow/repay, and use it for exchange-rate and collateral math instead of the raw balanceOf. Reconcile excess raw balance into reserves rather than into share value.
4. Bound per-share value and require a minimum collateral position. Reject enterMarkets/borrow when a collateral market's totalSupply (or the account's share balance) is below a safety floor, and cap the exchange rate's growth per block.
5. Don't list empty markets as collateral. A freshly deployed market with zero organic supply should have collateralFactor = 0 until it is seeded and has meaningful liquidity.

How to reproduce#

The PoC was extracted into a standalone Foundry project (the umbrella DeFiHackLabs repo has many unrelated PoCs that fail to compile under forge test's whole-project build):

_shared/run_poc.sh 2024-02-DualPools_exp --mt testAttack -vvvvv

• RPC: a BSC archive endpoint is required (the fork block 36,145,771 is old). foundry.toml resolves the bsc alias to an archive RPC; pruned public RPCs will fail with header not found / missing trie node.
• Result: [PASS] testAttack().

Expected tail (from output.txt):

Ran 1 test for test/DualPools_exp.sol:ContractTest
[PASS] testAttack() (gas: 5089832)
...
Suite result: ok. 1 passed; 0 failed; 0 skipped; finished in 122.23s
Ran 1 test suite ...: 1 tests passed, 0 failed, 0 skipped (1 total tests)

References: Lunaray — https://lunaray.medium.com/dualpools-hack-analysis-5209233801fa (DualPools, BSC, ~$42K).

Sources & further analysis#

Reproductions & code

• Standalone PoC + full trace: 2024-02-DualPools_exp (evm-hack-registry mirror).
• Upstream DeFiHackLabs PoC: DualPools_exp.sol.
• Attack transaction: view on explorer.

Alerts & third-party analyses

• DeFiHackLabs incident explorer: search "DualPools Exploit".
• Web3Sec X hacked database: search.
• Rekt leaderboard: search.
• Solodit incident search: search.

These dashboards index community alerts tweets, post-mortems, and independent write-ups. Reach them through the protocol name above to cross-check this reproduction against other analyses.