OpenLeverage (OPBorrowing) Exploit — Self-Liquidation Bad-Debt Drain via 1inch-Callback Price Manipulation

Source & credit. Exploit reproduction, trace data, and analysis adapted from DeFiHackLabs by SunWeb3Sec — an open registry of reproduced on-chain exploits. Standalone Foundry PoC and full write-up: 2024-04-OpenLeverage2_exp in the evm-hack-registry mirror. Upstream DeFiHackLabs PoC: src/test/…/OpenLeverage2_exp.sol.

Vulnerability classes: vuln/oracle/price-manipulation · vuln/dependency/unsafe-external-call

Reproduction status: the PoC compiles and the core exploit transaction (TX1: marginTrade + self-liquidate) executes successfully on a BSC archive fork, but the test as written reverts with HI0 in its second transaction. The revert is not a refutation of the bug — it is a Foundry vm.rollFork limitation: rolling the fork to a new block discards the in-test state written in TX1, so the attacker's simulated position no longer exists when TX2 runs. See Live-trace section for the full analysis. Evidence tag: [POC-FAIL] (revert HI0) with [CODE-TRACE] of the vulnerable path against verified sources. Full verbose trace: output.txt. Verified vulnerable source: contracts_OPBorrowing.sol.

Key info#

TL;DR#

OpenLeverage's OpenLevV1.marginTrade() lets a caller supply arbitrary dexData that is executed by the DEX aggregator. When the dex id encodes the 1inch path (0x12aa3caf selector), the protocol hands control to an attacker-supplied Executor contract mid-swap. The attacker uses that callback window to re-enter OPBorrowing.borrow() and open a deliberately fragile borrow position while the BUSDT/WBNB pool price is in the state the attacker arranged.

The real money is then extracted through OPBorrowing.liquidate(), whose liquidation routine has a dual path (contracts_OPBorrowing.sol:262-325):

• It first tries dexAgg.buy(...) via a low-level .call() with maxSellAmount pinned to the position's own collateral.
• If that buy reverts with "sell amount not enough" (i.e., the collateral is worth less than the debt at current prices), buySuccess == false and execution falls into the else branch, which sells the collateral, then dips into the market's insurance fund and finally calls repayBorrowEndByOpenLev to write off the remaining bad debt against the lending pool (:296-324).

Because the attacker engineered an under-water position and is liquidating themselves, they capture the liquidation penalty / collateral-to-borrower output while the protocol's pool + insurance absorb the loss — socialized bad debt that nets the attacker ≈ $234K.

The liquidation gate is trivially satisfiable: the attacker only had to create a 1-wei xOLE lock (create_lock(1, …)) so that require(xOLE.balanceOf(msg.sender) >= liquidationConf.liquidatorXOLEHeld, "XNE") passes (:233).

Background — what OpenLeverage does#

OpenLeverage is a permissionless margin-trading / lending protocol. Two in-scope subsystems matter here:

• OpenLevV1 (source) — the leveraged-trading engine. marginTrade() borrows from an LToken pool, swaps the borrowed funds through a configurable DEX aggregator, and books a Trade in activeTrades[trader][marketId][longToken]. Critically, the swap is driven by caller-supplied dexData; for the 1inch dex id the aggregator executes a swap(executor, desc, permit, data) where executor is an address chosen by the caller — i.e., an arbitrary callback.
• OPBorrowing (source) — a collateralized borrowing market. borrow() deposits collateral and borrows the paired token; liquidate() closes under-collateralized positions, using the market's insurance fund and the lending pool's repayBorrowEndByOpenLev to socialize any shortfall.

Both contracts share the same DEX-aggregator price source (the PancakeSwap BUSDT/WBNB pair), and OPBorrowing's liquidate() allows anyone holding a minimal amount of xOLE to liquidate any borrower — including the liquidator's own positions.

On-chain context at the fork block (from the trace):

The vulnerable code#

1. marginTrade executes an attacker-chosen callback (1inch path)#

marginTrade forwards the caller's dexData to the aggregator. The PoC builds dexData with dex id 0x15 (1inch) and embeds a 1inch swap(executor, desc, permit, data) whose executor and data are fully attacker-controlled (OpenLeverage2_exp.sol:145-163):

Executor executor = new Executor();
SwapDescription memory desc = SwapDescription({
    srcToken: address(WBNB), dstToken: address(BUSDT),
    srcReceiver: address(executor), dstReceiver: address(TradeController),
    amount: amountToBorrow, minReturnAmount: 1, flags: 4
});
bytes memory data = abi.encode(address(this), address(WBNB), address(BUSDT), 65_560, address(OPBorrowingDelegator));
bytes memory swapData = abi.encodeWithSelector(bytes4(0x12aa3caf), address(executor), desc, permit, data);
bytes memory dexData = abi.encodePacked(bytes5(hex"1500000002"), swapData); // dex id 0x15 = 1inch
TradeController.marginTrade(marketId, true, true, amountsOut[1], amountToBorrow, 0, dexData);

In the trace, the aggregator calls 1inch.swap(...) which transfers the borrowed WBNB to the attacker's Executor and invokes Executor.execute() (output.txt:391-399). Inside that callback the attacker (a) swaps WBNB→BUSDT on Pancake and (b) re-enters OPBorrowing via borrow() (:433-474) to seed a fragile borrow position with only 1,000,000 wei of collateral while prices are in the attacker's chosen state.

2. OPBorrowing.liquidate — the dual-path bad-debt sink#

// try to buy back the debt using the position's own collateral as max-sell
(liquidateVars.buySuccess, ) = address(dexAgg).call(
    abi.encodeWithSelector(
        dexAgg.buy.selector,
        borrowVars.borrowToken, borrowVars.collateralToken,
        borrowTokenBuyTax, collateralSellTax,
        liquidateVars.repayAmount + liquidateVars.liquidationFees, // amount to BUY (debt)
        liquidateVars.liquidationAmount,                            // maxSell == collateral
        liquidateVars.dexData
    )
);
if (liquidateVars.buySuccess) {
    /* healthy path: collateral fully repays debt */
} else {
    // ⚠️ collateral is worth LESS than debt → socialize the loss
    liquidateVars.buyAmount = dexAgg.sell(borrowToken, collateralToken, liquidationAmount, 0, dexData);
    ...
    } else { // full liquidation: cover shortfall from insurance + pool
        uint insuranceAmount = OPBorrowingLib.shareToAmount(insuranceShare, ...);
        uint diffRepayAmount = repayAmount + liquidationFees - buyAmount;
        if (insuranceAmount >= diffRepayAmount) {
            OPBorrowingLib.repay(borrowPool, borrower, repayAmount);          // pool eats it
            insuranceDecrease = ...;
        } else {
            borrowPool.repayBorrowEndByOpenLev(borrower, repayAmount);        // ⚠️ pool writes off bad debt
            liquidateVars.outstandingAmount = diffRepayAmount - insuranceAmount;
            insuranceDecrease = insuranceShare;
        }
        decreaseInsuranceShare(...);                                          // insurance drained
    }
}

(contracts_OPBorrowing.sol:263-324)

The trace shows exactly this fall-through: buy reverts "sell amount not enough" (output.txt:609-610), then sell runs (:611-657), and repayBorrowEndByOpenLev writes off the position against the pool (:658-679).

3. The buy revert that flips the path#

buy reverts when the collateral can't cover the debt at current reserves:

sellAmount = getAmountIn(buyAmount.toAmountBeforeTax(buyTokenFeeRate), token0Reserves, token1Reserves, dexInfo.fees);
sellAmount = sellAmount.toAmountBeforeTax(sellTokenFeeRate);
require(sellAmount <= maxSellAmount, 'sell amount not enough');   // ⚠️ attacker forces this to fail

(contracts_dex_bsc_UniV2ClassDex.sol:90-92)

By manipulating the BUSDT/WBNB pool price (its borrow position is intentionally under-water), the attacker guarantees sellAmount > maxSellAmount, forcing the protocol onto the loss-socializing else path.

4. The liquidation permission is a 1-wei xOLE check#

require(xOLE.balanceOf(msg.sender) >= liquidationConf.liquidatorXOLEHeld, "XNE");

(contracts_OPBorrowing.sol:233)

The PoC satisfies it with xOLE.create_lock(1, …) — a 1-wei lock (OpenLeverage2_exp.sol:126-127), confirmed by the xOLE.balanceOf == 1 read in the trace (output.txt:554-557).

Root cause — why it was possible#

Three independent design weaknesses compose into a critical bug:

1. Untrusted DEX-aggregator callback in marginTrade. Accepting arbitrary dexData that resolves to a 1inch swap() whose executor is caller-chosen hands the attacker a re-entrancy / control-flow window in the middle of a protocol borrow. The attacker uses it to seed an OPBorrowing position (borrow) and to arrange pool prices, all under one outer call. There is no allow-listing of the executor and no reentrancy isolation across the OpenLevV1 ↔ OPBorrowing boundary that share the same price source.

2. Self-liquidation is permitted and economically rewarding. OPBorrowing.liquidate() does not forbid msg.sender from liquidating their own borrower position, and the only gate is a nominal xOLE balance (satisfiable with 1 wei). A borrower can therefore deliberately drive their own position under water and then liquidate it.

3. Liquidation socializes shortfalls onto the pool + insurance with no attacker cost. When buy fails (collateral < debt), the else branch sells the collateral and covers the gap from the market insurance fund and the lending pool via repayBorrowEndByOpenLev (:309-322). The "bad debt" written off is exactly the value the attacker walks away with. The liquidation penalty / collateralToBorrower transfer further pays the attacker (:336-340).

In other words: the protocol lets a user create a guaranteed-bad position cheaply (via a privileged callback + price control) and then close it in a way that pays the user out of communal funds. The checkLiquidable price guard (:584-604) uses a cAvgPrice/hAvgPrice-based TWAP, but the attacker satisfies it because the position genuinely is liquidatable at the moment of liquidation — that is the whole point.

Preconditions#

• A WBNB/BUSDT OPBorrowing market (market 24) with a non-empty insurance fund / lending pool to absorb bad debt.
• The DEX-aggregator marginTrade 1inch path is enabled for the market (dex id 0x15).
• Attacker holds the minimal liquidatorXOLEHeld xOLE (the PoC locks 1 wei of liquidity).
• Working capital in BNB/WBNB to (a) seed the small collateral and (b) move the BUSDT/WBNB pool price into the position-under-water state during the callback. In the PoC this is bootstrapped from just 5 BNB (deal(address(this), 5 ether)), with OLE/USDC liquidity minted to create the xOLE lock.

Step-by-step attack walkthrough#

OpenLevV1.marginTrade and OPBorrowing.liquidate run in TX1; the profit-realizing payoffTrade runs in TX2 one block later.

Profit / loss accounting#

The economic effect is a socialized bad-debt loss on the OPBorrowing market: the attacker creates a position whose collateral (1,000,000 wei BUSDT) is worthless relative to its 33.13 WBNB borrow, then liquidates it so the lending pool and insurance fund eat the difference, while the attacker receives the borrowed WBNB (extracted in step 4 of TX1 into the Executor) plus the marginTrade proceeds realized in TX2.

The single-position residual visible in this fork slice is small; the headline ~$234K reflects the attacker repeating the construct at scale across the market's insurance/pool reserves in the live two-transaction exploit. The PoC reproduces one instance of the construct (TX1) faithfully; the dollar figure is taken from the PoC header / public post-mortem.

Diagrams#

Sequence of the attack (TX1)#

Liquidation control flow (the bad-debt fork)#

OPBorrowing reserve / debt state evolution#

Live-trace — what actually happened on the fork#

Running forge test -vvvvv against a BSC archive fork at block 37,470,328:

• TX1 executes fully and faithfully: the marginTrade borrows 33.13 WBNB, the 1inch callback re-enters OPBorrowing.borrow(), and OPBorrowing.liquidate() runs all the way through the bad-debt else path — buy reverts "sell amount not enough" (output.txt:609-610), sell succeeds, and repayBorrowEndByOpenLev writes off the position (:658-679), ending with a Liquidate event and [Stop] (:714-722). The vulnerable code path is reproduced end-to-end.

• TX2 reverts with HI0: after vm.rollFork(37470331), OpenLevV1.payoffTrade(24, true) reverts on its first guard:

  SOLIDITYCopy

  require(trade.held != 0 && trade.lastBlockNum != block.number, "HI0");
  

  (contracts_OpenLevV1.sol:293)

  Why this is a test-harness artifact, not a refutation: vm.rollFork re-points the fork backend to a new block and discards storage that the test wrote in TX1 for non-persistent accounts. The PoC's trade was booked under the Foundry default test address 0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496, which never traded on-chain. Verified with cast — OpenLevV1.activeTrades(0x7FA9…, 24, true) returns (0, 0, false, 0) at blocks 37,470,328 and 37,470,331:

  CODECopy

  cast call 0x6A75aC4b8d8E76d15502E69Be4cb6325422833B4 \
    "activeTrades(address,uint16,bool)(uint256,uint256,bool,uint128)" \
    0x7FA9385bE102ac3EAc297483Dd6233D62b3e1496 24 true --block 37470331
  => 0 / 0 / false / 0
  

  So after the roll, trade.held == 0 for the test address → HI0. The real attacker performed TX1 and TX2 from a deployed contract with persistent on-chain state, where the trade did carry across blocks. In a single Foundry test, vm.rollFork cannot preserve the simulated TX1 state, so the second transaction's payoffTrade cannot find the position.

Conclusion: the exploit mechanism (1inch-callback re-entrancy + self-liquidation bad-debt socialization) is confirmed by trace against verified sources; only the cross-block profit-realization step is unreproducible under vm.rollFork. Evidence tag: [POC-FAIL] (revert HI0) + [CODE-TRACE].

Remediation#

1. Do not execute untrusted callbacks inside marginTrade. Restrict the DEX-aggregator path so the executor / swap target is protocol-controlled or strictly allow-listed. Never hand control to a caller-supplied contract while a borrow is mid-flight. This removes the re-entrancy window the attacker used to call OPBorrowing.borrow().
2. Add reentrancy isolation across the OpenLevV1 ↔ OPBorrowing boundary. Both share the same price source; a global/cross-contract reentrancy lock prevents opening an OPBorrowing position from inside a marginTrade swap callback.
3. Forbid self-liquidation or make it non-profitable. Disallow msg.sender == borrower in liquidate(), or require the liquidator to fully fund the repayment so they cannot profit from socialized shortfalls. The current 1-wei liquidatorXOLEHeld gate is not a meaningful barrier.
4. Make bad-debt socialization safe. The else (loss) path should only be reachable for organically under-water positions, not positions created in the same logical transaction. Track position age / block, and refuse to liquidate (or to draw on insurance/pool) for positions opened in the current block — analogous to OpenLevV1's own lastBlockNum != block.number guard, which OPBorrowing's borrow/liquidate pair lacks.
5. Validate liquidation buy/sell against a manipulation-resistant oracle. The buy-fails ⇒ socialize logic keys off instantaneous AMM reserves; price the collateral and debt against a TWAP that cannot be moved within the attacker's callback before deciding to draw from insurance/pool.

How to reproduce#

The PoC was extracted into a standalone Foundry project (the umbrella DeFiHackLabs repo does not compile as a whole under forge test):

_shared/run_poc.sh 2024-04-OpenLeverage2_exp -vvvvv

• RPC: a BSC archive endpoint is required (fork block 37,470,328 is long pruned by public nodes). foundry.toml uses https://bsc-mainnet.public.blastapi.io, which serves historical state at this block. (https://bnb.api.onfinality.io/public rate-limits with HTTP 429 during the heavy fork and was swapped out.)
• Result: the test reverts with HI0 in TX2 (payoffTrade), as analyzed above. TX1 — the actual vulnerable path (marginTrade + the bad-debt liquidate) — executes successfully on the fork. To observe TX1 in isolation, the second-TX block-roll/payoffTrade would need to be replayed against the real attacker contract's persistent state, which a single Foundry test cannot reconstruct via vm.rollFork.

Expected tail:

[FAIL: HI0] testExploit() (gas: 2401266)
...
Encountered a total of 1 failing tests, 0 tests succeeded

References: PoC header (Total Lost ~234K); BlockSec explorer txs 0xf78a85eb…6d02d5 and 0x21007110…186067. Verified sources fetched via Etherscan V2 into sources/.

Sources & further analysis#

Reproductions & code

• Standalone PoC + full trace: 2024-04-OpenLeverage2_exp (evm-hack-registry mirror).
• Upstream DeFiHackLabs PoC: OpenLeverage2_exp.sol.

Alerts & third-party analyses

• DeFiHackLabs incident explorer: search "OpenLeverage (OPBorrowing) Exploit".
• Web3Sec X hacked database: search.
• Rekt leaderboard: search.
• Solodit incident search: search.

These dashboards index community alerts tweets, post-mortems, and independent write-ups. Reach them through the protocol name above to cross-check this reproduction against other analyses.