CIP: <to be assigned when moved to phase 2>
title: Slashing of the GlueX Solver
author: Chris (c3rnst), Haris Angelidakis
status: active
created: 2024-11-22
Simple summary
This CIP proposes the slashing of the CoW DAO bonding pool, which has vouched for the GlueX solver, as GlueX was involved in an incident on November 7, 2024 that resulted in a financial loss of $76,783 USD (equivalent) for the settlement contract.
No user funds were at risk, and no user allowances needed or need to be revoked. The GlueX solver has already refunded the bonding pool, and is operational again. The slashing is a procedural step to transfer the funds from CoW DAO’s bonding pool to the settlement contract.
Background
The incident occurred due to a vulnerability in the GlueX solver's deployment. Specifically, an allowance set by CoW DAO's settlement contract on a flawed smart contract enabled MEV bots to drain funds from the settlement contract. Note that the settlement contract never stores user funds; it only temporarily holds (a) network (gas) fees and (b) protocol fees collected by solvers.
These funds are regularly withdrawn (recently changed to daily withdrawals) and used for solver payouts and fee distribution.
Incident Summary
- Deployment of vulnerable contract: GlueX deployed a new settlement handler contract to execute winning solutions and set allowances for several tokens (WETH, USDC, wstETH, and four others) from CoW DAO's settlement contract (transaction link to first bad approval set).
- Exploit identified: A bug in the contract allowed unauthorized interactions, enabling MEV bots to withdraw buffer balances from the settlement contract (in 67 transactions); the majority of the damage was done in the first 5 minutes (first malicious transaction link).
- Immediate response:
  - Internal alert systems detected the issue promptly (1 minute to acknowledge, 38 minutes to recover).
  - The GlueX solver was deny-listed, and the allowances were revoked, mitigating further harm (tx here).
- Reimbursement and resolution:
  - GlueX reimbursed the bonding pool in full on November 8, 2024 (see transaction link).
  - The solver was later allow-listed again after demonstrating accountability and addressing the issue.
Harm caused
The exploit caused $76,783 USD in financial losses to CoW DAO's protocol funds; refer to this public Dune query for the calculation. These funds were protocol-owned and unrelated to user assets. Note that in future, consideration should be given to slashing more than the bare damages, to account for the stress and work caused; however, as there is currently no basis for this and as this incident was an accident, no further slashing or reimbursement is proposed.
Attack vector
This incident highlights a known risk with improperly managed allowances, as previously discussed in CIP-22 (Barter solver slashing). While no malicious intent was detected, this case reinforces the need for solvers to ensure that allowances granted by the settlement contract do not expose it to vulnerabilities: an allowance is a standing on-chain permission, so a bug in the approved contract is exploitable by anyone, not only by the solver.
Responsibility for preventing such risks lies with solvers. Where financial loss occurs, it is the solver's duty to provide remediation, as GlueX has done in this instance. Technical discussions are ongoing (cf. forum discussion) on mitigation strategies for this attack vector.
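To make the risk class concrete, below is an added illustration; it is not the GlueX contract (this CIP does not disclose the actual bug) and not CoW Protocol code. Both contracts, their names, and the assumption that the settlement contract drives the handler through a solution interaction are hypothetical. The unsafe variant shows the general pattern behind an allowance drain: a contract holding an allowance from the settlement contract exposes an open entrypoint, so any caller can route a `transferFrom` through it. The hardened variant restricts the caller and removes the arbitrary-call surface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
    function allowance(address owner, address spender) external view returns (uint256);
}

// Hypothetical solver-side handler (NOT the GlueX contract). Assume the
// settlement contract has approved it for WETH, USDC, etc. Its only
// entrypoint is an open "execute anything" function. Since the approval is a
// standing allowance and msg.sender is never checked, any address can call
//   execute(token, abi.encodeCall(IERC20.transferFrom, (settlement, attacker, amount)))
// The token contract sees msg.sender == handler, an approved spender, and
// the settlement buffer drains up to min(allowance, balance).
contract UnsafeHandler {
    function execute(address target, bytes calldata data) external returns (bytes memory) {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// Hardened variant (also hypothetical) with two changes:
//  1. Only the settlement contract may call it. The settlement contract in turn
//     only runs interactions supplied by an allow-listed solver's winning solution.
//  2. No arbitrary external call from a context that holds the allowance: the
//     handler pulls exactly `amount` of one named token into itself and forwards
//     the swap to a fixed router, so a caller cannot pick the token recipient.
contract SafeHandler {
    address public immutable settlement;
    address public immutable router; // hypothetical Uniswap V3-style router

    constructor(address settlement_, address router_) {
        settlement = settlement_;
        router = router_;
    }

    modifier onlySettlement() {
        require(msg.sender == settlement, "SafeHandler: caller is not settlement");
        _;
    }

    function swap(address sellToken, uint256 amount, bytes calldata routerCalldata)
        external
        onlySettlement
    {
        // Pull only what this swap needs, from the settlement contract, into this handler.
        require(IERC20(sellToken).transferFrom(settlement, address(this), amount), "pull failed");
        // Grant the router exactly `amount`; the router is fixed at deployment.
        require(IERC20(sellToken).approve(router, amount), "approve failed");
        (bool ok, ) = router.call(routerCalldata);
        require(ok, "swap failed");
    }

    // Exposure check a solver can run after an incident or before an upgrade:
    // for every token the settlement contract approved to a retired handler,
    // this must return 0 once the revocation transaction has landed.
    function remainingExposure(address token, address oldHandler) external view returns (uint256) {
        return IERC20(token).allowance(settlement, oldHandler);
    }
}
```

Two caveats follow from the example. First, even the hardened form leaves a standing allowance in place; a design in which the settlement contract pushes tokens to the handler as part of the solution interaction, rather than approving the handler to pull them, removes the exposure entirely. Second, revocation must be verified per token: after the revoke transaction, `allowance(settlement, oldHandler)` should read 0 for each of the approved tokens (seven in this incident), since a single missed token keeps the drain path open.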
Communication
The core team acted swiftly:
- Revoking allowances and banning the GlueX solver.
- Informing solvers while withholding public disclosure to avoid exacerbating the vulnerability.
The incident was noted by the MEVRefund X account, prompting GlueX Protocol to publicly acknowledge the issue and confirm reimbursement.
Public statement by GlueX Protocol (November 7, 2024):
“Exploit came via a contract deployed to support the execution of swaps with Uniswap V3-type DEXs. We are to blame here. Allowances to the exploited contract have been revoked. Exploited fees will be fully refunded.”
Future Processes
To streamline bonding pool operations and improve transparency, the following improvements are proposed:
- Direct solver reimbursement: If the solver cooperates, reimbursements should occur directly to the settlement contract, eliminating the need for a slashing procedure (which goes via a separate forum section).
- Procedure development: The core team shall draft a CIP addressing deny- and allow-listing rules, reimbursement simplifications, slashing mechanisms, calculation of harm and additional costs, and bond management processes.
- Mandate: Pending formalization of these processes, the core team shall continue to act on behalf of CoW DAO in managing solver lists in the protocol's best interest.
Proposed Transaction
Transfer $76,783 USD from the CoW DAO bonding pool (0x5d4020b9261f01b6f8a45db929704b0ad6f5e9e6) to the CoW DAO rewards Safe (0xA03be496e67Ec29bC62F01a428683D7F9c204930). Note: this skips the settlement contract and goes directly to CoW DAO's withdrawal address.
The transaction will be executed from CoW DAO's Safe using the oSnap plugin, contingent on this CIP passing. When voting on Snapshot, participants are encouraged to verify the transaction content, cross-check the Tenderly simulation (in particular the recipient address and amount above), and confirm alignment with the CIP's intent.