Saddle Case Update

Dear InsurAce Community, here is an update regarding the recent Saddle Finance exploit. Please reach out to us on our Telegram or Discord if there are further inquiries.  

On April 30th 2022, an attacker exploited the same vulnerability in the Nerve Bridge Incident to attack the Saddle Finance. The root cause of the vulnerability for the two incidents is the same which is due to the flawed calculation implemented in the swap function in MetaSwapUtils library.  

This vulnerability in the MetaSwapUtils library for metapools had been previously identified and disclosed in Nov 2021. After that, Saddle team fixed the vulnerability and re-deployed the new version V2 of the MetaSwapUtils library immediately. However, the team failed to deploy this new updated library to three pool sUSD Meta V2, tBTC Meta V2, and wCUSD Meta V2. As a result, the same vulnerability was successfully exploited by an attacker once again on April 30th. 

Reference: How to exploit the same vulnerability of MetaPool in two different ways (Nerve Bridge / Saddle Finance) 

Advisory Board Reference

By reviewing our smart contract cover T&C, this event is non-coverable as stated in Clause#7 under “Exclusions”: Smart Contract Cover will not pay for any hacks or pre-defined insured events occurring during the Cover Period but the hack occurred or is known, or the hack is due to the bug being disclosed to the public, before the Cover Period.  

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top