BabelFish Security Update — October

Babel Fish
Oct 26, 2022

On October 4th, the BabelFish team was alerted to an exploit that occurred on the mainnet Sovryn protocol. The Sovryn developers had detected an unexpected difference between the loan token supply and the lending pool balance. When BabelFish was alerted, the Sovryn developers did not yet know the exact nature of the exploit, but they did see that the exploiter was using BabelFish to convert XUSD into stablecoins on BSC and Ethereum.

Out of an abundance of caution, in case the exploit was caused by one of the stablecoins that BabelFish and the lending protocol had in common, the Sovryn developers recommended that the BabelFish developers pause the BabelFish contracts. The BabelFish developers acted on this recommendation, and the BabelFish multisig was used to pause the BabelFish contracts so that none of their functions could be used.

After the Sovryn developers learned the exact nature of the vulnerability and determined that BabelFish was not vulnerable, they told the BabelFish developers that they believed it was safe to unpause the BabelFish contracts. On October 7th, the BabelFish contracts were unpaused, and the protocol has operated normally since then.

Before unpausing the BabelFish contracts, the BabelFish developers took the opportunity to merge a precautionary protection against the cross-contract re-entrancy vulnerability that the exploiter used against Sovryn.

BabelFish developers also implemented, but did not yet activate, an emergency deposit pause feature. It is designed to be activated by a special “keeper” node in response to stablecoin price anomalies that could indicate a serious problem with a stablecoin. This emergency deposit pause feature has been under development for several months and was planned to be implemented this month. The exploit Sovryn experienced created an opportunity to deploy the code while the BabelFish contracts were paused for the Sovryn vulnerability investigation.

FISH stakers can now review a BIP draft for activating the emergency deposit pause feature here. After a two-week-long public review, the BIP will be put to a vote. If the BIP is approved, the emergency deposit pause feature will be activated.

BabelFish.money - stablecoin aggregator and liquidity provider. Issuer of XUSD - meta-stablecoin on RSK chain.