Critical Bug Payout Report

Notional received a critical bug report from a whitehat hacker last night. The Notional team disabled the affected code in under an hour after it was reported. No user funds have been lost, and none are at risk. No user-facing functionality is affected. Users can continue to use Notional to lend and borrow at fixed rates safely. We have created a fix for this issue, and will deploy the change once our auditors have reviewed and confirmed it. Notional Finance Incorporated will pay the full $1 million bounty listed through Immunefi + a bonus of 100,000 NOTE.

Security remains our highest priority and we will continue to offer the top prize of $1 million via Immunefi for critical issues found. We submitted our code for audit by three independent audit firms. The affected code was present in all three of these audits. We also submitted our code for formal verification. The affected code was subject to a formal verification check explicitly designed to detect this particular vulnerability, but due to human error the check was not properly constructed and did not function as intended. Certora will issue a report detailing why that check did not work as intended in the coming days.

We are confident in our approach in investing in all potential safeguards and we will continue to employ multiple levels of audits, formal verifications and bug bounty programs for future updates.

Background

The affected method is called enableBitmapCurrency. This method is not accessible via the Notional UI and must be called directly. It is currently disabled and will revert if called. The method enables an account to utilize a different portfolio structure than normal. The vast majority of users would never require this account type, it is primarily used in the case of market making idiosyncratic fCash assets. This is a feature of the system that has yet to be used in production. Currently, only four accounts on the Notional system have called this method and they are all controlled by the Notional team. None of these accounts can be used to exploit the system because the affected method is currently disabled.

An attack on this method could have occurred as follows:

1. An attacker would first enable their bitmap currency on their account, eg. ETH.
2. They would then deposit a second currency into their account, eg. DAI.
3. At this point, the system would recognize that a free collateral check would need to inspect both ETH and DAI assets and balances (at this point everything is working properly).
4. They would then call enableBitmapForAccount a second time, switching their bitmap currency to DAI. Due to a logic error in the smart contract code, this would result in the system believing that it would have to check DAI twice in free collateral, effectively doubling the DAI collateral believed to be present in the account.
5. At this point the attacker could borrow in significant amounts without sufficient collateral, giving them the ability to drain funds.

We remain committed to the security of the Notional protocol as we continue the work of building the most capital-efficient fixed rate borrowing and lending protocol on Ethereum.

The Notional Team