Superfluid Exploit Analysis
Overview
On February 8, 2022, the Superfluid protocol suffered an $8.7M attack in which a forged calling context let the attacker move tokens out of accounts belonging to multiple partner projects.
What Happened
An attacker exploited Superfluid's context serialization mechanism to drain assets from several protocols using the platform:
• 19.4M QI (Mai Finance) - sold for ~$6.2M
• 1.5M MOCA (Museum of Crypto Art) - 1M sold for ~$500K
• 45k SDT (Stake DAO) - ~$54K
• 24k STACK (Stacker Ventures) - ~$19K
• 24.4 WETH - ~$76K
• 563k USDC - converted to 173 WETH
• 39k sdam3CRV - ~$44K equivalent
• 11k MATIC - unsold
The QI token initially dropped ~80%, later recovering to 62% of its pre-hack value.
Technical Root Cause
The vulnerability existed in how Superfluid's host contract managed serialized context ("ctx") objects across agreement calls. As noted in the post-mortem: "The attacker was able to skillfully craft the calldata such that serialization and de-serialization resulted in agreement contracts operating on forged context to impersonate accounts."
The core issue: the agreement contracts decoded the ctx by following the offsets in the calldata, so they picked up the attacker-injected ctx and never saw the legitimate one supplied by the host. Since the ctx carries the sender identity, the attacker could perform agreement operations as any account the forged ctx named.
Attack Vector
1. Crafted calldata injection - attacker created malicious function calls containing a fake ctx
2. Context impersonation - the injected ctx contained arbitrary sender information
3. IDA exploitation - used Instant Distribution Agreement (IDA) indexes to drain tokens from legitimate account holders
4. Token conversion - converted stolen assets to WETH and other liquid tokens via Uniswap
Attacker address:
0x1574f7f4c9d3aca2ebce918e5d19d18ae853c090
Exploit transaction:
0xdee86cae2e1bab16496a49b2ec61aae0472a7ccf06f79744d42473e96edd6af6
Remediation
Superfluid patched the vulnerability within 6 hours with assistance from security researcher Mudit Gupta. The fix added verification via ISuperfluid.isCtxValid, which validates a decoded context by comparing it against the hash stamp stored in the host contract, closing the gap where SuperApp callbacks lacked this protection.
Patch: GitHub commit 4048fbc, https://github.com/superfluid-finance/protocol-monorepo/commit/4048fbc66c144e1afd5ae68b21160e1b25d96270
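The pattern behind the root cause, the attack vector and the isCtxValid fix, as an added worked model that is not Superfluid's own code: a host that splices its ctx in as the last ABI argument of an agreement call, an agreement that decodes ctx with ordinary offset-following ABI decoding, and a caller who crafts calldata so that the offset lands on a fake ctx. The host/agreement layout, the placeholder-ctx check, the hypothetical distribute(uint256,bytes) function, the string-valued ctx and the use of sha3_256 in place of keccak256 are all simplifying assumptions made for this example, not details taken from the Superfluid contracts.

```python
import hashlib

WORD = 32


def word(n: int) -> bytes:
    """One 32-byte big-endian ABI word."""
    return n.to_bytes(WORD, "big")


def pad32(b: bytes) -> bytes:
    """Right-pad dynamic data to a 32-byte boundary, as ABI encoding does."""
    return b + b"\x00" * (-len(b) % WORD)


def ctx_stamp(ctx: bytes) -> bytes:
    """Hash stamp of a serialized ctx. Assumption: sha3_256 stands in for keccak256,
    which hashlib does not provide."""
    return hashlib.sha3_256(ctx).digest()


def encode_distribute_call(index_id: int, ctx: bytes) -> bytes:
    """Honest ABI encoding of a hypothetical distribute(uint256 indexId, bytes ctx).
    Head: indexId word, then the offset of the ctx tail; tail: length word, data.
    Callers pass an empty placeholder ctx, so the tail is a single zero word."""
    head = word(index_id) + word(2 * WORD)
    tail = word(len(ctx)) + pad32(ctx)
    return head + tail


def craft_forged_call(index_id: int, fake_ctx: bytes) -> bytes:
    """Attacker calldata: the head offset points at a fake ctx placed in the middle of
    the calldata, and a trailing zero word still satisfies the host's placeholder check."""
    return word(index_id) + word(2 * WORD) + word(len(fake_ctx)) + pad32(fake_ctx) + word(0)


def replace_placeholder_ctx(calldata: bytes, ctx: bytes) -> bytes:
    """Host side: require a zero-length placeholder as the last word, strip it and append
    the real ctx. The head offset is not rewritten, which is what the forgery relies on."""
    if int.from_bytes(calldata[-WORD:], "big") != 0:
        raise ValueError("placeholder ctx should have zero length")
    return calldata[:-WORD] + word(len(ctx)) + pad32(ctx)


def decode_ctx_arg(calldata: bytes) -> bytes:
    """Agreement side: plain ABI decoding of the second argument follows the head offset
    and never looks at bytes the host appended beyond the tail it points to."""
    offset = int.from_bytes(calldata[WORD:2 * WORD], "big")
    length = int.from_bytes(calldata[offset:offset + WORD], "big")
    return calldata[offset + WORD:offset + WORD + length]


class Host:
    """Toy host contract. ctx is modelled as just the account the call acts on behalf of."""

    def __init__(self, validate_ctx: bool):
        self.validate_ctx = validate_ctx  # False: pre-patch behaviour; True: isCtxValid-style check
        self.stamp = b""

    def is_ctx_valid(self, ctx: bytes) -> bool:
        """Compare a decoded ctx against the hash stamp recorded when the host issued it."""
        return ctx_stamp(ctx) == self.stamp

    def call_agreement(self, msg_sender: str, calldata: bytes) -> str:
        """Issue a ctx for msg_sender, splice it into the calldata, then run the agreement's
        decoding step. Returns the account the agreement would act on behalf of."""
        ctx = msg_sender.encode()
        self.stamp = ctx_stamp(ctx)
        decoded = decode_ctx_arg(replace_placeholder_ctx(calldata, ctx))
        if self.validate_ctx and not self.is_ctx_valid(decoded):
            raise PermissionError("SF: invalid ctx")
        return decoded.decode()


def demo() -> dict:
    """Three runs with constructed account names: an honest call, the forgery against the
    unpatched host, and the same forgery against the patched host."""
    honest = Host(validate_ctx=False).call_agreement("alice", encode_distribute_call(7, b""))
    forged = Host(validate_ctx=False).call_agreement("mallory", craft_forged_call(7, b"victim"))
    try:
        Host(validate_ctx=True).call_agreement("mallory", craft_forged_call(7, b"victim"))
        patched = "accepted"
    except PermissionError:
        patched = "rejected"
    return {"honest": honest, "forged_unpatched": forged, "forged_patched": patched}


if __name__ == "__main__":
    print(demo())
```

With validate_ctx=False the agreement acts on behalf of whatever account the forged ctx names, even though the host's real ctx is sitting at the end of the calldata; with the hash-stamp check on, the decoded ctx fails the comparison and the call reverts, which is the protection the patch extended to the callback path.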
Outcome
• Superfluid offered a $1M bounty for fund recovery
• Most affected accounts were refunded gradually
• Stolen funds remained in attacker's wallet as of publication
• Ranked #42 on REKT's exploit leaderboard; no user funds were directly lost