Loss: 4084 KP3R were minted to the attacker, valued at $211k at the time.
TLDR;
- An attacker obtained the governor key of a whitelisted Keep3r v1 job: the governor was a Profanity-generated vanity address, whose private key can be recovered.
- The attacker added liquidity to the job and waited a few days for the bonding period to pass.
- The attacker took a flashloan from Balancer and manipulated the Sushi LP pool, then called `applyCreditsToJob`, which calculates how many credits the job is owed for the liquidity it holds, valued from the pool's state at call time. Because of the manipulation, the job received 4084.27 KP3R credits instead of 537.89.
- The attacker worked the job repeatedly until the credits were drained and paid out to himself.
Timeline of events
June 2nd, 2023
- An attacker got hold of the governor of a whitelisted job in Keep3rNetwork v1. The job, CrvStrategyKeep3rJob2, belonged to Yearn (0xeE15010105b9BB564CFDfdc5cee676485092AEDd), and its governor address (0x0000000031669Ab4083265E0850030fa8dEc8daf) had been generated with Profanity, whose weak key generation makes the private key recoverable.
- On block 17393117 the attacker added 65.17 Sushiswap LP (~$77k) as liquidity to the job CrvStrategyKeep3rJob2 (https://etherscan.io/tx/0x06d9bcbf2efa3ec45989e366696619a0bd12c0ae937c716604c8b4973bb60c22). This liquidity has a 3-day bonding period, after which the liquidity owner can mint KP3R credits to the job.
June 12th, 2023
- On block 17461526 the attacker used the compromised governor key to transfer the job's governance to an address he controls. (https://etherscan.io/tx/0x3224352fdf15463c0062c66feae5a3698bffddd58d0eb28c9ba07aba9eaa7c1e)
- The attacker took a flashloan from Balancer and manipulated the Sushi LP pool (drgorilla tweeted the details). He then called `applyCreditsToJob`, which calculates how many credits the job is owed for the liquidity it holds, valued from the pool's state at call time. Because of the manipulation, the job received 4084.27 KP3R credits instead of 537.89.
- The attacker registered a fake strategy of his own in the job and worked it until the job's credits were completely drained, paying himself through Keep3r v1's `receipt` function, which lets a job pay KP3R credits to a keeper with no unbonding period.
- The attacker then started withdrawing his liquidity from the job. There is a 14-day unbonding period, but the protocol has no way to slash that liquidity.
Unbonding txs:
https://etherscan.io/tx/0xba61f1f8d7e826007979c960295e75e0439e7619b6f57f21661ba562eb3cc8b9
https://etherscan.io/tx/0x906553619e660c9548896d08f4af360b33ff315b976db64116a688e291f8a02a
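Added example (not part of the original post-mortem, and not Keep3r's or Yearn's code): a toy Python model of the credit-inflation step described in the TLDR and in the June 12th timeline entry. It assumes a constant-product KP3R/WETH pool with a 0.3% swap fee, values the job's LP tokens as their pro-rata share of the pool's KP3R reserve (a simplified stand-in for spot-reserve-based accounting, not the exact Keep3r v1 formula), and uses constructed pool numbers, not the real pool state. It shows why a flashloan swap inside one transaction inflates a spot-reserve valuation, and, going beyond the incident itself, how pricing the same LP from the pool invariant k and an external time-weighted reference price barely moves under the same swap.

```python
"""Toy model of the credit-inflation step: why valuing LP tokens from spot
reserves is manipulable inside one transaction, and a fair-pricing check that
is not. All numbers are constructed; this is not the Keep3r v1 code."""

from dataclasses import dataclass, replace
from math import sqrt

SWAP_FEE = 0.003  # Sushiswap-style 0.3% fee (assumption for the toy model)


@dataclass
class Pool:
    """Constant-product (x*y=k) KP3R/WETH pool."""
    kp3r: float
    weth: float
    lp_supply: float

    def _out(self, amount_in, reserve_in, reserve_out):
        # Standard x*y=k output with the fee taken from the input amount
        net_in = amount_in * (1 - SWAP_FEE)
        return reserve_out * net_in / (reserve_in + net_in)

    def sell_kp3r(self, amount):
        """Swap KP3R into the pool; the KP3R reserve grows by the full input."""
        out = self._out(amount, self.kp3r, self.weth)
        self.kp3r += amount
        self.weth -= out
        return out

    def sell_weth(self, amount):
        """Swap WETH into the pool, pulling KP3R back out."""
        out = self._out(amount, self.weth, self.kp3r)
        self.weth += amount
        self.kp3r -= out
        return out


def spot_credits(pool, lp_amount):
    """Credits = LP holder's pro-rata share of the pool's *current* KP3R reserve.
    This is the manipulable valuation: a single swap changes the reserve."""
    return pool.kp3r * lp_amount / pool.lp_supply


def fair_credits(pool, lp_amount, twap_weth_price):
    """Credits from the invariant k and an external reference price P
    (KP3R per WETH, e.g. a TWAP). A balanced pool at price P holds
    sqrt(k*P) KP3R; swaps leave k unchanged except for collected fees,
    so a one-transaction swap barely moves this number."""
    k = pool.kp3r * pool.weth
    return sqrt(k * twap_weth_price) * lp_amount / pool.lp_supply


def flashloan_attack(pool, lp_amount, loan_kp3r, twap_weth_price):
    """Simulate one atomic tx: borrow KP3R, dump it into the pool, read both
    valuations, swap the WETH back, repay. Returns
    (spot credits, fair credits, KP3R lost to fees and slippage)."""
    p = replace(pool)  # work on a copy: the caller's pool is untouched
    weth_out = p.sell_kp3r(loan_kp3r)
    spot = spot_credits(p, lp_amount)
    fair = fair_credits(p, lp_amount, twap_weth_price)
    kp3r_back = p.sell_weth(weth_out)
    cost = loan_kp3r - kp3r_back  # what the round trip costs the attacker
    return spot, fair, cost


# Constructed pool state (hypothetical, not the real Sushi pair)
POOL = Pool(kp3r=10_000.0, weth=500.0, lp_supply=1_000.0)
ATTACKER_LP = 65.0   # LP tokens bonded to the job (constructed)
TWAP_PRICE = 20.0    # 20 KP3R per WETH, consistent with the honest reserves

if __name__ == "__main__":
    print("honest spot credits:", spot_credits(POOL, ATTACKER_LP))
    spot, fair, cost = flashloan_attack(POOL, ATTACKER_LP, 50_000.0, TWAP_PRICE)
    print(f"manipulated spot credits:              {spot:.2f}")
    print(f"fair-priced credits under manipulation: {fair:.2f}")
    print(f"round-trip cost to attacker (KP3R):     {cost:.2f}")
```

In the toy numbers the manipulated spot valuation is several times the honest one while the attacker's only cost is the fee and slippage on the round trip, which is the economics the timeline describes; the fair valuation moves only by the fees the attacker's own swap added to k. The incident's 537.89 vs 4084.27 figures are not reproduced, since the real pool state is not on this page.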
Aftermath
Losses
- The attacker minted 4084 KP3R to himself, valued at $211k at the time.
- The attacker still holds the governance of 3 Yearn jobs. These jobs were already inactive, however.