TMX Tribe

The unverified contracts of TMXTribe were exploited by a series of attack transactions exploiting a vulnerability in the accounting logic. The root cause is that the AUM calculation (used to price TLP) ignores USDG liabilities, so USDG minting inflates AUM and enables high‑price redemptions.

The entry point of the attack is: Router.mintAndStakeGlp=>GlpManager.addLiquidityForAccount=>Vault.buyUSDG (https://app.blocksec.com/explorer/tx/arbitrum/0x0b8087dc9b6dfce217f9a9c70266373216a92f764b2d51bddaab1b1a6d8bffa8). The buyUSDG function increase both poolAmounts (assets) and usdgAmounts (liabilities).

The exploit hits on redeem (https://app.blocksec.com/explorer/tx/arbitrum/0x00eed3660badc8f02855d6cf5b8e2fbb521a1208752745e1419077c42e948a0f): Router.unstakeAndRedeemGlp=>GlpManager.removeLiquidityForAccount=>_removeLiquidity (0x1d0f), where the USDG to transfer into the vault is computed from 0x11df=>0x621. Function 0x621 loops all whitelisted tokens, picks min/max price, aggregates asset value using poolAmounts/guaranteedUsd/reservedAmounts/globalShortSizes/shortPnL, and applies _aumAddition/_aumDeduction, but never subtracts vault.usdgAmounts(token), so USDG liabilities are ignored.

Since USDG is redeemable debt, AUM must be net equity (assets − liabilities). Ignoring liabilities inflates AUM, overstates the GLP/TLP price, and makes the computed USDG redemption amount too large.

As a result, sellUSDG pays out more tokens than it should. The attack loop was repeated many times and gained approximately $1.4 M profit.

Related URLs:

Buy Tx: https://app.blocksec.com/explorer/tx/arbitrum/0x0b8087dc9b6dfce217f9a9c70266373216a92f764b2d51bddaab1b1a6d8bffa8

Sell Tx: https://app.blocksec.com/explorer/tx/arbitrum/0x00eed3660badc8f02855d6cf5b8e2fbb521a1208752745e1419077c42e948a0f

Vault Contract: https://app.dedaub.com/arbitrum/address/0x7f68594c7e9919c88e88fcd00b7f786cd6f45804/decompiled

GlpManager Contract: https://app.dedaub.com/arbitrum/address/0x2141dc7e3a50d177cdeadfb59fa50ffb17cd43d7/decompiled

In Comments

Numerical Information for a pair of buy&sell:

Buy tx 0x0b8087dc9b6dfce217f9a9c70266373216a92f764b2d51bddaab1b1a6d8bffa8 shows the relative price of TLP to USDG is 260,651.636314 (USDG minted) / 425,809.239621(TLP gained) = 0.612132 USDG

In sell tx 0x00eed3660badc8f02855d6cf5b8e2fbb521a1208752745e1419077c42e948a0f this indicator becomes 342,864.119043 (USDG burned) / 425,809.239621 (TLP) = 0.805206 USDG

The price increases approximately 31.5%.