Background
On March 14, 2024, according to intelligence from the SlowMist Security Team, the IT token on the Binance Smart Chain (BSC) was compromised, resulting in an approximate loss of $15,200. The SlowMist Security Team has conducted a thorough analysis of this attack and shares its findings as follows:
Related Information
Attacker’s Address:
- 0xB495573Cd2246e7cc7D6d2B37d779463295e5ab0
Attack Contract Address:
- 0x9A2287E3122441F9657bB01b5f8c3cAbB3F4C6f2
Attack Transactions:
- 0xdd2c446bbc98acb6649f949108536438c1d2bdd728955b4166d0efcde81c55aa
- 0x0c8e64ed42c360b5bbc1ac9cf31c3d6fd66f0f2ab014ef3df00220b3846963af
- 0x5e7ecbef2cab00144f427fe167c854710df1373853c43f268827b88ad845f976
- 0x6a951db7d919a0ac4e3085c88d341475542ba83628585eb808f6b9e5b668bb52
- 0xb33057f57ce451aa8cbb65508d298fe3c627509cc64a394736dace2671b6dcfa
Attack Method:
The attacker exploited a feature in the IT token’s transfer function, which would issue additional tokens to the pool based on the amount of tokens swapped. This allowed the attacker to gradually increase the reserve of IT tokens in the pool, thereby manipulating the price. The attacker repeatedly swapped IT tokens for BSC-USD in the pool to profit.
Transaction Analysis:
1. The attacker first took out a flash loan of 2000 BSC-USD to the attack contract.
2. Then, the attacker used 100 BSC-USD from this loan to perform three consecutive transfer-swap operations in a PancakeSwap pool (address: 0xcfbb39).
During the swap operations within the PancakeSwap pair (referred to as 0x7265_PancakePair), the attacker would transfer a specified amount of IT and BSC-USD tokens to the attack contract (address: 0xcfbb39). Following the logic within the IT token’s transfer function, when IT tokens were transferred out of the 0x7265_PancakePair, it would trigger the mintToPoolIfNeeded function, which mints additional tokens to the pool.
However, the quantity of minted tokens was calculated based on the amount of tokens transferred and the reserve of tokens in the pool. This mechanism resulted in an increase in the reserve of IT tokens within the pool with each borrowing transaction, while the value of tokenUsdtRate continually decreased. Consequently, the value of tokenMinReserveAfterBuy would consistently rise. Ultimately, this led to the creation of more IT tokens in the pool. By manipulating this mechanism, the attacker was able to control the price of the tokens during each swap, enabling them to use a fixed 100 BSC-USD to extract BSC-USD tokens from the pool.
3. After repeating the operation three times as described, the attacker managed to extract an additional 208 BSC-USD from the pool. With these profits, the attacker then swapped for a large amount of their own created tokens (address: 0x7c82a1) in the 0xcaba_PancakePair pool, thus inflating the price.
4. Using the same method, the attacker repeated the attack four more times. After all attacks were completed, they crashed the market by dumping the worthless tokens (address: 0x7c82a1) they had created, profiting from the BSC-USD extracted in the process.
This strategy of using the profits from attack transactions to inflate the price of worthless tokens, followed by a market crash to convert back the profits, obscures the flow of funds within the attack transactions. Moreover, since the worthless tokens were created by the attacker, their transfer function does not emit events, creating an illusion of non-profit for the attacker when viewed through most on-chain analysis tools.
Summary
The essence of this attack lies in the fact that each time IT tokens were transferred out of the pool, it led to the minting of more tokens within the pool, allowing the token prices to be manipulated. The SlowMist Security Team advises project developers to consider the direct impact of changes in pool reserves on token prices when designing their token models, to avoid situations where token transfers significantly disrupt pool balance.
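A design-review check for the behaviour summarized above, as an added example (not SlowMist's or the IT project's code): a toy token model is run through one simulated buy, and the check reports whether moving tokens out of the pair changed supply or left the pair's reserve higher than before. The names `Token`, `new_token`, `audit_buy` and `PAIR`, the 150% refill rule, the 0.25% swap fee and the reserve figures are all assumptions made for illustration; the page does not give the real mint formula.

```python
# Added example: toy model for design review, not the IT token's contract code.
from dataclasses import dataclass, field

PAIR = "pair"  # constructed label standing in for the PancakeSwap pair address


@dataclass
class Token:
    mint_on_pool_exit: bool  # True models the mint-on-transfer behaviour described above
    balances: dict = field(default_factory=dict)
    total_supply: int = 0

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        if self.mint_on_pool_exit and sender == PAIR:
            # ASSUMED stand-in rule (the real formula is not given on the page):
            # refill the pool with 150% of what just left it.
            self.mint(PAIR, amount * 3 // 2)


def new_token(mint_on_pool_exit, pool_liquidity=1_000_000):
    """Constructed starting state: all liquidity sits in the pair."""
    token = Token(mint_on_pool_exit)
    token.mint(PAIR, pool_liquidity)
    return token


def audit_buy(token, usdt_reserve, usdt_in):
    """Simulate one buy (IT leaves the pair) and return (findings, pool_after)."""
    pool_before, supply_before = token.balances[PAIR], token.total_supply
    # Constant-product output with an assumed 0.25% fee, integer math as on-chain.
    paid = usdt_in * 9975
    amount_out = pool_before * paid // (usdt_reserve * 10_000 + paid)
    token.transfer(PAIR, "buyer", amount_out)
    pool_after = token.balances[PAIR]
    findings = []
    if token.total_supply != supply_before:
        findings.append("total supply changed inside transfer()")
    if pool_after != pool_before - amount_out:
        findings.append("pair balance not debited by exactly the amount sent")
    if pool_after >= pool_before:
        findings.append("pair reserve grew although tokens were bought out of it")
    return findings, pool_after
```

A token model that passes returns an empty findings list; any finding means a transfer out of the pair moves the reserve independently of the swap and should be reviewed before deployment.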
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
We offer a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.