Analysis of the YIEDL Security Breach

4 min readApr 25, 2024



On April 24, 2024, according to intelligence from the SlowMist Security Team, the YIEDL project on the BSC chain was attacked, with the attacker stealing approximately $300,000. We conducted an analysis of the attack and these were our findings:


Related Information

Attacker’s Address: 0x322696471792440499b1979e0a440491e870667a

Contract Address Being Attacked: 0x4edda16ab4f4cc46b160abc42763ba63885862a4

Some of the Attack Transactions:











Cause of Attack

In this incident, the reason lies in the contract’s failure to adequately validate the external parameter(dataList) provided by the user during the processing of the redeem function call. This parameter is critical data for controlling asset exchanges, typically containing specific transaction instructions or routing information. The attacker maliciously constructed this external parameter, enabling unauthorized asset transfers.

Transaction Analysis

The attacker repeatedly invoked the redeem function with a redemption quantity of 0 assets. This action may seem harmless since a redemption quantity of zero typically doesn’t trigger any actual fund movement.

However, delving into the redeem function reveals that it traverses the list of assets allowed by the contract. When the current asset is not the one the user wishes to receive, it parses the dataList parameter and makes an external call to the corresponding function in the 1inch Router contract to execute the asset exchange operation.

Due to the unchecked and unverified nature of the dataList parameter, the attacker was able to construct malicious values to execute the unoswapTo function in the 1inch Router contract for arbitrary and controllable token exchanges.

As a result, WBNB-ADA tokens within the Yiedl BULL contract were exchanged for BNB to the attacker’s address.

In this manner, the attacker, without actually owning any redemption shares, triggered token exchange operations controlled by the dataList parameter. By repeatedly mobilizing contract funds without consuming their own assets, the attacker profited and exited.


The core of this attack lies in the failure to adequately validate the dataList parameter, allowing attackers to manipulate external data and drain tokens from the contract using 1inch. The SlowMist Security Team recommends project teams implement rigorous parameter validation mechanisms during development, especially concerning asset operations within contracts. When it comes to the operation of funds in a contract, it is important to ensure that all external calls conform to expected behavioral norms and conduct thorough security audits of contract logic to avoid the recurrence of similar incidents.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken,, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub




SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.