Background
On April 24, 2024, according to intelligence from the SlowMist Security Team, the YIEDL project on the BSC chain was attacked, with the attacker stealing approximately $300,000. We conducted an analysis of the attack and these were our findings:
Related Information
Attacker’s Address: 0x322696471792440499b1979e0a440491e870667a
Contract Address Being Attacked: 0x4edda16ab4f4cc46b160abc42763ba63885862a4
Some of the Attack Transactions:
0x49ca5e188c538b4f2efb45552f13309cc0dd1f3592eee54decfc9da54620c2ec
0x3629ad588ac120163792e92b6c43bd4bdc5bf35cac66eb7f3a0267df93abc849
0x0a89b8670c40b4067b9522a5933c3bf8c44c968103aa642b04c65d49ad9e6457
0x5e468cba495e5f6165418fb9d87d824309c54261055425f33f588dd3b3abbcea
0x8710034dadecfc8c26f651c612f613fffdece6e2f9957b9ec8ab843218168c1d
0x9da398ed274c8cfa774b36003fa8c930d3430d0fc5889b5008830fd6463f68a9
0x2e3d4332f66a334e0170187011ed673dc222f95bf4443b618e08f8052437ef7a
0x5a15fdc57c35f2305aaa0bb95b109ad412b17406d737d137190fe5867393339d
0x8ef3765665cd849cdf9132ab37caf6aa0f891e1f7d9f418f86a6ab6ea38b6f5b
0xa9fa04b033afbed2218679aea92e9429a5f7839d0b4c65358ebf9ba20efcd021
Cause of Attack
In this incident, the root cause lies in the contract’s failure to adequately validate the external parameter (dataList) supplied by the user while processing the redeem function call. This parameter is critical data for controlling asset exchanges, typically containing specific transaction instructions or routing information. The attacker maliciously constructed this external parameter, enabling unauthorized asset transfers.
Transaction Analysis
The attacker repeatedly invoked the redeem function with a redemption quantity of 0 assets. This action may seem harmless since a redemption quantity of zero typically doesn’t trigger any actual fund movement.
However, delving into the redeem function reveals that it traverses the list of assets allowed by the contract. When the current asset is not the one the user wishes to receive, it parses the dataList parameter and makes an external call to the corresponding function in the 1inch Router contract to execute the asset exchange operation.
Because the dataList parameter is neither checked nor verified, the attacker was able to construct malicious values that execute the unoswapTo function in the 1inch Router contract, giving them arbitrary, attacker-controlled token exchanges.
As a result, WBNB-ADA tokens within the Yiedl BULL contract were exchanged for BNB to the attacker’s address.
In this manner, the attacker, without actually owning any redemption shares, triggered token exchange operations controlled by the dataList parameter. By repeatedly moving contract funds without spending any of their own assets, the attacker took the profit and exited.
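To make the pattern concrete, the following is an added illustration written for this analysis; it is not YIEDL’s code. A minimal vault with the unchecked-dataList redeem described above sits next to a hardened version that ties each router call to the redeemer’s actual shares. The IERC20 interface, share accounting and the unoswapTo(address,address,uint256,uint256,uint256[]) signature are assumptions modelled on 1inch AggregationRouterV5 and should be checked against the router version a project actually integrates.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not YIEDL's code. Router interface and unoswapTo signature
// are assumptions modelled on 1inch AggregationRouterV5.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// The pattern described above: nothing ties dataList to the caller's shares,
// so a zero-share redeem still forwards caller-chosen calldata to the router.
contract VulnerableRedeem {
    address public immutable router;
    address[] public allowedAssets;

    constructor(address router_, address[] memory assets) {
        router = router_;
        allowedAssets = assets;
    }

    function redeem(uint256 shareAmount, address wantToken, bytes[] calldata dataList) external {
        for (uint256 i = 0; i < allowedAssets.length; i++) {
            if (allowedAssets[i] == wantToken) continue;
            (bool ok, ) = router.call(dataList[i]); // opaque, unvalidated calldata
            require(ok, "swap failed");
        }
        // share burn and payout omitted; with shareAmount == 0 they never matter
    }
}

contract HardenedRedeem {
    address public immutable router;
    address[] public allowedAssets;
    uint256 public totalShares;
    mapping(address => uint256) public shares; // constructed stand-in for share accounting

    // Only this router entry point may be reached from redeem (assumed V5 signature).
    bytes4 private constant UNOSWAP_TO =
        bytes4(keccak256("unoswapTo(address,address,uint256,uint256,uint256[])"));

    constructor(address router_, address[] memory assets) {
        router = router_;
        allowedAssets = assets;
    }

    function redeem(uint256 shareAmount, address wantToken, bytes[] calldata dataList, uint256 minWantOut)
        external
    {
        require(shareAmount > 0 && shareAmount <= shares[msg.sender], "invalid share amount");
        require(dataList.length == allowedAssets.length, "dataList length mismatch");
        uint256 supply = totalShares;
        uint256 wantBefore = IERC20(wantToken).balanceOf(address(this));
        bool wantAllowed;

        for (uint256 i = 0; i < allowedAssets.length; i++) {
            address asset = allowedAssets[i];
            if (asset == wantToken) { wantAllowed = true; continue; }
            // the redeemer's pro-rata slice is the most any swap may spend of this asset
            uint256 maxSpend = IERC20(asset).balanceOf(address(this)) * shareAmount / supply;
            _checkedSwap(asset, maxSpend, dataList[i]);
        }
        require(wantAllowed, "wantToken not allowed");

        // payout = the redeemer's existing slice of wantToken plus the swap proceeds
        uint256 wantOut = wantBefore * shareAmount / supply
            + (IERC20(wantToken).balanceOf(address(this)) - wantBefore);
        require(wantOut >= minWantOut, "slippage");
        shares[msg.sender] -= shareAmount;
        totalShares = supply - shareAmount;
        require(IERC20(wantToken).transfer(msg.sender, wantOut), "transfer failed");
    }

    function _checkedSwap(address asset, uint256 maxSpend, bytes calldata data) internal {
        // 1. whitelisted selector only, never an arbitrary router function
        require(data.length >= 4 + 32 * 4 && bytes4(data[:4]) == UNOSWAP_TO, "selector not allowed");
        // 2. decoded arguments must match this redemption: proceeds return here,
        //    the source token is the asset being sold, the amount is within budget
        (address recipient, address srcToken, uint256 amount, ) =
            abi.decode(data[4:], (address, address, uint256, uint256));
        require(recipient == address(this), "recipient must be vault");
        require(srcToken == asset && amount <= maxSpend, "token/amount mismatch");
        // 3. a per-call allowance bounds what the router can pull even if the calldata lies
        require(IERC20(asset).approve(router, amount), "approve failed");
        uint256 before = IERC20(asset).balanceOf(address(this));
        (bool ok, ) = router.call(data);
        require(ok, "swap failed");
        require(IERC20(asset).approve(router, 0), "approve reset failed");
        // 4. balance delta confirms no more than the budget actually left the vault
        require(before - IERC20(asset).balanceOf(address(this)) <= maxSpend, "overspent");
    }
}
```

The share check on its own would have stopped the zero-share variant seen in this incident, but not a genuine share holder passing malicious calldata; the selector whitelist, argument decoding, per-call allowance and balance-delta check are layered so that each still bounds the damage if another is bypassed. If a vault keeps standing approvals to the router, the allowance step does nothing, so approvals should be granted per call and reset afterwards as shown.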
Conclusion
The core of this attack lies in the failure to adequately validate the dataList parameter, allowing attackers to manipulate external data and drain tokens from the contract using 1inch. The SlowMist Security Team recommends project teams implement rigorous parameter validation mechanisms during development, especially concerning asset operations within contracts. When it comes to the operation of funds in a contract, it is important to ensure that all external calls conform to expected behavioral norms and conduct thorough security audits of contract logic to avoid the recurrence of similar incidents.
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
We offer a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall), Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.