According to the intelligence of the SlowMist Zone, on September 12, 2021, the Zabu Finance project on Avalanche suffered flashloan attack.
- The attacker first created two attack contracts, then swapped WAVAX into SPORE tokens through attack contract 1 in Pangolin, and deposited the obtained SPORE tokens to ZABUFarm contract, to prepare for the subsequent acquisition of ZABU token rewards.
- The attacker borrowed SPORE tokens from Pangolin flashloan by attack contract 2, and then began to use SPORE tokens to conduct `deposit/withdraw` operations in the ZABUFarm contract. Since SPORE tokens need to charge a certain fee during the transfer process (in the SPORE contract), the amount of SPORE tokens actually received by the ZABUFarm contract is less than the amount of staking passed in by the attacker. However, we noticed that the ZABUFarm contract directly recorded the number of staking that user received, instead of recording the actual number of tokens received by the contract, but the ZABUFarm contract allowed the user to withdraw all the staking recorded by the contract when the user took out the staking quantity. This results in the fact that the amount of SPORE tokens actually received by the attacker in the ZABUFarm contract when staking is less than the amount of tokens transferred out of the ZABUFarm contract to the attacker when the attacker withdraws.
- The attacker took advantage of the accounting defect caused by the compatibility between the ZABUFarm contract and the SPORE token, and continuously consumed the SPORE funds in the ZABUFarm contract to a very low value through the `deposit/withdraw` operation. The staking reward of the ZABUFarm contract is calculated by dividing the accumulated block rewards into the total amount of SPORE tokens staking in the contract. Therefore, when the total amount of SPORE tokens in the ZABUFarm contract is reduced to a very low value, it will undoubtedly be calculated a great reward value.
- The attacker obtained a large amount of ZABU token rewards through the previously secured attack contract 1 in ZABUFarm, and then sold ZABU tokens.
The attack was caused by the incompatibility between Zabu Finance’s staking model and SPORE tokens. There have been many attacks caused by such issues. The SlowMist security team recommends that the project staking model should record the actual token changes in the contract before and after the transfer when the project staking model is connected to the deflationary token, instead of relying on the number of staking tokens passed in by the user.
Attack contract 1: 0x0e65Fb2c02C72E9a2e32Cc42837df7E46219F400
Attack contract 2: 0x5c9AD7b877F06e751Ee006A3F27546757BBE53Dd