SlowMist: An Analysis of the Attack on the VTF Token (Released in 2022)
On October 27, 2022, according to the SlowMist security team, both the Victor the Fortune (VTF) token and the V8 protocol (V8) token had serious vulnerabilities and were attacked. The attackers made about $58,000 and $53,000 in profit, respectively. The SlowMist Security Team intervened and analyzed the situation promptly. Since the two tokens were attacked in the same way, this article only analyzed the attack event of VTF tokens and shared the results as follows:
Related Information
Victor the Fortune (VTF) is an ERC 20 token on the BSC chain. The following are the main addresses involved in this attack:
VTF Token Address:
https://bscscan.com/address/0xc6548caF18e20F88cC437a52B6D388b0D54d830D
Attacker Address: https://bscscan.com/address/0x57c112cf4f1e4e381158735b12aaf8384b60e1ce
Primary Attack Contract Address:
https://bscscan.com/address/0x450595e4a42cc08c14091b08dbab654a68b0a877
Attack Transactions:
https://bscscan.com/tx/0x74c63833219e751a38908860b9092b4acda3fb10fecefed3c480f7f85a346742
https://bscscan.com/tx/0xeeaf7e9662a7488ea724223c5156e209b630cdc21c961b85868fe45b64d9b086
Attack Core
In the VTF contract, it rewards token holders with dividends, the amount of which is determined by the time difference between the two dividends and the current balance of tokens held in the account. Therefore, the attacker can use the flash loans to enlarge the balance of tokens held when requesting a dividend in order to get additional bonus tokens.
Analysis of Specific Details
1. In transaction 0x74c63833, we can see that the attacker started creating the contracts needed for the attack two days before the attack was launched, a total of 400 contracts, and called the updateUserBalance function one by one to set the userBalanceTime value of these contracts to the timestamp of two days ago:
2. Two days later, the attacker launched a formal attack 0xeeaf7e96. The attacker first borrowed a large amount of USDT through a flash loan, then converted the USDT into VTF tokens through pancake and called the updateUserBalance function of the VTF token contract to receive a bonus:
3. The attacker transferred VTF tokens to the attack contract 0x1dD557 generated in the first step and then swapped part of the VTF tokens back to USDT to add liquidity to the pool:
4. Next, the attacker called the updateUserBalance function of the VTF token contract to distribute a bonus for the attack contract 0x1dD557. Since the formal attack was two days away from the first transaction ready to attack, the userBalanceTime had a two-day difference with the current timestamp and would not be 0, thus passing the check and calculating the value of the reward as The result of multiplying the balance of VTF tokens in the account with the time difference, thus successfully obtaining the bonus rewards:
5. Then the attacker transferred all the VTF tokens to the next attack contract, continued to call the updateUserBalance function to get bonus rewards, looped the process until all the attack contracts were awarded bonuses and continued to accumulate VTF tokens. The last contract transferred all the VTF pool back to the main attack contract 0x450595e4:
6. Finally, the attacker converted the VTF tokens back into USDT through pancake’s pool for a profit:
Summary
This attack was due to the simple design of the economic model of the whole token. The reward bonus of token holding only depended on the time difference value of userBalanceTime and the balance of tokens held for calculation, which led the attacker to use the creation of multiple contracts and flash loans to accumulate more tokens. The SlowMist Security Team recommends that the balance between token liquidity and security should be fully considered when designing the token bonus model.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, O3Swap, etc.
Website:
https://www.slowmist.com
Twitter:
https://twitter.com/SlowMist_Team
Github:
https://github.com/slowmist/
