A brief analysis of the hacking of BSC on-chain project PancakeHunny

The PancakeHunny hack is another attack on a fork (copycat) project on the BSC chain, and it should serve as a warning.

(I) Overview of the incident
At 11:11 p.m. Beijing time on June 3, public-opinion monitoring by Beosin-Eagle Eye, the on-chain security situational awareness platform, showed that PancakeHunny, a project on the BSC chain, had been hacked. According to statistics, the hackers made a total profit of 43 ETH (more than USD 100,000 in total) in this attack.

Faced with another hacked project on the BSC chain, the Chengdu Chain Security Team immediately launched a security emergency response to track and analyze the PancakeHunny hack, and to remind all major projects on the BSC chain to raise their security awareness and stay alert to the lingering cloud of “Black May”.

It is understood that PancakeHunny is another fork of PancakeBunny. In this incident, the hacker’s technique was broadly similar to the earlier attack on PancakeBunny: mint a large number of tokens and dump them on the market within a short period of time, which caused the HunnyToken price to plummet.

(II) Event Analysis
The Chengdu Chain Security Team began tracking and analyzing the hacked code. According to the disclosed clues and the attack transactions, the hacker mainly exploited a design flaw in a function of the HunnyMinter contract to carry out the attack, as shown in the following figure.


It should be noted that the mintFor function is used to convert the fees charged into HunnyTokens and return them to the user. However, when reading the fees to be converted, it incorrectly uses balanceOf as the parameter, and it uses a fixed conversion ratio (1 BNB : 3200 HunnyToken at that time) when converting to HunnyTokens, which gave the hacker a chance to launch an attack.


The hacker first injected 56 CAKE tokens into the hunnyMinter contract, then called the getReward function in the CakeFlipVault contract, which indirectly triggered the mintFor function in hunnyMinter.

Because the hunnyMinter contract now held the CAKE the hacker had injected, the call could exchange it for a large number of HunnyTokens. In addition, the price of HunnyToken at that time exceeded the fixed value set in the contract, which left room for arbitrage. Hackers then kept arbitraging in the same way until the project team set the fixed exchange ratio hunnyPerProfitBNB to zero.
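The accounting flaw described above, next to a corrected form, as an added Python model (not PancakeHunny's Solidity code and not part of the original analysis). The 3200 ratio and the 56-CAKE transfer come from the article; `MinterModel`, the CAKE price of 1/20 BNB, the fee of 1/100 CAKE and the market price of 1/2000 BNB are constructed assumptions.

```python
from fractions import Fraction

# Constructed model, not PancakeHunny's Solidity. The 3200 ratio and the
# 56-CAKE transfer come from the article; every other number is made up.
HUNNY_PER_PROFIT_BNB = 3200

class MinterModel:
    def __init__(self, cake_price_bnb):
        self.cake_price_bnb = cake_price_bnb   # assumed CAKE -> BNB rate
        self.balance = Fraction(0)             # stands in for balanceOf(minter)

    def transfer_in(self, amount):
        # Anyone can send tokens to a contract address; no call is needed.
        self.balance += amount

    def mint_for_flawed(self, fee):
        # Flaw: the fee is read from the contract's whole balance.
        self.transfer_in(fee)
        to_convert, self.balance = self.balance, Fraction(0)
        return to_convert * self.cake_price_bnb * HUNNY_PER_PROFIT_BNB

    def mint_for_fixed(self, fee):
        # Fix: convert only the amount the vault actually charged.
        self.transfer_in(fee)
        self.balance -= fee
        return fee * self.cake_price_bnb * HUNNY_PER_PROFIT_BNB

def minted(flawed, unsolicited, fee, cake_price_bnb=Fraction(1, 20)):
    """HunnyTokens minted after an unsolicited transfer precedes the fee."""
    m = MinterModel(cake_price_bnb)
    m.transfer_in(unsolicited)
    return m.mint_for_flawed(fee) if flawed else m.mint_for_fixed(fee)

def surplus_bnb(minted_hunny, unsolicited, hunny_price_bnb,
                cake_price_bnb=Fraction(1, 20)):
    """Market value of the minted tokens minus the cost of the transfer."""
    return minted_hunny * hunny_price_bnb - unsolicited * cake_price_bnb

if __name__ == "__main__":
    fee = Fraction(1, 100)
    bad = minted(True, 56, fee)
    good = minted(False, 56, fee)
    print("flawed mint:", float(bad), "fixed mint:", float(good))
    print("surplus at 1/2000 BNB per token:",
          float(surplus_bnb(bad, 56, Fraction(1, 2000))))
```

With the fixed form the minted amount no longer depends on the contract's balance, and the surplus only appears when the market price sits above the hard-coded rate, which is why zeroing hunnyPerProfitBNB stopped the arbitrage.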


(III) Event Review
It is easy to see that this incident is another attack on a fork project on the BSC chain. Taken together with the hacks of fork projects such as Merlin and AutoSharkFinance in May, it shows that the trend of attacks against fork projects on the BSC chain is still developing. Chengdu Chain Security reminds all fork projects to pay special attention to security risks, strengthen their security precautions, and not let their guard down.

At the same time, for the development and innovation of the project itself, we suggest that developers gain a deep understanding of the original project rather than just copying and imitating it. In terms of security in particular, besides keeping in sync with the original project's security protection strategy, they should also draw on third-party security companies and establish an independent security risk control system to deal with all kinds of unexpected security risks.

