An analysis of four flash loan attacks on Binance Smart Chain (BSC)

Every time a new platform is attacked, the managers of other platforms should become more vigilant and immediately check and review their own code for the same or similar vulnerabilities, so as to protect their reputation and the safety of funds.

In just over 20 days in May 2021, four flash loan arbitrage attacks occurred on Binance Smart Chain (BSC), with total losses well over $78 million. The four attacks share similar techniques and principles. ZhiFan Technology summarizes and compares the attack principles and techniques of the four incidents, in the hope that project teams and users will be more alert.

Before analyzing the BSC on-chain security incidents, a few basic concepts need to be understood, such as what a flash loan is and how a DeFi project generates returns.

What is a flash loan

A flash loan is a loan that is borrowed and repaid within a single on-chain transaction, without collateral. Because one transaction can contain multiple operations, developers can insert other on-chain operations between the borrowing and the repayment, which makes this kind of lending far more flexible and useful. The mechanism guarantees that users can borrow and repay without collateral: if the funds are not returned, the transaction is reverted, i.e. all operations performed before that point are undone, which protects the protocol and its funds.
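The atomic borrow-then-repay behaviour described above, as an added toy model that is not code from any of the protocols discussed: the lender hands out funds, the borrower's callback runs arbitrary operations, and if the lender has not been made whole (principal plus fee) by the time the callback returns, every balance change made since the loan started is rolled back. The ledger, account names and amounts are constructed for the example.

```python
import copy


class Revert(Exception):
    """Models an EVM revert: all state changes of the transaction are discarded."""


class Ledger:
    """Constructed token ledger; every balance change in the transaction goes through it."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def flash_loan(ledger, lender, borrower, amount, fee, callback):
    """Lend with no collateral for the duration of one transaction."""
    snapshot = copy.deepcopy(ledger.balances)
    try:
        owed = ledger.balances[lender] + fee          # lender must end up with at least this
        ledger.transfer(lender, borrower, amount)
        callback(ledger)                               # borrower's arbitrary operations
        if ledger.balances[lender] < owed:
            raise Revert("flash loan not repaid within the same transaction")
    except Revert:
        ledger.balances = snapshot                     # atomic rollback, callback effects included
        raise
    return ledger.balances


def honest_use(ledger):
    # Borrower earns 10 elsewhere during the loan, then repays 100 principal + 1 fee.
    ledger.transfer("market", "borrower", 10)
    ledger.transfer("borrower", "lender", 101)


def unrepaid(ledger):
    # Borrower moves the loan out and never repays; the whole transaction must revert.
    ledger.transfer("borrower", "somewhere", 100)


def run(callback):
    """Return the final ledger: updated on success, untouched after a revert."""
    ledger = Ledger({"lender": 1000, "borrower": 0, "market": 50})
    try:
        flash_loan(ledger, "lender", "borrower", 100, 1, callback)
    except Revert:
        pass
    return ledger.balances
```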

Profit model of a DeFi project

Take PancakeSwap as an example. It is an automated market maker (AMM) platform on Binance Smart Chain where users can trade digital assets, but unlike traditional trading models, they trade against liquidity pools. These pools hold funds accumulated from other users. Users deposit funds into a pool and receive liquidity provider (LP) tokens; they can later redeem these tokens for their share of the pool's funds and earn a portion of the trading fees. In short, users can trade tokens on the platform and also earn rewards for adding liquidity.

1. Purpose of analysis

Sort out the causes of the incidents

Summarize the hacking techniques

Security tips for project teams and users

2. Event analysis

AutoShark Finance

On May 25, 2021 (Beijing time), AutoShark Finance, a DeFi protocol on BSC, was hit by a flash loan attack.

The attacker minted 100 million SHARK tokens and sold them in large quantities within a short time, causing the SHARK price to flash-crash from $1.20 to $0.01. The funds of all users in the pool remained safe, and the attack caused no loss of funds for the project.

The attacker exploited a vulnerability in the getReward function of the project's WBNB/SHARK strategy pool (the balance used to add liquidity was calculated incorrectly), and thereby used the SharkMinter contract to mint a large number of SHARK tokens for profit.

The attacker first borrowed a large amount of WBNB from PancakeSwap, swapped it for a large amount of SHARK in the AutoShark SHARK/WBNB pool, and deposited both tokens into the SharkMinter contract while the amount of WBNB in the pool was inflated. The contract mistakenly treated the attacker as having paid a huge amount of fees into it, and because of the very high WBNB balance it calculated a wrong LP value.

When tallying the attacker's contribution, the contract therefore arrived at a very large value, and the SharkMinter contract minted a large amount of SHARK tokens to the attacker.

[Figure: screenshot of the AutoShark attack transaction]

Bogged Finance loses $3.62 million to a flash loan attack

On May 22, 2021 (Beijing time), ZhiFan Technology tracked and found that Bogged Finance, a DeFi protocol on the BSC chain, had been hacked: a flash loan arbitrage attack on a logic error in the _txBurn function of the BOG token contract.

In the BOG contract, all transfers should have been charged a 5% transaction fee, while transfers to oneself were allowed with only a 1% fee deducted during the self-transfer.

In this attack, however, the attacker increased the staked amount through a flash loan, then used a contract to add a large amount of liquidity for liquidity mining, exploited the gap in how self-transfers were checked (the transfer address is not verified in the _transferFrom function) to profit repeatedly from self-transfers, and finally removed the liquidity to complete the attack.

[Figure: screenshot of the Bogged Finance attack transaction]

PancakeBunny flash loan attack loses over $45 million

PancakeBunny is a yield aggregator associated with PancakeSwap, the decentralized exchange with the largest TVL on the BSC chain.

On May 20, 2021 (Beijing time), ZhiFan Technology tracked and found that the attacker exploited a contract vulnerability: they flash-borrowed large sums from the PancakeSwap and ForTube liquidity pools, kept increasing the amount of BNB in the BNB-BUNNY pool, and then minted about 7 million BUNNY tokens through the bunnyMinterV2 contract. After swapping part of them for BNB to repay the flash loan, the attacker still kept a profit of 697,000 BUNNY and 114,000 BNB.
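The AutoShark and PancakeBunny incidents above share one root cause: a minter that values a user's LP contribution from the pool's live reserves can be fooled by a flash loan that skews those reserves inside the same transaction. As an added illustration (not AutoShark's, PancakeBunny's or PancakeSwap's code), the block below contrasts that spot valuation with one derived from the pool invariant k = x * y and an external reference price, which is assumed to come from a TWAP or oracle; the pool size, swap fee and swap amount are constructed.

```python
import math


def spot_lp_value_in_wbnb(reserve_token, reserve_wbnb, lp_supply):
    """Naive valuation: price the platform token at the pool's current spot price.
    Since spot = reserve_wbnb / reserve_token, the pool is valued at 2 * reserve_wbnb,
    so swapping a flash-loaned pile of WBNB into the pool inflates every LP token."""
    spot = reserve_wbnb / reserve_token
    return (reserve_token * spot + reserve_wbnb) / lp_supply


def fair_lp_value_in_wbnb(reserve_token, reserve_wbnb, lp_supply, ref_price):
    """Manipulation-resistant valuation: keep only k = x * y from the pool and take the
    token price (in WBNB) from a reference outside the transaction. A swap moves the
    reserves along the curve but leaves k unchanged apart from the fee it pays in."""
    k = reserve_token * reserve_wbnb
    fair_token = math.sqrt(k / ref_price)   # reserves the pool would hold at ref_price
    fair_wbnb = math.sqrt(k * ref_price)
    return (fair_token * ref_price + fair_wbnb) / lp_supply


def swap_wbnb_for_token(reserve_token, reserve_wbnb, wbnb_in, fee=0.0025):
    """Constant-product swap; the fee rate is a constructed value for this example."""
    net_in = wbnb_in * (1 - fee)
    token_out = reserve_token * net_in / (reserve_wbnb + net_in)
    return reserve_token - token_out, reserve_wbnb + wbnb_in


def manipulation_impact(wbnb_in=9_000.0):
    """Value one LP token before and after a large in-transaction WBNB swap.
    Returns (spot_before, spot_after, fair_before, fair_after)."""
    token, wbnb, supply, ref_price = 1_000_000.0, 1_000.0, 1_000.0, 0.001  # constructed pool
    spot_before = spot_lp_value_in_wbnb(token, wbnb, supply)
    fair_before = fair_lp_value_in_wbnb(token, wbnb, supply, ref_price)
    token, wbnb = swap_wbnb_for_token(token, wbnb, wbnb_in)
    return (spot_before, spot_lp_value_in_wbnb(token, wbnb, supply),
            fair_before, fair_lp_value_in_wbnb(token, wbnb, supply, ref_price))
```

With these numbers the spot valuation of an LP token jumps tenfold (2.0 to 20.0 WBNB) after the swap, while the invariant-based valuation moves by roughly 0.1%, which is only the swap fee that entered the pool.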

[Figure: screenshot of the PancakeBunny attack transaction]

Spartan Protocol attacked, losing about $30 million

On May 2, 2021 (Beijing time), the DeFi project Spartan Protocol was hit by a flash loan attack. SpartanSwap uses THORChain's AMM algorithm.

This algorithm uses a liquidity-sensitive fee to solve the liquidity cold-start and slippage problems, but the algorithm has a flaw.

As in the previous flash loan attacks, the attacker first borrowed WBNB from PancakeSwap, then swapped the WBNB for SPARTAN and deposited it into the liquidity pool in exchange for LP tokens.

When liquidity is removed, the pool's real-time token balances are used to calculate how many tokens the user's LP tokens correspond to. Because of the algorithm flaw (there is no slippage correction when removing liquidity), more tokens are obtained at that point than were put in when adding liquidity, so the attacker can simply repeat adding and then removing liquidity to extract extra tokens as profit.
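An added model of the add/remove asymmetry described above, constructed for this page rather than taken from Spartan Protocol or THORChain, together with the invariant check a project can run against it: the sqrt(k) backing each liquidity unit must never fall as a result of one user's add-then-remove cycle. A one-sided deposit credited at the spot price with no slip correction stands in for the missing slippage correction; the pool sizes and deposit are constructed.

```python
import math


class ToyPool:
    """Constructed x*y=k pool with liquidity units (not Spartan Protocol's code)."""

    def __init__(self, x, y, units):
        self.x, self.y, self.units = float(x), float(y), float(units)

    def k_per_unit(self):
        # sqrt(k) backing each liquidity unit. A single user's add-then-remove cycle must
        # never lower it; if it does, that user was paid out of the other LPs' share.
        return math.sqrt(self.x * self.y) / self.units

    def add_proportional(self, dx):
        # Safe: deposit both assets at the pool ratio; units pro-rata to the share added.
        dy = dx * self.y / self.x
        minted = self.units * dx / self.x
        self.x, self.y, self.units = self.x + dx, self.y + dy, self.units + minted
        return minted

    def add_single_sided_at_spot(self, dx):
        # Flawed: credit a one-sided deposit at the current spot price with no slip
        # correction, so a large deposit is over-credited relative to the pool.
        minted = self.units * (dx * self.y / self.x) / (2 * self.y)
        self.x, self.units = self.x + dx, self.units + minted
        return minted

    def remove(self, units):
        # Pro-rata redemption against the live reserves.
        share = units / self.units
        out_x, out_y = self.x * share, self.y * share
        self.x, self.y, self.units = self.x - out_x, self.y - out_y, self.units - units
        return out_x, out_y

    def swap_y_for_x(self, dy):
        # Fee-free constant-product swap, used only to express the cycle's result in x.
        out_x = self.x * dy / (self.y + dy)
        self.x, self.y = self.x - out_x, self.y + dy
        return out_x


def cycle(single_sided, value=5000.0):
    """Deposit `value` (measured in x at the initial price of 1), remove at once, convert
    everything back to x. Returns (k_per_unit after / before, x recovered)."""
    pool = ToyPool(10_000, 10_000, 10_000)
    before = pool.k_per_unit()
    minted = pool.add_single_sided_at_spot(value) if single_sided else pool.add_proportional(value / 2)
    out_x, out_y = pool.remove(minted)
    recovered_x = out_x + pool.swap_y_for_x(out_y)
    return pool.k_per_unit() / before, recovered_x
```

The proportional cycle leaves the ratio at exactly 1.0 (the 4500 x recovered reflects only the price impact of converting 2500 y back), whereas the single-sided cycle returns about 0.98 and 5400 x for a 5000 x deposit, and every repetition drains the remaining LPs further.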

[Figure: screenshot of the Spartan Protocol attack transaction]

3. Summary of BSC on-chain attack techniques

Attackers raise funds through a flash loan platform on BSC (PancakeSwap)

Deploy automated contracts to swap between BNB and the platform's tokens

Deposit tokens into the platform's contract pool to receive LP token rewards

Return the borrowed flash loan funds

Quickly transfer the acquired assets to Ethereum via a cross-chain bridge (Nerve)

Step 1: The attacker obtains a large sum from the lending platform

Step 2: Deploys an automated attack contract against the exchange's price oracle

Step 3: Profits from the token price difference (arbitrage)

Step 4: Returns the flash loan funds

Step 5: Transfers the profits cross-chain to Ethereum to avoid being traced

4. Security tips

From the above analysis we can see that starting from a logic vulnerability on the project side is a very common way for hackers to profit. Every time a new platform is attacked, the managers of other platforms should become more vigilant and immediately check and review their own code for the same or similar vulnerabilities, so as to protect their reputation and the safety of funds.

At the same time, ZhiFan Technology reminds users that when a project is attacked, they need to pay closer attention to projects on the same chain and to similar projects. If a user has invested in a similar project, it is all the more important to look at that project's code and at whether any security assessment of it has been published, to help judge whether the project is safe.

Posted by: CoinYuppie