An article taking stock of the last two weeks of Flashloan vulnerability cases

Since May, BSC ecosystem projects have been continuously hit by flash loan attacks, and the total loss has exceeded $157 million.

According to the May 2021 CipherTrace report, theft, hacking and fraud in the crypto space reached $432 million by the end of April 2021, and DeFi hacks accounted for more than 60% of all hacks, a figure higher than the 25% in 2020. The chart below makes it clear that DeFi hacking cases are increasing year by year, with approximately $130 million stolen in Q2 2021.

Among the many cases of DeFi hacks, the flash loan attack is undoubtedly one of the most frequent types. A flash loan is an unsecured loan that can provide a large amount of money in a short period of time. The loan must be completed in the same transaction in which it is lent, so the borrower must use other smart contracts that help him trade instantly with the loaned funds and close the transaction. This opens up vulnerabilities in the code that hackers can exploit to manipulate pricing and profit.

We have listed the following flash loan hacks from the last two weeks.

  1. PancakeBunny (BSC ecosystem)

On May 19, PancakeBunny was hit by a flash loan attack from an external developer. The hacker used PancakeSwap to borrow a large amount of BNB, and then continued to manipulate USDT/BNB and BUNNY/BNB prices, thus acquiring a large amount of BUNNY and selling it, resulting in a flash crash of BUNNY prices, and finally the hacker used … This flash loan attack resulted in an estimated loss of 114,631.5421 WBNB and 697,245.5699 BUNNY, totaling about $45 million. The price of the BUNNY token once fell below $2, with a maximum drop of over 99% at one point.

  2. Bogged Finance (BSC ecosystem)

On May 22, hackers carried out a flash loan attack against a vulnerability in the staking function of the BOG token contract. The token was designed to be deflationary by charging 5% of the transfer amount. Specifically, of this 5% charge, 1% was destroyed and 4% was used as a fee for staking profits. However, the implementation of the token contract only charges 1% of the transfer amount, but still inflates 4% as staking profit. As a result, the attacker can use borrowing to significantly increase the staked amount and repeatedly make automatic transfers to claim the inflated staking profit. Afterwards, the attacker immediately sells the inflated BOG to gain about $3.6 million in WBNB.
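The fee mismatch described above can be caught by a supply-conservation check in a test suite. The following Python model is an added example, not the BOG contract's code; the class, function and account names are hypothetical and the amounts are constructed.

```python
# Added illustration, not the BOG contract: integer model of the fee accounting.
class FeeToken:
    BURN_BPS = 100    # 1% of each transfer is destroyed (design on the page)
    STAKE_BPS = 400   # 4% of each transfer is credited to stakers as profit

    def __init__(self, charged_bps):
        self.charged_bps = charged_bps  # what transfer() really takes from the amount
        self.balances = {}
        self.reward_pool = 0            # staking profit owed to stakers
        self.total_supply = 0

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.total_supply += amount

    def transfer(self, src, dst, amount):
        charged = amount * self.charged_bps // 10_000
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount - charged
        self.total_supply -= amount * self.BURN_BPS // 10_000
        # Credited regardless of how much was actually charged above.
        self.reward_pool += amount * self.STAKE_BPS // 10_000

    def unbacked(self):
        """Conservation check: tokens owed or held beyond the recorded supply."""
        return sum(self.balances.values()) + self.reward_pool - self.total_supply


def simulate(charged_bps, transfers=10, amount=100_000):
    """Run constructed transfers and return (unbacked tokens, reward pool)."""
    token = FeeToken(charged_bps)
    token.mint("alice", transfers * amount)
    for _ in range(transfers):
        token.transfer("alice", "bob", amount)
    return token.unbacked(), token.reward_pool


if __name__ == "__main__":
    print("charges 1% (as implemented):", simulate(100))
    print("charges 5% (as designed):   ", simulate(500))
```

With the 1% charge, every transfer leaves 4% of its amount credited as staking profit without any holder having paid for it; with the designed 5% charge the check stays at zero.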

  3. AutoShark (BSC ecosystem)

AutoShark was hit by a flash loan attack on May 24. According to SlowMist's analysis:

1). The attacker borrows a large amount of WBNB from Pancake’s WBNB/BUSD pair.

2). The attacker converts half of the WBNB borrowed in step 1 into a large amount of SHARK via Panther’s SHARK/WBNB pair, which increases the amount of WBNB in the pool.

3). The attacker transfers the WBNB and SHARK from steps 1 and 2 into SharkMinter in preparation for the subsequent attack.

4). The attacker calls the getReward function of the WBNB/SHARK strategy pool in the AutoShark project. This function draws a portion of the fees from the user’s profit and rewards the user with SHARK tokens as contribution value; the operation is carried out in the SharkMinter contract.

5). After receiving the LP handling fee taken from the user’s profit, the SharkMinter contract splits the LP into WBNB and SHARK tokens and adds them back into Panther’s WBNB/SHARK pool.

6). Since the attacker already transferred the corresponding tokens into the SharkMinter contract in step 3, the SharkMinter contract, after removing liquidity, adds liquidity using its own WBNB and SHARK balances, which include the balance the attacker injected in step 3. As a result, the contract ends up with the wrong balance for adding liquidity, i.e. the SharkMinter contract mistakenly thinks that the attacker paid a huge amount of fees into the contract.

7). After the SharkMinter contract obtains the fee amount, it calculates the value of the fees through the tvlInWBNB function and then mints SHARK tokens to the user based on that value. However, the value of the LP is calculated by dividing the real-time amount of WBNB in the Panther WBNB/SHARK pool by the total amount of LP, to determine how much WBNB an LP can be exchanged for. high.

8). With both the wrong LP value and the wrong fee amount, the SharkMinter contract arrives at a very large value when calculating the attacker’s contribution, and as a result mints a large number of SHARK tokens to the attacker.

9). The attacker subsequently repays the flash loan by selling SHARK tokens in exchange for WBNB, and then leaves with a profit.

This incident caused the AutoShark token price to flash crash to $0.01, a drop of over 99%.
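Steps 6 and 7 describe two separate accounting errors: counting the contract's whole balance as the fee, and valuing LP from the pool's real-time WBNB reserve. The following Python model is an added example, not SharkMinter code, that sets each next to a hardened alternative; the pool model, function names, the reference price source (for instance a TWAP) and all numbers are assumptions made for illustration.

```python
# Added illustration, not SharkMinter code: toy model of steps 6 and 7.
import math

class Pool:
    """Constant-product WBNB/SHARK pool; swap fees are ignored for simplicity."""
    def __init__(self, wbnb, shark, lp_supply):
        self.wbnb, self.shark, self.lp_supply = wbnb, shark, lp_supply

    def swap_wbnb_in(self, amount):
        k = self.wbnb * self.shark
        self.wbnb += amount
        self.shark = k / self.wbnb      # k stays constant in this model

def lp_value_spot(pool):
    """Step 7 as described: real-time WBNB reserve divided by total LP."""
    return pool.wbnb / pool.lp_supply

def lp_value_fair(pool, ref_price):
    """WBNB per LP the pool would hold at a reference price (WBNB per SHARK)
    taken from outside the pool, e.g. a TWAP. Depends only on k, not on the
    current split of reserves, so a single swap does not move it."""
    k = pool.wbnb * pool.shark
    return math.sqrt(k * ref_price) / pool.lp_supply

def fee_from_balance(balance_after):
    """Step 6 as described: the contract's whole balance counts as the fee."""
    return balance_after

def fee_from_delta(balance_before, balance_after):
    """Hardened: only what arrived during this call counts as the fee."""
    return balance_after - balance_before

def demo():
    pool = Pool(wbnb=1_000.0, shark=100_000.0, lp_supply=10_000.0)
    ref_price = pool.wbnb / pool.shark   # 0.01 WBNB per SHARK before the swap
    before = (lp_value_spot(pool), lp_value_fair(pool, ref_price))
    pool.swap_wbnb_in(9_000.0)           # one large swap inside the transaction
    after = (lp_value_spot(pool), lp_value_fair(pool, ref_price))
    pre_funded, real_fee = 5_000.0, 1.0  # tokens already sitting in the contract
    fees = (fee_from_balance(pre_funded + real_fee),
            fee_from_delta(pre_funded, pre_funded + real_fee))
    return before, after, fees

if __name__ == "__main__":
    print(demo())
```

In this model the spot valuation rises tenfold after one swap while the reference-price valuation is unchanged, and the delta-based fee stays at the amount actually received.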

  4. MerlinLabs (BSC ecosystem)

On May 26, the DeFi yield aggregator MerlinLabs was attacked. This attack was similar to the one on PancakeBunny and caused a loss of 200 ETH.

  5. JulSwap (BSC ecosystem)

On May 27, the DEX and automated liquidity protocol JulSwap was hit by a flash loan attack, and $JULB dropped over 95% in a short time.

  6. BurgerSwap (BSC ecosystem)

The automated market maker BurgerSwap is suspected to have been hit by a flash loan attack, with more than 432,874 Burgers stolen, or about $3.3 million. The attackers have realized profits through 1inch. Some investors have lost almost 97%.

  7. Belt Finance (BSC ecosystem)

On May 29, Belt Finance suffered a flash loan attack. The attackers used flash loans to obtain over $6.2 million in funds from the Belt Finance protocol through 8 transactions, converted most of the funds into anyETH and withdrew them to Ethereum. The loss was $6.2 million.

One thing the hacked projects above have in common is that they all belong to the BSC ecosystem. Since May, BSC ecosystem projects have been continuously hit by flash loan attacks, with a total loss of over $157 million. The huge losses are also a wake-up call for developers: flash loans are something that developers must consider when creating smart contracts.

DeFi has long been considered the new paradigm for the future of finance, and its emergence has allowed us to participate in a whole new range of financial transactions. However, due to the complexity of the technology stack, certain features can be abused in completely unrelated parts of the system, which in turn can cause huge losses. This not only hurts investors, but also tarnishes the project and the industry and discourages people outside the circle.

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/an-article-taking-stock-of-the-last-two-weeks-of-flashloan-vulnerability-cases/