Exploiting a bug to “pay yourself a salary”? An analysis of the Daoswap attack

On September 5, 2022 (Beijing time), the CertiK audit team detected an attack on Daoswap that cost the project 580,000 USDT. The attack was possible because the swap-mining reward was greater than the fee charged during a swap, and a missing check allowed users to set the inviter address to themselves.

Attack steps

① The attacker contract received a flash loan of $2.18 million from 12 addresses.

② The attacker contract uses DAORouter to exchange all flash-loaned USDT for DAO tokens. During the swap, the attacker contract receives DAO tokens from SwapToEarn as a reward in two ways:

a. Token reward: paid to the user who performs the swap.

b. Inviter reward: the caller can pass an arbitrary “inviter” address when calling the function, and that referrer also receives a reward. In this case, the attacker contract set the inviter address to itself.

③ The attacker contract uses the same method to exchange all DAO tokens back to USDT to get these two rewards again.

④ The attacker contract repeats steps ② and ③ several times. Because the attacker also receives DAO tokens as a reward, he ends up with more USDT after each round.

⑤ The attacker contract repays all borrowed funds and transfers the remaining USDT amount to the attacker.

Contract Vulnerability

DAOSwap includes a “swap-mining” reward, which is implemented as follows.

[Screenshot: implementation of the swap-mining reward]

After the swap completes in the _swap function, the swapCall function in SwapToEarn.sol is called.

[Screenshots: function _swap, and function swapCall in SwapToEarn.sol]

In the function swapCall, DAO tokens are transferred to the user and the inviter, both of whose addresses are passed as parameters.

[Screenshot: swapCall transferring DAO tokens to the user and the inviter]

When the function is called in _swap, the user is set to the message sender (msg.sender), while the inviter is taken directly from the input parameters.

[Screenshot: the swapCall invocation in _swap, with msg.sender as user and the inviter from the input parameters]

The inviter address can be any address, because it is never validated. The attacker was therefore able to set the inviter to himself and receive the additional reward.

It’s worth noting that the attacker’s reward for acting as the inviter is only about 20% of the total reward. Even if the attacker were not allowed to set the inviter address to himself, the attacker could still profit from the transaction, because the swap reward alone exceeds the fee.
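As an added illustration (not DAOSwap’s code), the simplified swap-mining contract below closes both gaps the analysis identifies: the referrer is bound once in storage and rejected when it equals the caller, and the total reward is checked against the swap fee so that a swap loop can never be net positive. The contract name, the basis-point values, the router interface and the assumption that the swap value is already expressed in reward-token units are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical hardened swap-mining reward contract (assumed names and values,
// not DAOSwap's code). It addresses the two weaknesses described in the analysis.
contract SwapToEarnHardened {
    IERC20 public immutable rewardToken;
    address public immutable router;

    // Rates in basis points of the swap value. The fee actually charged must
    // cover every reward paid out; otherwise repeatedly swapping back and forth
    // is net positive for the swapper. (Assumed example values.)
    uint256 public constant SWAP_FEE_BPS = 30;       // 0.30% charged on the swap
    uint256 public constant USER_REWARD_BPS = 20;    // 0.20% paid to the swapper
    uint256 public constant INVITER_REWARD_BPS = 5;  // 0.05% paid to the referrer
    uint256 private constant BPS = 10_000;

    // The referrer is stored once, so it cannot be chosen per call.
    mapping(address => address) public inviterOf;

    constructor(IERC20 _rewardToken, address _router) {
        // Invariant: rewards never exceed the fee that funds them.
        require(USER_REWARD_BPS + INVITER_REWARD_BPS <= SWAP_FEE_BPS, "rewards exceed fee");
        rewardToken = _rewardToken;
        router = _router;
    }

    // Bind a referrer before the first swap. Self-referral is rejected.
    function register(address inviter) external {
        require(inviter != msg.sender && inviter != address(0), "invalid inviter");
        require(inviterOf[msg.sender] == address(0), "already registered");
        inviterOf[msg.sender] = inviter;
    }

    // Called by the router after a swap. `swapValue` is assumed to be the
    // swapped amount already converted to reward-token units.
    function swapCall(address user, uint256 swapValue) external {
        require(msg.sender == router, "only router");
        require(rewardToken.transfer(user, swapValue * USER_REWARD_BPS / BPS), "transfer failed");
        address inviter = inviterOf[user];   // from storage, not from the caller
        if (inviter != address(0)) {
            require(rewardToken.transfer(inviter, swapValue * INVITER_REWARD_BPS / BPS), "transfer failed");
        }
    }
}
```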

The total profit from 6 trades is about 581,254 USDT.

Related transactions

Transaction ①: https://bscscan.com/tx/0x414462f2aa63f371fbcf3c8df46b9a64ab64085ac0ab48900f675acd63931f23

Transaction ②: https://bscscan.com/tx/0x6c859ae624002e07dac39cbc5efef76133f8af5d5a4e0c42ef85e47d51f82ae0

Transaction ③: https://bscscan.com/tx/0x3b1d631542eb91b5734e3305be54f305f26ab291b33c8017a73dcca5b0c32a1b

Transaction ④: https://bscscan.com/tx/0xa7fdefcd80ba54d2e8dd1ab260495dca547993019d90f7885819bb4670b65bad

Transaction ⑤: https://bscscan.com/tx/0xf1368418344e21a1a09a2c1770ea301bf109ca3b387a59a79242a27d709195a7

Transaction ⑥: https://bscscan.com/tx/0x8eb87423f2d021e3acbe35c07875d1d1b30ab6dff14574a3f71f138c432a40ef

Closing remarks

After the attack, CertiK’s Twitter alert account and official alert system published the news promptly. CertiK will continue to publish project warnings (attacks, scams, rug pulls, etc.) on its official public account.

CertiK’s end-to-end security solutions, from smart contract auditing and KYC background checks on project teams, to blockchain analysis tools such as the Skynet dynamic scanning system and SkyTrace, and bug bounty programs, help each project reach its full potential, while building a Web3.0 ecosystem with high participation from users and investors.

Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/card-bug-open-salary-for-yourself-analysis-of-daoswap-attack-events/
