CertiK first release: analysis of the million-dollar FEG flash loan attack, a crypto version of the lossless "reverse credit card" scheme

At 4:22:49 a.m. on May 16, 2022 (Beijing time), the CertiK security technical team detected that FEG had suffered a large-scale flash loan attack on the Ethereum and BNB chains, resulting in a loss of assets worth about $1.3 million.

The attack was caused by a vulnerability in the "swapToSwap()" function, which treats the user-supplied "path" parameter as a trusted party without screening or validating it. As a result, an unauthenticated "path" address is granted the right to spend the current contract's assets.

Therefore, by repeatedly calling "depositInternal()" and "swapToSwap()", the attacker can obtain unrestricted permission to use the current contract's assets and thereby steal everything the contract holds.

One of the affected contract addresses: https://bscscan.com/address/0x818e2013dd7d9bf4547aaabf6b617c1262578bc7

Vulnerability transaction

Vulnerability address: https://bscscan.com/address/0x73b359d5da488eb2e97990619976f2f004e9ff7c

Vulnerable transaction sample: https://bscscan.com/tx/0x77cf448ceaf8f66e06d1537ef83218725670d3a509583ea0d161533fda56c063

Stolen Funds Tracking: https://debank.com/profile/0x73b359d5da488eb2e97990619976f2f004e9ff7c/history

Related addresses

Attacker address: https://bscscan.com/address/0x73b359d5da488eb2e97990619976f2f004e9ff7c

Attacker contract: https://bscscan.com/address/0x9a843bb125a3c03f496cb44653741f2cef82f445

FEG token address: https://bscscan.com/token/0xacfc95585d80ab62f67a14c566c1b7a49fe91167

FEG Wrapped BNB(fBNB): https://bscscan.com/address/0x87b1acce6a1958e522233a737313c086551a5c76#code

Attack steps

The following attack flow is based on this vulnerability transaction: https://bscscan.com/tx/0x77cf448ceaf8f66e06d1537ef83218725670d3a509583ea0d161533fda56c063

① The attacker borrows 915 WBNB and deposits 116 BNB into fBNB.

② The attacker creates 10 addresses for use in the subsequent attack.


③ The attacker deposits fBNB into the contract FEGexPRO by calling “depositInternal()”.

"_balances2[msg.sender]" is credited according to the current balance of the calling address.


④ The attacker calls “swapToSwap()”, and the path parameter is the address of the previously created contract.

This function grants "path" the right to use the 114 fBNB held by the FEGexPRO contract.


⑤ The attacker repeatedly calls "depositInternal()" and "swapToSwap()" (steps ③ and ④), so that multiple addresses (created in step ②) acquire fBNB tokens, for the following reasons:

  • Every time "depositInternal()" is called, "_balances2[msg.sender]" increases by about 114 fBNB.
  • Every time "swapToSwap()" is called, the contract created by the attacker obtains the right to spend those 114 fBNB.

⑥ Since the attacker controls 10 addresses, and each of them can spend 114 fBNB from the attacked contract, the attacker can steal all the fBNB in that contract.


⑦ The attacker repeats steps ④⑤⑥ to exhaust FEG tokens in the contract.


⑧ Finally, the attacker sells all the drained assets, repays the flash loan, and keeps the remaining profit.
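To make the two defects described above (the "path" parameter trusted without validation, and "depositInternal()" crediting the caller again on each call, as in steps ③ to ⑥) concrete, the following added example shows the pattern in a hypothetical vault beside a hardened version. It is illustrative code written for this analysis, not FEGexPRO's source: the contract names, the "ISwapPath" interface, and the "recorded"/"balances" bookkeeping are assumptions used to reproduce the behaviour the text describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC-20 surface used by both vaults (assumed interface).
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

// Interface the vault expects a "path" (router) contract to implement (assumed).
interface ISwapPath {
    function swapFrom(address token, uint256 amount) external;
}

// VULNERABLE PATTERN: hypothetical reconstruction of the two defects, not FEGexPRO's code.
contract VulnerableVault {
    IERC20 public immutable token;
    uint256 private recorded;                      // last balance the vault accounted for
    mapping(address => uint256) public _balances2; // per-user internal balance

    constructor(IERC20 t) { token = t; }

    // Defect 1: credits the caller with however much the vault's balance grew since
    // the last bookkeeping, not with what the caller actually transferred in.
    function depositInternal() external {
        uint256 current = token.balanceOf(address(this));
        uint256 credited = current - recorded;
        _balances2[msg.sender] += credited;
        recorded = current;
    }

    // Defect 2: approves an arbitrary caller-supplied "path" to spend vault tokens,
    // assumes the tokens left, and never revokes the allowance. If "path" does not
    // pull the tokens, the next depositInternal() re-credits the same amount.
    function swapToSwap(address path) external {
        uint256 amt = _balances2[msg.sender];
        _balances2[msg.sender] = 0;
        recorded -= amt;                 // bookkeeping says tokens are gone
        token.approve(path, amt);        // standing allowance for any address
        ISwapPath(path).swapFrom(address(token), amt);
    }
}

// HARDENED PATTERN: explicit amounts, allow-listed router, verified outflow,
// and no residual allowance after the call.
contract HardenedVault {
    IERC20 public immutable token;
    address public immutable owner;
    mapping(address => bool) public allowedPath;
    mapping(address => uint256) public balances;

    constructor(IERC20 t) { token = t; owner = msg.sender; }

    function setPath(address path, bool ok) external {
        require(msg.sender == owner, "not owner");
        allowedPath[path] = ok;
    }

    // Credit only what transferFrom actually moved into the vault.
    function deposit(uint256 amount) external {
        uint256 before = token.balanceOf(address(this));
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        uint256 received = token.balanceOf(address(this)) - before;
        balances[msg.sender] += received;
    }

    function swapVia(address path, uint256 amount) external {
        require(allowedPath[path], "path not allowed");      // no caller-chosen spender
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        uint256 before = token.balanceOf(address(this));
        require(token.approve(path, amount), "approve failed");
        ISwapPath(path).swapFrom(address(token), amount);
        require(token.approve(path, 0), "approve reset failed"); // no standing allowance
        // Internal accounting must match what really left the vault.
        require(token.balanceOf(address(this)) == before - amount, "outflow mismatch");
    }
}
```

In the vulnerable contract, a single 114-token deposit can be re-credited on every depositInternal() call as long as the approved "path" leaves the tokens in place, and each swapToSwap() call hands a fresh 114-token allowance to whatever address the caller names; ten such addresses cover more than the vault holds, which is the situation step ⑥ describes. The hardened version closes both gaps: the spender must be on an owner-maintained allow-list, the user's balance is derived from transferFrom rather than from a balance delta, the allowance is zeroed after the router call, and the real token outflow is checked against the amount debited.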

Where the funds went

As of 6:43 on May 16, 2022, the stolen funds were still held in the attacker's wallet (0x73b359d5da488eb2e97990619976f2f004e9ff7c) on the Ethereum and BSC chains.

The attacker's initial funding came from Tornado Cash on Ethereum and BSC: https://etherscan.io/tx/0x0ff1b86c9e8618a088f8818db7d09830eaec42b82974986c855b207d1771fdbe

https://bscscan.com/tx/0x5bbf7793f30d568c40aa86802d63154f837e781d0b0965386ed9ac69a16eb6ab

The attacker hit 13 FEGexPRO contracts in total.

[Overview table of the 13 attacked FEGexPRO contracts: image not reproduced]

Posted by:CoinYuppie,Reprinted with attribution to:https://coinyuppie.com/certik-first-release-encrypted-version-of-lossless-reverse-credit-card-profit-million-dollar-feg-flash-loan-attack-incident-analysis/