Cause of the incident
On May 28, 2021, it was reported that JulSwap, a DEX protocol and automated liquidity protocol on the BSC chain, was attacked by lightning lending, and KnowCreative Blockchain Security Lab was the first to analyze the attack and share the results of the attack briefly for reference and research.
- The transaction records show that the attacker borrowed 70,000 JULB tokens through the lightning loan, and then called the JULB-WBNB transaction pair for exchange to get 1400 BNBs, at which point the attacking contract had 1400 WBNBs in it.
- The attacking contract then calls the addBNB function of the JulProtocolV2 contract (0x41a2F9AB325577f92e8653853c12823b35fb35c4) to perform collateral mining. The function is to transfer in WBNB, the contract will calculate the corresponding number of JULB tokens needed to add liquidity mining, and then will record the number of transferred WBNB for collateral mining, the function code is shown below.
- Since the lightning loan exchanged for WBNB, the JulProtocolV2 contract incorrectly calculated that 14.4w JULB tokens could add liquidity to the trading pair with 515 WBNB and transferred the lp tokens to the JulProtocolV2 contract. At this point the attacking contract has 885 WBNBs left.
- The attacker then converts the remaining WBNB to JULB. Since a large number of JULB tokens are added to the pair for liquidity, only 363 WBNB are needed to exchange 7w JULB tokens for loan repayment, leaving 885-363=522 WBNB in the contract. The attacker completed a lightning loan arbitrage by transferring these WBNB to the wallet address.
The CEO of JULBSWAP tweeted on twitter that the incident was due to the arbitrage caused by the lightning loan, the official will replace the new version and try to start buying back JULB tokens to compensate users. The lab will continue to follow up if there are new developments in the follow-up, and we remind all project parties to do a good job of code audit testing in the defi project, especially in some changes to the original functional requirements must do a good job of data testing and security control.
Posted by:CoinYuppie，Reprinted with attribution to:https://coinyuppie.com/julswap-lightning-loan-attack-analysis-and-incident-follow-up/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.