Spirit Trace Security: Analysis of the Pinecone Attack

On August 19, 2021, the vault of Pinecone Finance, a yield aggregator on BSC (Binance Smart Chain), was attacked and lost approximately 3.5 million PCT tokens (a market value of roughly US$200,000 at the time).

As of the time of writing, the project team has announced a compensation plan for the users harmed in this attack: the team and investors hold 4.91 million PCT, all of which will be used to compensate affected users.

Although the loss is small compared with the recent exploits measured in tens or hundreds of millions of dollars, this attack still leaves lessons worth learning.

The root cause is that the staking token charges a fee on every transfer, so the amount a contract actually receives is less than the amount passed to transferFrom, and the vault contract does not account for this shortfall. The resulting accounting gap is what the attacker exploited.

Under normal circumstances, transferring a token (ERC-20 or similar) between accounts is straightforward: the recipient's balance grows by exactly the amount sent. But if a token deducts a fee, burns a portion, or otherwise delivers less than the nominal amount (a fee-on-transfer or deflationary token), any contract that accepts it must measure what actually arrived rather than trusting the amount it was asked to move.

In the Pinecone project, the PCT token serves as the staking token of the fund pool, and by design its contract deducts a fee on every transfer. The pool nevertheless credits the depositor with the full nominal amount, so the user's share drifts away from the PCT actually held by the pool. An attacker can exploit this deviation to claim more rewards, and more PCT on withdrawal, than the stake is worth.

Specifically, the contracts involved in this attack are:

The PineconeFarm contract, at address:

0x4099f27fb72788b7bb5cb64e3d2b865eb82d0f8f

The IPineconeStrategy contract used by the farm contract, at address:

0x1e542DB46eb87cc8E5fA8e1856eC53F89dc4bC89

The PCT token contract, at address:

0x6019384a802310117a6E889e7021d2d0A144fE50

The code relevant to the vulnerability is as follows.

PineconeToken's _transfer() function:

[Figure: code snippet of PineconeToken._transfer(); image not reproduced]

Here, transferFrom() in PineconeToken calls _transfer(), which deducts a fee from the transferred amount, so the amount actually credited to the recipient is smaller than the amount passed to transferFrom().

The deposit() function of the PineconeFarm contract:

[Figure: code snippet of PineconeFarm.deposit(); image not reproduced]

In this code, PineconeFarm forwards the deposited PCT to the IPineconeStrategy contract to earn yield. Using the BSC VM trace tool, one can see that this IPineconeStrategy is a VaultRabbitCake contract. PineconeFarm uses _wantAmt, the amount the user asked to deposit, to calculate the user's share, and _wantAmt flows into the following function.

The deposit() function of the strategy contract:

[Figure: code snippet of the strategy contract's deposit(); image not reproduced]

As the code shows, sharesAdded is proportional to _wantAmt, with wantTotal as the denominator, and wantTotal comes from balance(), the total PCT actually locked in the strategy. Because of the transfer fee, the pool's real balance grew by less than _wantAmt while the share calculation still uses the full _wantAmt, so the depositor is credited with more shares than the tokens that arrived justify.

Finally, when the attacker calls withdraw(), passing an amount larger than what was deposited is enough to redeem more PCT than was staked, because the withdrawal is settled against the inflated share balance rather than the tokens actually contributed.

Using this mechanism, the attacker can call deposit() and withdraw() repeatedly. Each round pushes more of the transfer-fee loss onto the pool and shrinks the PCT balance it holds, while the attacker's shares keep being credited at the nominal amount. When rewards are then calculated, the pool balance serves as the denominator, so the smaller it gets, the larger the reward the attacker can claim for the same shares.
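To make the deviation concrete, here is a small Python model of the accounting. It is an added example, not code from Pinecone or from Lingzong Security. It assumes a 5% transfer fee, since the article does not give PCT's actual fee rate, and a generic share-based vault along the lines the analysis describes; the names Alice, Mallory, run_scenario and drain_cycles are illustrative. The flawed path mints shares from the nominal want_amt (the _wantAmt above); the hardened path measures the pool balance before and after the transfer and credits only the difference.

```python
# Model of the share-accounting flaw described above. Added illustration, not
# Pinecone's code. Assumptions: a 5% fee on every transfer (the article does not
# give PCT's real fee) and a generic share-based vault that mints shares from the
# nominal want_amt although the pool balance only grew by what actually arrived.

FEE_BPS = 500  # assumption: 5% transfer fee, in basis points
BPS_DENOM = 10_000


class FeeOnTransferToken:
    """Minimal ERC-20-like token whose transfer() skims a fee, as PCT does."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        fee = amount * FEE_BPS // BPS_DENOM  # the fee is simply burned here
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount - fee
        return amount - fee  # what the recipient actually received


class Vault:
    """Share-based staking pool. hardened=False reproduces the flawed accounting
    (shares from the requested amount); hardened=True measures the balance before
    and after the transfer and credits only the difference."""

    ADDRESS = "vault"

    def __init__(self, token, hardened):
        self.token, self.hardened = token, hardened
        self.total_shares, self.shares = 0, {}

    def balance(self):
        return self.token.balance_of(self.ADDRESS)

    def deposit(self, user, want_amt):
        want_total = self.balance()  # pool balance before the transfer (wantTotal)
        received = self.token.transfer(user, self.ADDRESS, want_amt)
        credited = received if self.hardened else want_amt  # the flaw: trusting want_amt
        if self.total_shares == 0 or want_total == 0:
            shares_added = credited
        else:
            shares_added = credited * self.total_shares // want_total
        self.shares[user] = self.shares.get(user, 0) + shares_added
        self.total_shares += shares_added
        return shares_added

    def withdraw(self, user, want_amt):
        bal = self.balance()
        # an oversized want_amt is capped only by the caller's (inflated) share balance
        shares_removed = min(want_amt * self.total_shares // bal, self.shares.get(user, 0))
        payout = shares_removed * bal // self.total_shares
        self.shares[user] -= shares_removed
        self.total_shares -= shares_removed
        self.token.transfer(self.ADDRESS, user, payout)
        return payout  # PCT leaving the pool (the user receives payout minus the fee)

    def claim_of(self, user):
        return self.shares.get(user, 0) * self.balance() // self.total_shares if self.total_shares else 0

    def reward_split(self, reward):
        # pro-rata by shares: the denominator that inflated shares skew
        return {u: reward * s // self.total_shares for u, s in self.shares.items()}


def run_scenario(hardened):
    """Alice stakes 1000 honestly; Mallory stakes 1000, then withdraws with an
    oversized want_amt as the attacker did. Each net-contributed 950 after the fee."""
    vault = Vault(FeeOnTransferToken({"alice": 1_000, "mallory": 1_000}), hardened)
    vault.deposit("alice", 1_000)
    mallory_shares = vault.deposit("mallory", 1_000)
    split = vault.reward_split(1_000)           # rewards while both are staked
    payout = vault.withdraw("mallory", 10_000)  # far more than was deposited
    return {
        "alice_shares": vault.shares["alice"],
        "mallory_shares": mallory_shares,
        "mallory_reward": split["mallory"],
        "mallory_payout": payout,
        "alice_claim_after": vault.claim_of("alice"),
    }


def drain_cycles(n, hardened=False):
    """Repeat Mallory's deposit/withdraw n times and return Alice's claim after
    each round; in the flawed vault it shrinks every round."""
    vault = Vault(FeeOnTransferToken({"alice": 1_000, "mallory": 1_000 * n}), hardened)
    vault.deposit("alice", 1_000)
    claims = []
    for _ in range(n):
        vault.deposit("mallory", 1_000)
        vault.withdraw("mallory", 10_000)
        claims.append(vault.claim_of("alice"))
    return claims
```

With the flawed accounting, Mallory's nominal 1000 PCT (950 actually received) is credited as 1052 shares against Alice's 1000, so Mallory takes 512 of a 1000-token reward and withdraws 974 PCT from the pool on a 950 contribution; Alice's redeemable balance falls to 926, then 903, then 880 over three repeated rounds. With the hardened accounting every figure stays at 950 and the reward splits evenly. Whether the attacker nets a profit in a single round depends on who bears the fee on the way out and on the rewards accrued in between, which is consistent with the article's observation that the attacker repeated the deposit/withdraw cycle many times.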

After understanding the vulnerability and the mechanism behind it, let's look at one of the hacker's many attack transactions:

In this attack, the hacker's address is 0xfc6682db7e9f57882e8b18ebc9adc7a19f770494, and the transaction sequence is as follows:

[Figure: transaction list for the attacker address; image not reproduced]

[Figure: token transfer summary of the deposit and withdraw transactions; image not reproduced]

The first transaction (hash abbreviated 0xe446f) staked 81,000 PCT, and the subsequent withdrawal (hash abbreviated 0x76d33) took out about 160,000 PCT.

Looking at the parameters of the withdraw transaction, the amount argument is 0x22603495a2af5d0ccc34, which is about 1.62 × 10^23 in decimal, i.e. roughly 162,000 PCT with 18 decimals (rounded to 160,000 in the transfer summary above). This far exceeds the 81,000 PCT that was staked. The details are shown in the figure below:

[Figure: input data of the withdraw transaction; image not reproduced]

Judging from the cause of this attack, tokens that lose value in transit are especially error-prone when used in yield projects. Lingzong Security therefore reminds project teams to fully account for the effect of transfer fees on share and revenue calculations: measure the contract's balance before and after each transfer and credit only the difference, never the amount passed in.

Lingzong Security consistently emphasizes this class of problem to project teams during audits. We also stress once again the importance of auditing and hope that project teams complete a full audit before going live.

About Lingzong Security:

Lingzong Security Technology Co., Ltd. is a company focused on blockchain ecosystem security. It serves many emerging and established projects through an integrated program of "code risk detection + logic risk detection". The company was established in January 2021 by a team with extensive experience in smart contract programming and network security.

Team members have initiated and submitted several draft standards in the Ethereum ecosystem, including ERC-1646, ERC-2569 and ERC-2794, of which ERC-2569 was officially accepted by the Ethereum team.

The team has initiated and built a number of Ethereum projects, including blockchain platforms, DAO organizations, on-chain data storage and decentralized exchanges, and has participated in security audits of multiple projects. Based on this experience, it has built a complete vulnerability tracking and security prevention system.

Author:

Yuefei Tan, CEO of Lingzong Security

Master of Industrial Engineering (Virginia Tech, Blacksburg, VA, USA). Served as a software engineer at AIBT Inc (San Jose, CA, USA), a Silicon Valley semiconductor company, responsible for developing the underlying control system, implementing the equipment manufacturing process in software, designing algorithms, and acting as technical liaison with TSMC. Since 2011 he has worked on embedded, Internet and blockchain technology. He teaches the "Blockchain Introduction" course at the Entrepreneurship College of Shenzhen University, is a visiting researcher at the Blockchain and Intelligence Center of Sun Yat-sen University, and an executive director of the Guangdong Financial Innovation Research Association. He holds 4 blockchain-related patents and has 3 published works.


Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/spirit-trace-security-analysis-of-pinecone-attacked/