According to SlowMist, Impossible Finance, a DeFi project on BSC, was hit by a flash loan attack. The SlowMist security team stepped in immediately to analyze the incident and shares the results below.
Analysis of the attack details
Impossible Finance’s DEX architecture is modeled on Uniswap v2 but differs in its Pair implementation. The Impossible Pair implements two interfaces, cheapSwap and swap. The cheapSwap function can only be called by the Router contract, while the swap function can be invoked by any user to exchange tokens. The root cause of this attack lies in this special token exchange architecture, so we analyze the attack in detail below.
First, the attacker used a flash loan to borrow a large amount of WBNB from PancakeSwap and eventually exchanged it for IF (Impossible Finance tokens).
The attacker then created a token, AAA (BBB), under his control and added liquidity for it together with the IF tokens obtained in the previous step.
The attacker then converted the AAA tokens to BUSD tokens by passing a customized exchange path (AAA -> IF -> BUSD) through the Router, and the problem occurred during this exchange. From the on-chain logs, we can easily see that the attacker performed two conversion operations during the conversion of AAA tokens to IF tokens.
Why is the swap operation performed twice during a single exchange?
By analyzing the internal call flow, we can see that when the Router contract calls the transferFrom function of the AAA contract to transfer AAA tokens to the Pair contract, the attacker calls the swap function of the Pair contract at the same time (i.e., the transferFrom function of the AAA token implements both the logic of a normal transfer and a swap call). The normal token exchange is then performed by cheapSwap, as expected by the project design.
From the above analysis, we can see that during one token exchange the attacker performs two token exchange operations, one by calling the swap function and one through the cheapSwap function, and finally receives additional BUSD tokens. In theory, though, each swap operation changes the K value, which should ultimately prevent the user from getting the expected tokens.
However, by analyzing the logic of Impossible Pair’s swap and cheapSwap functions, we find a surprising situation: the swap function performs a K-value check, while the cheapSwap function only performs an update operation, without a K-value check. This allows the attacker to perform multiple exchange operations and obtain additional BUSD.
- The attacker first borrows WBNB via a PancakeSwap flash loan and converts the WBNB into IF tokens.
- The attacker creates a malicious token contract AAA (BBB) and adds liquidity for AAA tokens and IF tokens in Impossible.
- The attacker exchanges AAA tokens for BUSD tokens via the AAA -> IF -> BUSD path. While the AAA tokens are being transferred into the Pair contract to be exchanged for IF tokens, an IF-to-BUSD exchange is performed, followed by the normal cheapSwap operation. As a result, additional BUSD tokens are obtained.
- The attacker then repeats the above operations to make a profit.
The core of this attack is that no K-value check is performed in the cheapSwap function, which allows the attacker to obtain additional tokens by performing multiple exchange operations during a single exchange. The SlowMist security team recommends that DeFi protocols that innovate on top of other projects fully check and validate their new model to avoid such security incidents.
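The effect of the missing check can be seen in a simplified model, added here as an example and not Impossible Finance's contract code. It assumes a single constant-product pair, no fees, constructed reserves, and a Router that, as in Uniswap v2, computes the output amount before the tokens are transferred; `Pair`, `routed_trade`, `nested_swap` and `run` are hypothetical names.

```python
class InvariantError(Exception):
    """Raised where the on-chain pair would revert."""

def quote_out(amount_in, reserve_in, reserve_out):
    # Constant-product quote; fees are ignored (simplifying assumption).
    return amount_in * reserve_out // (reserve_in + amount_in)

class Pair:
    def __init__(self, reserve_in, reserve_out, check_k_in_cheap_swap):
        self.r_in, self.r_out = reserve_in, reserve_out
        self.check_k = check_k_in_cheap_swap

    def _settle(self, amount_in, amount_out, enforce_k):
        new_in, new_out = self.r_in + amount_in, self.r_out - amount_out
        if enforce_k and new_in * new_out < self.r_in * self.r_out:
            raise InvariantError("K decreased")
        self.r_in, self.r_out = new_in, new_out
        return amount_out

    def swap(self, amount_in, amount_out):        # callable by anyone, checks K
        return self._settle(amount_in, amount_out, True)

    def cheap_swap(self, amount_in, amount_out):  # Router-only, trusts the Router's amount
        return self._settle(amount_in, amount_out, self.check_k)

def routed_trade(pair, amount_in, transfer_hook=None):
    # Router flow: quote first, move tokens (hook runs here), then cheap_swap.
    amount_out = quote_out(amount_in, pair.r_in, pair.r_out)
    if transfer_hook:
        transfer_hook(pair)  # models code executed inside a token's transferFrom
    return pair.cheap_swap(amount_in, amount_out)

def nested_swap(pair, amount_in=1_000):
    # A regular swap at the current price; on its own it passes the K check.
    return pair.swap(amount_in, quote_out(amount_in, pair.r_in, pair.r_out))

def run(check_k):
    pair = Pair(10_000, 10_000, check_k)  # constructed reserves
    k_before = pair.r_in * pair.r_out
    try:
        routed_trade(pair, 1_000, transfer_hook=nested_swap)
        status = "executed"
    except InvariantError:
        status = "reverted"  # on-chain, the whole transaction would roll back
    return status, k_before, pair.r_in * pair.r_out

if __name__ == "__main__":
    print(run(False))  # cheapSwap without a K check
    print(run(True))   # cheapSwap with the same K check as swap
```

Without the check, the second payout uses an amount computed on reserves that the nested swap has already changed, so K falls; with the check, the same call fails.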
Posted by: CoinYuppie. Reprinted with attribution to: https://coinyuppie.com/the-unbelievable-hacking-tour-impossible-finance-hacking-analysis/