0x1 Background of the event

Zero time science and technology blockchain security intelligence platform monitors the message , Beijing time. 2022 year 6 month 6 Japan Binance On the chain Discover Smart contract is attacked by flash loan . At zero hour, the science and technology security team timely analyzed this security incident .

0x2 Attacker information

• Attacker's wallet ：

0x446247bb10B77D1BCa4D4A396E014526D1ABA277

• The attacker contract ：

0x06b912354b167848a4a608a56bc26c680dad3d79

0xfa9c2157cf3d8cbfd54f6bef7388fbcd7dc90bd6

• Attack trading ：

0x8a33a1f8c7af372a9c81ede9e442114f0aabb537e5c3a22c0fd7231c4820f1e9

0x1dd4989052f69cd388f4dfbeb1690a3f3a323ebb73df816e5ef2466dc98fa4a4

• ETHpledge contract ：

0xe732a7bD6706CBD6834B300D7c56a8D2096723A7

0x3 Attack analysis

The attacker's main attack transaction process ：

1. adopt PancakeSwap Flash loans are borrowed separately 2100 gold USD and 19810 gold USD.
2. take 2000 gold USD Transfer to ETHpledge contract 0xe732a.ETHpledge Contract return 62,536 gold Discover.
3. take 19,810 gold USD Return the lightning loan to BSC-USD-Discover.
4. take 62,536 gold Discover Exchange for USD, get 16,336 gold USD.
5. The return 2,100 gold Flash loan , Put the rest USD Exchange for BNB, Profit out .

0x4 Vulnerability details

ETHpledge.team

ETHpledge.pledgein The function of the method is , The caller is transferred to USDT After receiving a certain proportion of the funds Discover Tokens, , Transfer in here USDT The money is in pledgein Method execution , receive Discover The logic of token is ETHpledge.team Method realization , Get the price logic in ETHpledge.getprice Method realization .

Vulnerability resolution

Attacker calls ETHpledge.pledgein The method used to borrow a large amount of money through lightning loans USDT Money , bring usdt.balanceOf Less money , Then call ETHpledge.pledgein Method will be a small amount of USDT into , Then call ETHpledge.getprice Method to get the price , because usdt.balanceOf Reduce , therefore _price smaller ,_swapprice smaller , Of the final transfer amount curTamount The variable increases . So as to exchange Discover The number of tokens increased .

In exchange for a large amount of Discover After the token , The attacker then promptly returned a larger sum USDT Flash loan . Subsequent use Discover Tokens are usually exchanged for more USDT.

0x5 The flow of money

At present, hackers have made profits 49 gold BNB Transfer to Tornado.Cash Mixed currency platform .

 0x6 summary

The attack mainly controlled the price through the lightning loan funds , Cause the exchange quantity to fluctuate , For such security incidents , It is recommended not to use externally controllable funds to obtain prices , Avoid flash loan attacks affecting official and user assets , In addition, a comprehensive safety audit shall be conducted before the contract goes online , Avoid possible safety risks .