Review｜Analysis of IT token hacking

By:Sissice

background

On March 14, 2024, according to intelligence from the SlowMist security team, the IT token on the BSC chain was attacked, and the attacker made a profit of approximately US$15,200. The SlowMist security team analyzed the attack incident and shared the results as follows:

(https://twitter.com/SlowMist_Team/status/1768104947541840111)

Related Information

Attacker address:

0xB495573Cd2246e7cc7D6d2B37d779463295e5ab0

Attack contract address:

0x9A2287E3122441F9657bB01b5f8c3cAbB3F4C6f2

Attack transaction:

0xdd2c446bbc98acb6649f949108536438c1d2bdd728955b4166d0efcde81c55aa

0x0c8e64ed42c360b5bbc1ac9cf31c3d6fd66f0f2ab014ef3df00220b3846963af

0x5e7ecbef2cab00144f427fe167c854710df1373853c43f268827b88ad845f976

0x6a951db7d919a0ac4e3085c88d341475542ba83628585eb808f6b9e5b668bb52

0xb33057f57ce451aa8cbb65508d298fe3c627509cc64a394736dace2671b6dcfa

Attack the core

The attacker uses the transfer function in IT tokens to issue additional tokens to the pool based on the number of exchange tokens, gradually increasing the reserve of IT tokens in the pool, thereby manipulating prices, and continuously redeeming BSC- in the pool. USD profit.

transaction analysis

1. The attacker first borrows a flash loan of 2000 BSC-USD to attack the contract.

2. Then the attacker used 100 BSC-USD to perform three consecutive transfer-swap operations in the pancake pool (0xcfbb39).

The attacker will transfer the specified amount of IT and BSC-USD tokens to the attack contract (0xcfbb39) when swapping in 0x7265_PancakePair. Then follow the logic in the IT token transfer function. When the IT token is transferred out of 0x7265_PancakePair, the mintToPoolIfNeeded function will be called to issue additional tokens to the pool.

However, the number of minted tokens is calculated based on the number of transferred tokens and the reserve amount of tokens in the pool, which results in the reserve of IT tokens in the pool increasing each time a loan is taken, while the value of tokenUsdtRate continues to decrease. , then the value of tokenMinReserveAfterBuy will continue to increase, and finally more IT tokens are minted in the pool. The attacker uses this to control the price of the tokens during each exchange, so that it can use a fixed 100 BSC-USD to Take out the BSC-USD tokens in the pool.

3. After the above three repeated operations, the attacker finally extracted an additional 208 BSC-USD from the pool, and used these profits to exchange for a large number of self-created tokens (0x7c82a1) in the 0xcaba_PancakePair pool, driving up the currency price.

4. The attacker repeated the attack 4 times using the same method. After all attacks were completed, he smashed the market and used the garbage token (0x7c82a1) in his hand to make a profit by dumping BSC-USD.

This method of using the profits from attack transactions to drive up the price of junk tokens, then smashing the market and then reversing the profits after the attack is completed, hides the flow of funds from the attack transactions. And since spam tokens are created by attackers, their transfer function does not emit events. If viewed in most on-chain analysis tools, there will be an illusion that the attacker has not profited.

Summarize

The core of this attack is that every time IT tokens are transferred out of the pool, it will cause more tokens to be minted in the pool, allowing the price of tokens in the pool to be manipulated. The SlowMist security team recommends that project parties should consider the impact of direct changes in pool reserves on token prices when designing token models to avoid token transfers that significantly affect the balance of the pool.

热点：token IT TOKEN