• Advertise
  • Submit a Press Release
NewsBTC
Bitcoin & cryptocurrency news
Crypto.com Logo
  • Home
  • News
    • Bitcoin
    • Ethereum
    • Cardano
    • Dogecoin
    • Ripple
    • DeFi
    • NFT
    • Sponsored
    • Press Releases
  • Analysis
    • Bitcoin (BTC)
    • Ethereum (ETH)
    • Cardano (ADA)
    • Chainlink (LINK)
    • Litecoin (LTC)
    • Tezos (XTZ)
    • Zcash (ZEC)
    • EOS
    • YearnFinance (YFI)
  • Trading Course
  • Directory
    • Crypto Businesses
    • Bitcoin Brokers
    • Casinos
    • Sportsbooks
  • Play GamesTry
  • Bet & WinTry
No Result
View All Result
  • Home
  • News
    • Bitcoin
    • Ethereum
    • Cardano
    • Dogecoin
    • Ripple
    • DeFi
    • NFT
    • Sponsored
    • Press Releases
  • Analysis
    • Bitcoin (BTC)
    • Ethereum (ETH)
    • Cardano (ADA)
    • Chainlink (LINK)
    • Litecoin (LTC)
    • Tezos (XTZ)
    • Zcash (ZEC)
    • EOS
    • YearnFinance (YFI)
  • Trading Course
  • Directory
    • Crypto Businesses
    • Bitcoin Brokers
    • Casinos
    • Sportsbooks
  • Play GamesTry
  • Bet & WinTry
No Result
View All Result
NewsBTC
No Result
View All Result
BSC Flash Loan Attack
Nexo Logo

BSC Flash Loan Attack: The Three Copycats

NewsBTC by NewsBTC
11 months ago
in Company News
Reading Time: 6 mins read
Advertisement

A series of attacks compromised several Binance Smart Chain (BSC) projects in May. Following PancakeBunny, its three forks projects — AutoShark, Merlin Labs, and PancakeHunny — were also attacked using similar techniques. PancakeBunny suffered the most costly attack of the four, which saw nearly $45M in total damages. In this article, Dr. Chiachih Wu, Head of the Amber Group Blockchain Security Team, elaborates on the details behind the attacks on the three copycats.

Copycats

AutoShark was attacked five days after PancakeBunny, followed by Merlin Labs and PancakeHunny, respectively. The following is an analysis of the problems and possible attack techniques for these three forked projects.

5 BTC + 300 Free Spins for new players & 15 BTC + 35.000 Free Spins every month, only at mBitcasino. Play Now!

In the SharkMinter.mintFor() function, the amount of rewarding SHARK tokens to be minted (i.e., mintShark) is derived from sharkBNBAmount computed by tokenToSharkBNB() in line 1494. However, tokenToSharkBNB() references the current balance of flip, which makes it a vulnerable point. One could assume that the amount of tokens received in line 1492 is equal to the amount of the flip balance. Still, a bad actor could manipulate the flip balance simply by sending in some flip tokens right before the getReward() call and indirectly breaking the logic of tokenToSharkBNB().

In the underlying implementation of tokenToSharkBNB() , there’s another attack surface. As shown in the above code snippet, _flipToSharkBNBFlip() removes liquidity from ApeSwap (line 1243) or PantherSwap (line 1262) and converts the LP tokens into SHARK+WBNB. Later on, the generateFlipToken() is invoked to convert SHARK+WBNB into SHARK-BNB LP tokens.

BitStarz Player Lands $2,459,124 Record Win! Could you be next big winner?
Get 110 USDT Futures Bonus for FREE!

Inside generateFlipToken() , the current SHARK and WBNB balances of SharkMinter (amountADesired, amountBDesired) are used to generated LP tokens and the amount of LP tokens are returned to mintFor() as sharkBNBAmount. Based on that, the bad actor could transfer SHARK+WBNB into SharkMinter to manipulate the amount of SHARK tokens to be minted as well.

The loophole in PancakeHunny is identical to that found in AutoShark, in that the bad actor can manipulate HUNNY reward minting with HUNNY and WBNB tokens.

Compared to AutoShark and PancakeHunny, Merlin Labs’ _getReward() has a more obvious vulnerability.

The code snippet above shows that the performanceFee could be manipulated by the balance of CAKE, which indirectly affects the MERL rewards minting. However, the nonContract modifier gets rid of flash loans.

Even without an exploit contract, the bad actor could still profit through multiple calls.

Reproducing AutoShark Attack

To reproduce the AutoShark hack, we need to first get some SHARK-BNB-LP tokens from PantherSwap. Specifically, we swap 0.5 WBNB into SHARK (line 58) and transfer the rest WBNB with those SHARK tokens into PantherSwap for minting SHARK-BNB-LP tokens (line 64). Later on, we deposit those LP tokens into AutoShark’s StrategyCompoundFLIP contract (line 69) to qualify for rewards. Note that we purposely only deposit half of the LP tokens in line 69.

The second step is to make getReward() go into the SharkMinter contract. In the above code snippet, we know that the reward can be retrieved by the earned() function (line 1658). Besides, 30% of the reward (i.e., performanceFee) should be greater than 1,000 (i.e., DUST) to trigger the SharkMinter.mintFor() in line 1668.

Therefore, in our exploit code, we transfer some LP tokens to the StrategyCompoundFLIP contract in line 76 to bypass the performanceFee > DUST check and trigger the mintFor() call. Since we need a lot of WBNB+SHARK to manipulate SharkMinter, we leverage PantherSwap’s 100k WBNB via a flash-swap call in line 81.

In the flash-swap callback, pancakeCall(), we exchange half of the WBNB into SHARK and send the SHARK with the remaining 50,000 WBNB to the SharkMinter contract to manipulate the reward minting.

The next step is to trigger getReward() when the SharkMinter receives the WBNB+SHARK tokens to mint a large amount of SHARK to the caller.

The last step is to convert SHARK to WBNB, pay the flash loan, and walk away with the remaining WBNB tokens.

In our experiment, the bad actor starts with 1 WBNB. With the help of flash loans, he profits from more than 1,000 WBNB being returned in one transaction.

Reproducing PancakeHunny Attack

The theory behind the PancakeHunny attack is similar to the AutoShark attack. In brief, we need to send a lot of HUNNY+WBNB to HunnyMinter before triggering getReward(). However, the HUNNY token contract has a protection mechanism called antiWhale to prevent large amount transfers. Therefore, flash loans do not work here.

To bypass antiWhale, we create multiple child contracts and initiate multiple CakeFlipVault.deposit() calls via said contracts.

In the above exploit code snippet, the LP tokens gathered in line 116 are divided into 10 parts and transferred to 10 Lib contracts in line 122 followed by Lib.prepare() calls for each of them.

Inside Lib.prepare(), we approve() the CakeFlipVault to spend the LP tokens and invoke CakeFlipVault.deposit() to enable the later getReward() calls for minting rewarding HUNNY tokens.

After preparing 10 Lib contracts, the main contract iterates each of them to: 1) swap WBNB to the maximum allowable amount of HUNNY; 2) transfer WBNB+HUNNY to HunnyMinter; 3) trigger getReward() via lib.trigger(); and 4) swap HUNNY back to WBNB.

In the end, the bad actor with 10 WBNB earns around 200 WBNB from 10 runs of 10 Lib contracts operations.

Reproducing Merlin Labs Attack

As mentioned earlier, Merlin Labs has the noContract modifier to get rid of flash loan attacks. However, we could use a script to trigger the attack with multiple transactions initiated from an EOA (Externally Owned Account) address. The only difference is that someone may front-run the bad actor’s transaction to steal the profits.

Similar to the AutoShark attack, we need to prepare enough LINK and WBNB (line 23), use them to mint WBNB-LINK-LP tokens (line 34), and deposit LP tokens into VaultFlipCake contract (line 38).

The remaining actions are:

  1. Swapping WBNB to CAKE (line 42).
  2. Manipulating MERL minting by sending CAKE to VaultFlipToCake contract (line 50).
  3. Triggering getReward() in line 55 (a large amount of MERL tokens are minted).
  4. Swapping MERL back to WBNB and repeating the above steps multiple times.

As mentioned earlier, if someone front runs step 3 right after step 2, that person could remove a large amount of MERL.

In our experiment, the bad actor starts with 10 WBNB and walks away with around 165 WBNB by repeating the four steps 10 times.

About Amber Group

Amber Group is a leading global crypto finance service provider operating around the world and around the clock with a presence in Hong Kong, Taipei, Seoul, and Vancouver. Founded in 2017, Amber Group services over 500 institutional clients and has cumulatively traded over $500 billion across 100+ electronic exchanges, with over $1.5 billion in assets under management. In 2021, Amber Group raised $100 million in Series B funding and became the latest FinTech unicorn valued at over $1 billion. For more information, please visit www.ambergroup.io.

Tweet123Share196ShareSend
Win up to $1,000,000 in One Spin at CryptoSlots
NewsBTC

NewsBTC

Related Posts

Cryptocurrencies With Incredibly High Market Caps

Cryptocurrencies With Incredibly High Market Caps

5 hours ago
What’s Protocol Monetary Trade Policy, and Why Is it Such a Big Deal?

What’s Protocol Monetary Trade Policy, and Why Is it Such a Big Deal?

21 hours ago
Web3 Wallets Realize the Frontier Exploration of On-chain Addresses

Web3 Wallets Realize the Frontier Exploration of On-chain Addresses

1 day ago
Ethereum Rising Gas Fees are Still Concerning But Presents Opportunity For Decentralized Exchanges

Ethereum Rising Gas Fees are Still Concerning But Presents Opportunity For Decentralized Exchanges

1 day ago
REV3AL – NFT and Digital Asset Authentication Technology Launches on KuCoin June 30th

REV3AL – NFT and Digital Asset Authentication Technology Launches on KuCoin June 30th

2 days ago
A Comparison of Global Futures Trading Platforms Shows 5 Advantages of CoinEx Futures

A Comparison of Global Futures Trading Platforms Shows 5 Advantages of CoinEx Futures

2 days ago

Premium Partners

Top Brokers

PrimeXBT

PrimeXBT

Review · Visit

Top Casinos

BitStarz

BitStarz

Review · Visit
7BitCasino

7BitCasino

Review · Visit
BC.Game

BC.Game

Review · Visit
Punt Casino

Punt Casino

Review · Visit
mBit

mBit

Review · Visit
CryptoGames

CryptoGames

Review · Visit
Bspin

Bspin

Review · Visit

Sportsbooks

1xBit

1xBit

Review · Visit
BC.Game

BC.Game

Review · Visit

U Promise Me: The Digital Promise Platform

July 1, 2022

XT.com Lists Land of Fantasy (LOF) With USDT Trading Pair

July 1, 2022

LYOTRADE Launches Crypto Loans—Get USDT and Win Against Volatility

July 1, 2022

Torches Genesis NFT Launching, Win Torchlight NFT to Unlock IDO Allocation

June 30, 2022

Crypto News Flash: Best Meme Coins to Explore in Bear Market 2022 – Floki Inu (FLOKI), Akita Inu (AKITA) and RoboApe (RBA)

June 30, 2022

ABOUT US

NewsBTC is a cryptocurrency news service that covers bitcoin news today, technical analysis & forecasts for bitcoin price and other altcoins. Here at NewsBTC, we are dedicated to enlightening everyone about bitcoin and other cryptocurrencies.

We cover BTC news related to bitcoin exchanges, bitcoin mining and price forecasts for various cryptocurrencies.

COMPANY

  • Advertising
  • Comments Policy
  • Privacy Center
  • Sitemap
  • About Us
  • Contact

Technical Analysis

  • Bitcoin (BTC)
  • Ethereum (ETH)
  • Ripple (XRP)
  • Chainlink (LINK)
  • Cardano (ADA)
  • Tezos (XTZ)

LINKS

Crypto Prices from Nomics

Cryptocurrency news

  • Bitcoin
  • Ethereum
  • Ripple
  • Chainlink
  • Cardano
  • EOS
  • Tezos

© 2021 NewsBTC. All Rights Reserved.

  • Home
  • News
    • Bitcoin
    • Ethereum
    • Cardano
    • Dogecoin
    • Ripple
    • DeFi
    • NFT
    • Sponsored
    • Press Releases
  • Analysis
    • Bitcoin (BTC)
    • Ethereum (ETH)
    • Cardano (ADA)
    • Chainlink (LINK)
    • Litecoin (LTC)
    • Tezos (XTZ)
    • Zcash (ZEC)
    • EOS
    • YearnFinance (YFI)
  • Trading Course
  • Directory
    • Crypto Businesses
    • Bitcoin Brokers
    • Casinos
    • Sportsbooks
  • Play Games
  • Bet & Win

© 2021 NewsBTC. All Rights Reserved.

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Center or Cookie Policy.