A brief analysis of the SushiSwap attack incident from a small perspective
SlowMist (慢雾科技)
2020-11-30 13:37
This article is about 1303 words; reading it takes about 5 minutes.
Crazy sushi, hidden risks.

By: yudan @ SlowMist Security Team

Background

Attack process

1. The attacker selects a trading pair on SushiSwap, such as USDT/WETH, and adds liquidity to obtain the corresponding SLP (the USDT/WETH liquidity proof token, hereinafter referred to as SLP). Using the obtained SLP together with a small amount of WETH, the attacker creates a new SushiSwap trading pair, receives SLP1 (the liquidity proof token of the new WETH/SLP(USDT/WETH) pool, hereinafter referred to as SLP1), and transfers it into the SushiMaker contract.

2. The attacker calls the convert function of SushiMaker with token0 set to the SLP obtained in step 1 and token1 set to WETH. After convert is called, the SushiMaker contract calls the burn function of the pool formed by token0 and token1, burning the SLP1 that the attacker transferred into SushiMaker in step 1 and receiving WETH and SLP in return.

3. The convert function of the SushiMaker contract then calls the internal _toWETH function to convert the tokens obtained from the burn into WETH. Because in step 2 SushiMaker received SLP and WETH from the burn, and WETH needs no conversion, only the SLP is converted. This conversion is performed through the SLP/WETH trading pair, which is exactly the pair the attacker created in step 1. Since SushiMaker converts its entire balanceOf(token0) during conversion, and token0 here is SLP, the contract swaps all of the SLP it holds through the SLP/WETH pair. That SLP includes both the fee income accumulated from every swap in the USDT/WETH pair and the SLP the contract obtained through the burn in step 2. The SLP/WETH pool is controlled by the attacker, who only needed to add a small amount of WETH when initialising it; during the swap performed by SushiMaker, that small amount of WETH is exchanged for all of the SLP held by the SushiMaker contract.
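To make the risk in step 3 concrete, here is an added Python model that is not SlowMist's or SushiSwap's code: a simplified constant-product pool, the "convert the entire balance through the caller-selected pair" pattern, and a hardened variant that only swaps through allowlisted pools and refuses quotes below a reference-price floor. All reserves, rates, pool names and the guard itself are constructed assumptions for the demonstration.

```python
"""Constant-product model of the SushiMaker conversion pattern described above.

Added illustration, not SushiSwap's own code: a simplified x*y=k pool and two
versions of a 'convert everything' routine. Reserves, fee handling and the
allowlist/slippage guard are constructed assumptions for the demonstration.
"""
from dataclasses import dataclass

FEE_BPS = 30  # 0.3% swap fee, as in Uniswap-V2-style pairs (simplified float math)


@dataclass
class Pool:
    """A minimal x*y=k pool. Token A is the asset being sold (the SLP), token B is WETH."""
    reserve_a: float
    reserve_b: float

    def quote_a_for_b(self, amount_in: float) -> float:
        """Output of token B for amount_in of token A, without changing reserves."""
        amount_in_after_fee = amount_in * (10_000 - FEE_BPS) / 10_000
        return amount_in_after_fee * self.reserve_b / (self.reserve_a + amount_in_after_fee)

    def swap_a_for_b(self, amount_in: float) -> float:
        """Execute the swap and update reserves."""
        out = self.quote_a_for_b(amount_in)
        self.reserve_a += amount_in
        self.reserve_b -= out
        return out


def naive_convert(balance: float, pool: Pool) -> float:
    """The risky pattern: sell the contract's whole balance into whatever pool
    is selected by the caller-supplied token pair, with no price sanity check."""
    return pool.swap_a_for_b(balance)


def guarded_convert(balance, pool, pool_id, allowed_pool_ids, reference_rate, max_slippage_bps):
    """Hardened variant (constructed): only swap through allowlisted pools and
    refuse when the quoted output falls below a reference-price floor.
    Returns (ok, weth_out, reason) instead of reverting so the demo stays inspectable."""
    if pool_id not in allowed_pool_ids:
        return False, 0.0, "pool not on allowlist"
    expected = balance * reference_rate
    floor = expected * (10_000 - max_slippage_bps) / 10_000
    quote = pool.quote_a_for_b(balance)
    if quote < floor:
        return False, 0.0, f"quote {quote:.6f} below floor {floor:.6f}"
    return True, pool.swap_a_for_b(balance), "ok"


def run_scenario() -> dict:
    """Constructed numbers: the maker contract holds 1000 SLP of accumulated fees;
    a trusted reference says 1 SLP is worth 0.05 WETH; the attacker-created pool
    is seeded with 1 SLP and 0.01 WETH."""
    maker_slp_balance = 1000.0
    reference_rate = 0.05  # WETH per SLP from a trusted source (e.g. the LP token's underlying value)

    # Naive path: the whole balance is sold into the tiny pool.
    attacker_pool = Pool(reserve_a=1.0, reserve_b=0.01)
    weth_received = naive_convert(maker_slp_balance, attacker_pool)

    # Guarded path 1: the attacker's pool is not on the allowlist.
    attacker_pool_2 = Pool(reserve_a=1.0, reserve_b=0.01)
    ok_allow, _, reason_allow = guarded_convert(
        maker_slp_balance, attacker_pool_2, "attacker-pool",
        allowed_pool_ids={"canonical-pool"}, reference_rate=reference_rate, max_slippage_bps=100)

    # Guarded path 2: even if that pool were allowlisted, the price floor rejects it.
    ok_slip, _, _ = guarded_convert(
        maker_slp_balance, attacker_pool_2, "attacker-pool",
        allowed_pool_ids={"attacker-pool"}, reference_rate=reference_rate, max_slippage_bps=100)

    # Guarded path 3: a deep pool priced near the reference passes both checks.
    deep_pool = Pool(reserve_a=1_000_000.0, reserve_b=50_000.0)
    ok_deep, weth_deep, _ = guarded_convert(
        maker_slp_balance, deep_pool, "canonical-pool",
        allowed_pool_ids={"canonical-pool"}, reference_rate=reference_rate, max_slippage_bps=100)

    return {
        "naive_weth_received": weth_received,
        "naive_slp_now_in_attacker_pool": attacker_pool.reserve_a,
        "guard_rejects_unknown_pool": not ok_allow,
        "guard_reason_unknown_pool": reason_allow,
        "guard_rejects_bad_price": not ok_slip,
        "guard_accepts_deep_pool": ok_deep,
        "deep_pool_weth_received": weth_deep,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows the asymmetry the article describes: the naive routine receives roughly 0.01 WETH for 1000 SLP, while the attacker's pool now holds 1001 SLP that its liquidity provider can withdraw. The guarded routine rejects the unknown pool outright, rejects the bad quote even when the pool is allowlisted, and accepts a deep pool whose quote is within 1% of the reference value.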

Summary

The attacker uses SLP and WETH to create a new pool, uses the new pool's SLP1 to trigger convert in SushiMaker, and with a small amount of WETH moves all of the SLP held by the SushiMaker contract into the pool he created, collecting all of the fees accumulated by the corresponding trading pair over that period. Repeating the process for other trading pairs, the attacker continues to profit.
