CertiK: Flash loan attacks occur frequently; a look back at the attack on BT.Finance from start to finish
CertiK
2021-02-10 05:48
This article is about 984 words; reading it takes about 4 minutes.
Flash loan attacks occur frequently, and CertiK will take you back to the attack on BT.Finance.

In 2020, frequent flash loan attacks became the "new normal" among security incidents.
In 2021, hackers still seem to be sticking with flash loan attacks.
On February 9th, Beijing time, the CertiK security technology team discovered that the DeFi yield aggregator BT.Finance had been hacked.
BT.Finance has temporarily stopped deposits to Curve.fi to prevent another attack. The strategies under attack include ETH, USDC and USDT, and other strategies are not affected.
BT.Finance stated that it holds management funds for insurance and compensation. For the sake of investors and the healthy development of DeFi, it hopes the hackers will return the funds.
Additionally, BT.Finance withdrawal fee protection reduced the damage from this attack by almost $140,000. According to ICO Analytics, approximately $1.5 million of funds were affected.
The CertiK security technical team immediately launched an analysis, and now analyzes the details of the attack process as follows:
  1. The attacker first borrowed about 100,000 ETH from dydx using a flash loan.
  2. The attacker deposited approximately 57,000 ETH into the Curve sETH pool.
  3. The attacker withdrew sETH from the Curve sETH pool. Because of the large amount of ETH deposited, the price of sETH rose; at this point the attacker withdrew about 35,000 sETH.
  4. The attacker deposited about 4340 ETH into the bt.finance ETH strategy pool.
  5. The attacker called the earn function.
  6. The attacker deposited all of the sETH withdrawn in step 3 into the Curve sETH pool, withdrew ETH, and finally triggered the withdraw function of the bt.finance ETH strategy pool to withdraw all of the ETH held in the pool.
  7. The attacker repeated steps 2-5 above 5 times, then repaid the flash loan to complete the profit.
Transactions made by the attacker in a single attack
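As an added illustration (not BT.Finance's or Curve's code, and deliberately simplified: a constant-product pool stands in for Curve's StableSwap, and the reserves, deposit size and reference price are constructed values), the following Python shows how a large single-sided ETH deposit moves a pool's spot price of sETH, and the deviation check a strategy could run against a reference price before trusting that spot price.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Toy x*y=k pool of ETH and sETH (constructed; not Curve's StableSwap)."""
    eth: float
    seth: float

    def spot_price_seth_in_eth(self) -> float:
        # Marginal price of 1 sETH in ETH for a constant-product pool.
        return self.eth / self.seth

    def swap_eth_for_seth(self, eth_in: float) -> float:
        # Deposit ETH, receive sETH; reserves move along the x*y=k curve.
        k = self.eth * self.seth
        new_eth = self.eth + eth_in
        new_seth = k / new_eth
        seth_out = self.seth - new_seth
        self.eth, self.seth = new_eth, new_seth
        return seth_out


def price_deviation_bps(observed: float, reference: float) -> float:
    """Absolute deviation of an observed price from a reference, in basis points."""
    return abs(observed - reference) / reference * 10_000


def is_price_sane(observed: float, reference: float, max_bps: float = 100) -> bool:
    """Defensive check: reject pool spot prices that stray too far from a
    reference price (e.g. a TWAP or external oracle) within one transaction."""
    return price_deviation_bps(observed, reference) <= max_bps


def simulate_manipulation(eth_reserve: float, seth_reserve: float, eth_in: float) -> dict:
    """Run one large deposit through the toy pool and report what a strategy
    relying on the spot price would see, plus whether the sanity check passes."""
    pool = Pool(eth_reserve, seth_reserve)
    reference = pool.spot_price_seth_in_eth()  # pre-trade price used as the reference
    seth_out = pool.swap_eth_for_seth(eth_in)
    spot = pool.spot_price_seth_in_eth()
    return {
        "seth_out": seth_out,
        "spot": spot,
        "reference": reference,
        "deviation_bps": price_deviation_bps(spot, reference),
        "sane_after": is_price_sane(spot, reference),
    }


if __name__ == "__main__":
    # Constructed figures: a 100k/100k pool and a 57,000 ETH deposit.
    print(simulate_manipulation(100_000, 100_000, 57_000))
```

With the constructed 1:1 pool, a 57,000 ETH deposit returns roughly 36,300 sETH and pushes the spot price to about 2.46 ETH per sETH, a deviation of over 14,000 bps that the check rejects.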
Security advice

High returns must be accompanied by high risks.
Almost every blockchain application is built on smart contracts, and security audits of the underlying code and design patterns are the top priority for protecting a project.
CertiK once again recommends that project teams pay attention to avoiding risk, and that investors check whether a project has undergone a complete security review and has ongoing security guarantees before investing.
Reference links

 https://ethtx.info/mainnet/0xc71cea6fa00d11e98f6733ee8740f239cb37b11dec29e7cf85d7a4077977fa65

 https://twitter.com/doug_storming/status/1358896348276391939?s=20
