text
This article is reproduced from Zhifan Technology, and is reproduced with authorizationIn just over 20 days in May 2021, four flash loan attack arbitrage incidents occurred on the BSC Binance Smart Chain, with a total loss of more than 78 million US dollars.
The techniques and principles of the four attacks are similar. Zhifan Technology will summarize and compare the attack principles and techniques of the four incidents, and hope that the project parties and users will be more vigilant.
Before starting to analyze security incidents on the BSC chain, you need to understand some basic concepts, such as the meaning of flash loans, the profit model of Defi projects, etc.
What is flash loan
Flash loan is to complete the loan and repayment in one chain transaction without collateral. Since an on-chain transaction can include multiple operations, developers can add other on-chain operations between borrowing and repayment, making such borrowing more imaginative and meaningful. The function of the flash loan is to ensure that the user does not need to mortgage to realize the loan repayment, and if the funds are not returned, the transaction will be restored, that is, all the operations performed before are undone, so as to ensure the security of the agreement and funds.
Here we take PancakeSwap as an example. PancakeSwap is an automated market maker (AMM) platform on the Binance Chain. Users can trade digital assets through this platform. However, unlike the traditional trading model, the user's trading object is a liquidity pool. These pools hold the funds of other users. Users inject funds into the pool and receive tokens from liquidity providers ("LPs"). They can then use these tokens in exchange for their share of funds and earn a portion of transaction fees. In short, users can trade tokens on the platform and earn rewards by adding liquidity.
first level title
1. Analysis purpose
Sort out the cause of the incident
Security tips for project parties and users
first level title
AutoShark Finance
2. Event analysis
On May 25, 2021, Beijing time, Binance Chain (BSC) DeFi protocol AutoShark Finance was attacked by flash loans.
Hackers minted 100 million SHARK tokens and sold them in large quantities in a short period of time, causing the price of SHARK to crash rapidly, from $1.2 to $0.01. The funds of all users in the fund pool are still safe, and this attack did not cause the project party to lose funds.
The hacker exploited the getReward function vulnerability in the WBNB/SHARK strategy pool in the project (the balance calculation for adding liquidity was wrong), and thus used the SharkMinter contract to mint a large amount of SHARK tokens for profit.
The contract finally calculated a very large value when counting the hacker's contribution, which caused the SharkMinter contract to mint a large number of SHARK tokens for the attacker.
image description
Screenshot of AutoShark's attacked transaction
Bogged Finance team loses $3.62 million in flash loan attackOn May 22, 2021, Beijing time, Zhifan Technology tracked and discovered that the Binance Chain (BSC) DeFi protocol Bogged Finance was hacked.。
The specific performance is that hackers conduct flash loan arbitrage attacks on the logic error of the _txBurn function in the BOG token contract code
In the BOG contract code, 5% of the transaction amount should be charged as a transaction fee for all transactions. At the same time, transfers to oneself are allowed. In the process of self-transfer, only 1% of the transaction fee will be deducted.However, in this attack, the attacker increased the amount of the pledge through flash loans, and then used the contract’s transaction review bias for the self-transfer type (the transfer address was not verified in the _transferFrom function) to add, and finally remove the liquidity to complete the attack process.
image description
Screenshot of Bogged Finance’s attacked transaction
PancakeBunny Lightning Attack Loses Over $45 Million
On May 20, 2021, Beijing time, Zhifan Technology tracked and found that attackers used contract loopholes to borrow large amounts of funds from PancakeSwap and ForTube liquidity pools, and continuously increased the number of BNB in the BNB-BUNNY pool. In the bunnyMinterV2 contract, about 7 million BUNNY tokens were minted, and some of them were exchanged into BNB to repay the flash loan, and there were profits of 697,000 BUNNY and 114,000 BNB.
image description
Screenshot of PancakeBunny’s attacked transaction
Spartan Protocol was attacked and lost about 30 million US dollars
On May 2, 2021, Beijing time, the DeFi project Spartan was attacked by hackers with flash loans. SpartanSwap applies the AMM algorithm of THORCHAIN.This algorithm uses Liquidity-sensitive fee toSolve liquidity cold start and slippage problems
, but there are loopholes in this algorithm.
When removing liquidity, it will calculate how many corresponding tokens the user's LP can obtain based on the real-time number of tokens in the pool. Due to algorithm loopholes (there is no slippage correction mechanism when removing liquidity), at this time it will be more than adding Liquidity means more tokens, so hackers only need to repeatedly add and remove liquidity to gain profits from excess tokens.
Spartan Protocol Attacked Transaction Screenshot
first level title
3. Summarize the attack methods on the BSC chain
Hackers raised funds through the BSC flash loan platform (PancakeSwap)
Arrange automated contracts for the exchange of BNB and platform tokens
Put tokens into the platform contract pool to get LP token rewards
Returning Borrowed Flash Loan Funds
Quickly transfer the acquired assets to Ethereum through the cross-chain bridge platform (Nerve)
Step 1: Hackers obtain large sums of money from lending platforms
Step 2: Deploy automated attack contracts to attack exchange price oracles
Step 3: Obtain arbitrage space through token price differences
Step 5: Transfer profits across chains to Ethereum to prevent being tracked
first level title
4. Safety Tips
According to the above analysis, it is a very common method for hackers to obtain benefits from the logic loopholes of the project party. Every time a new platform is attacked, other platform managers should be more vigilant, and immediately check whether there are the same or similar loopholes in their own code, so as to protect their reputation and financial security.
