Smart Contract Exploits in April

Written by olympix | Published 2023/04/27
Tech Story Tags: web3 | web3-security | smart-contracts | cybersecurity | crypto-security | security | cryptocurrency-hacks | good-company | hackernoon-es | hackernoon-hi | hackernoon-zh | hackernoon-vi | hackernoon-fr | hackernoon-pt | hackernoon-ja

TLDRThe Ocean Life Token on the BNB chain has been exploited for $11K. An attack on Hundred Finance resulted in a loss of $7M. Yield Finance suffered an exploit this morning, resulting in losses potentially over $11 million due to a misconfiguration in its yUSDT contract.via the TL;DR App

Ocean Life   |  Amount Lost: $11K

The Ocean Life Token on the BNB chain has been exploited for $11K. The attacker initially borrowed wrapped BNB using flash loans and swapped these funds to get $OLIFE tokens. The exploit contract had a vulnerability where the total balance state did not get updated internally before an external call was made. The private reflectFee function had decreased the total value to 969 WBNB worth of OLIFE tokens. However, the balance of the pool did not get updated correctly and the attacker was able to swap 1,001 WBNB and make a profit of 34 WBNB.

Exploit Contract (BNB Chain): 0xb5a0ce3acd6ec557d39afdcbc93b07a1e1a9e3fa

Transaction Hash (BNB Chain): 0xa21692ffb561767a74a4cbd1b78ad48151d710efab723b1efa5f1e0147caab0a

Hundred Finance   |  Amount Lost: $7M

An attack on Hundred Finance resulted in a loss of $7M. The hacker used flash loans and donated 500 WBTC to Hundred Finance's CErc20 Contract, with the intention to manipulate the exchange rate of Hundred WBTC (hWBTC). The attack contract deposited the WBTC funds into child contracts, which are utilized to mint hWBTC.

Subsequently, the child contract redeemed nearly all of the WBTC funds, except for 2 wei, causing the total supply of hWBTC to be 2 wei. The attacker then donated 500 WBTC to Hundred's CErc20 Contract, which inflated the exchange rate to nearly 1 wei hWBTC = 250 WBTC.

Taking advantage of this inflated rate, the attacker borrowed 1022 WETH with 2 wei of underlying assets. After borrowing the WETH funds, the attacker was able to withdraw the 500 WBTC that was previously donated to Hundred's CErc20 Contract due to a rounding error, and eventually repaid the flash loan.

Exploit Contract (Optimism): 0x74b8932801bfbf63B44b001d77e62c808B1e2d12

Transaction Hash (Optimism): 0x6e9ebcdebbabda04fa9f2e3bc21ea8b2e4fb4bf4f4670cb8483e2f0b2604f451

Yearn Finance   |  Amount Lost: $11M

Yield Finance suffered an exploit this morning, resulting in losses potentially over $11 million due to a misconfiguration in its yUSDT contract. The attacker flash loaned DAI, USDC, and USDT and used some of the funds to repay other people's debts on the Aave v1 Lending Pool, lowering the priority of the Aave pool within the Yearn contract.

The Yearn contract contained a hard-coded lender contract address for Fulcrum which used iUSDC as the underlying asset instead of iUSDT. This caused the Yield contract to miscalculate the yield-to-deposit ratio. The attacker was able to mint an excessive amount of yUSDT by depositing a small amount of USDT. The attacker then swapped yUSDT to DAI and ETH.

Exploit Contract: 0x83f798e925BcD4017Eb265844FDDAbb448f1707D

Metapoint   |  Amount Lost: $920K

MetaPoint on BNB Chain suffered a $920K hack due to a vulnerability in their deposit contract function. The exploit happened because every time a user deposited $POT to the pool, a new smart contract was generated, and $META tokens were deposited to it. The new smart contract had a public approve function that allowed unrestricted access to the deposited tokens, enabling the attacker to drain them. MetaPoint team announced the hack and suspended all operations.

One of the exploited smart contracts with the approve function(): 0x086f403461478F6aE7b81d9654f96f65AbDfAC29

Paribus   |  Amount Lost: $20K

An attack on Paribus resulted in the loss of approximately $20,000. The attacker borrowed 200 ETH and 30,000 USDT using a flash loan and deposited the tokens into the Paribus protocol. The deposited funds were used as collateral to borrow additional ETH from the pETH pool. The attacker exploited a reentrancy vulnerability during the pToken redeems function. According to the Paribus Post-Mortem update, the non-reentrant modifier failed to update the storage prior to the transfer. The attacker was able to borrow additional funds while the deposited pETH balance remained unchanged.

Interested in learning more about Olympix?

Olympix is a paradigm shift in Web3 protection. It offers proactive detection, enabling you to identify and prioritize smart contract vulnerabilities while you code. Its intuitive nature makes security an integral part of the development process, with security-first thinking embedded at every stage.

Here are some links to get you started:

https://www.olympix.ai/ - Our website where you can sign up to join our Beta / Discord https://twitter.com/Olympix_ai - Get updates on exploits, product updates

https://tinyurl.com/3fwyhpub - April 25 Newsletter, subscribe for more

Also published here.

Written by olympix | Olympix is a DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.
Published by HackerNoon on 2023/04/27
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy