May 19, 2022
Analysis of Attack on Feminist Metaverse
On May 18th, 2022, according to the Beosin-Alert, Feminist Metaverse’s FmToken contract was exploited for about 1838 BNB (about 540,000 USD). Beosin security team analyzed the incident and the findings are shown below.
Feminist Metaverse is a DAO project on the BSC chain. Official website: https://feministmetaverse.org/
Address of the hacker
Contract that launched the hack
1. The attacker address first receives, via the skim function of the SakeSwapPair contract, FM_Token that had not been credited to the liquidity pool; the attacker was probably already aware of the vulnerability in the FM_Token contract at this point.
2. The attacker deploys the attack contract, which is used to speed up the extraction of FM_Token.
3. 10 FM_Token are transferred to the attack contract in preparation for the subsequent attack.
4. The attack contract is invoked to cyclically transfer FM_Token to the attacker’s address. Each transfer triggers the FM_Token contract to move FM_Token from its own balance to SakeSwapPair, and the tokens are finally extracted to the attacker’s address through the skim function. In detail:
4.1 The created attack contract 0x0B8d…a10F makes multiple transfers of small amounts of FM token to the attacker’s own address.
4.2 Since the FM_Token contract balance has reached the 150,000-token threshold for transferring to SakeSwapPair, each transfer triggers line 920, which increases SakeSwapPair’s balance of FM token. SakeSwapPair therefore ends up with a difference between its token balance and its recorded reserve.
4.3 The attacker then calls the skim() function in SakeSwapPair to extract the difference between token balance and reserve to his own address.
5. The FM token is swapped for BNB on PancakeSwap.
6. Steps 4 and 5 are repeated, and the resulting 1838 BNB are transferred to Tornado.cash.
This attack mainly exploits the fact that the tokens are added to the Pair contract’s balance directly but never written to the Pair’s own ledger (its reserves). The attacker moves the coins held by the FmToken contract address into the Pair contract through multiple transfers, and none of the tokens transferred in this way are recorded in the Pair’s reserves. Since the Pair contract does not sync the received tokens to its reserve, the attacker can transfer the corresponding coins directly to his own account via skim and then sell them for profit.
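The accounting gap described above can be replayed in a small model. The following Python is an added example written for this write-up; it is not code from the FmToken or SakeSwapPair contracts and not Beosin’s own tooling. It assumes a Uniswap-V2-style pair whose `reserve` is only updated by `sync()`, a token whose `transfer()` pushes a fixed chunk (`PUSH_CHUNK`, an assumed figure; the page gives no per-transfer amount) to the pair once the contract holds the write-up’s 150,000-token threshold, and three modes: the vulnerable push, the page’s first recommendation of not pushing to the pair at all, and a `sync` variant (an assumption, not a recommendation from the page) that credits the pair’s ledger after each push. The `untracked()` reading taken before the skim is the quantity a monitor would watch for: a pair whose token balance exceeds its recorded reserve is skimmable by anyone.

```python
"""Toy model of a balance-vs-reserve mismatch in a V2-style pair.

Constructed example for illustration; the contract names, the starting
balances and PUSH_CHUNK are assumptions, not values from the incident.
"""
from dataclasses import dataclass, field

PUSH_THRESHOLD = 150_000  # the 150,000-token threshold given in the write-up
PUSH_CHUNK = 10_000       # assumed size of each push to the pair (not on the page)

TOKEN_CONTRACT = "token_contract"   # hypothetical address labels
PAIR = "pair"
ATTACKER = "attacker"
HELPER = "attacker_contract"


@dataclass
class Ledger:
    """Minimal ERC-20-style balance map."""
    balances: dict = field(default_factory=dict)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def move(self, src: str, dst: str, amount: int) -> None:
        if amount < 0 or self.balance_of(src) < amount:
            raise ValueError(f"cannot move {amount} from {src}")
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount


class Pair:
    """V2-style pair: `reserve` is the pair's own ledger of this token and is
    only updated by sync() (or swap/mint/burn), never by an incoming transfer."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.reserve = 0

    def sync(self) -> None:
        self.reserve = self.ledger.balance_of(PAIR)

    def untracked(self) -> int:
        """Tokens the pair holds above what its ledger records (skimmable)."""
        return self.ledger.balance_of(PAIR) - self.reserve

    def skim(self, to: str) -> int:
        """Pay out balance - reserve to `to`, as V2 skim() does."""
        excess = self.untracked()
        self.ledger.move(PAIR, to, excess)
        return excess


class FmStyleToken:
    """Token whose transfer() feeds the pool from the contract's own balance,
    modelled on the behaviour the write-up describes (assumed shape)."""

    def __init__(self, ledger: Ledger, pair: Pair, mode: str) -> None:
        assert mode in ("vulnerable", "sync", "no_push")
        self.ledger, self.pair, self.mode = ledger, pair, mode

    def transfer(self, src: str, dst: str, amount: int) -> None:
        self.ledger.move(src, dst, amount)
        if self.mode == "no_push":
            return  # recommendation 1: never transfer straight into the pair
        if self.ledger.balance_of(TOKEN_CONTRACT) >= PUSH_THRESHOLD:
            self.ledger.move(TOKEN_CONTRACT, PAIR, PUSH_CHUNK)
            if self.mode == "sync":
                self.pair.sync()  # record the push in the pair's ledger


def run_scenario(mode: str, rounds: int = 5) -> dict:
    """Replay the write-up's loop: many small transfers, then a single skim()."""
    ledger = Ledger({TOKEN_CONTRACT: 200_000, PAIR: 1_000_000, ATTACKER: 10})  # constructed
    pair = Pair(ledger)
    pair.sync()  # pool starts consistent: balance == reserve
    token = FmStyleToken(ledger, pair, mode)
    token.transfer(ATTACKER, HELPER, 10)            # step 3 of the write-up
    for _ in range(rounds):                         # step 4.1: small back-and-forth transfers
        token.transfer(HELPER, ATTACKER, 1)
        token.transfer(ATTACKER, HELPER, 1)
    untracked_before_skim = pair.untracked()        # step 4.2: what a monitor should alert on
    skimmed = pair.skim(ATTACKER)                   # step 4.3
    return {
        "untracked_before_skim": untracked_before_skim,
        "skimmed": skimmed,
        "attacker_balance": ledger.balance_of(ATTACKER),
        "pair_balance": ledger.balance_of(PAIR),
        "pair_reserve": pair.reserve,
    }


if __name__ == "__main__":
    for m in ("vulnerable", "sync", "no_push"):
        print(m, run_scenario(m))
```

With the constructed numbers, the vulnerable mode pushes 10,000 tokens on each of the first six transfers (until the contract balance falls below the threshold), leaving 60,000 untracked tokens that a single skim() hands to the attacker; in both other modes `untracked()` stays at zero and skim() pays nothing. The same `balance_of(pair) - reserve` check is cheap to run off-chain against a live pair and is the earliest point at which this pattern is visible.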
As of now, the stolen funds have been transferred to Tornado.cash.
In response to this incident, Beosin security team recommends:
1. Do not transfer directly to the Pair contract.
2. When integrating non-standard tokens with a Pair contract, fully consider the possible impact of the token’s custom functions on the Pair contract.
3. Before the project goes live, make sure to choose a professional security audit company to conduct a comprehensive security audit.
If you need any blockchain security services, please contact us: