May 19, 2022

Analysis of Attack on Feminist Metaverse

On May 18, 2022, according to Beosin-Alert, Feminist Metaverse’s FmToken contract was exploited for about 1838 BNB (about 540,000 USD). The Beosin security team analyzed the incident; the findings are shown below.


Feminist Metaverse is a DAO project on the BSC chain. Official website: https://feministmetaverse.org/


Relevant Information

Transaction hash: 0xfdc90e060004dd902204673831dce466dcf7e8519a79ccf76b90cd6c1c8b320d

Attacker address: 0xaaA1634D669dd8aa275BAD6FdF19c7E3B2f1eF50

Attack contract: 0x0B8d752252694623766DfB161e1944F233Bca10F

Victim contract: 0x843528746F073638C9e18253ee6078613C0df0f1


Exploitation Flow



1. The attacker's address first receives FM_Token that had been sent to the SakeSwapPair contract without being credited to the liquidity pool, by calling the pair's skim function; the attacker was probably already aware of the vulnerability in the FM_Token contract at this point.

2. The attacker deploys the attack contract, which is used to speed up the extraction of FM_Token.

3. 10 FM_Token are transferred to the attack contract in preparation for the subsequent attack.

4. The attacker invokes the attack contract, which repeatedly transfers FM_Token to the attacker's address. Each transfer triggers the FM_Token contract's logic that moves tokens from the FM_Token contract itself to SakeSwapPair, and the tokens are finally extracted to the attacker's address through the skim function. In detail:

4.1 The attack contract 0x0B8d…a10F makes multiple transfers of small amounts of FM_Token to the attacker's own address.

4.2 Because the FM_Token contract's own balance has reached the 150,000-token threshold for transferring to SakeSwapPair, each transfer triggers line 920, which increases SakeSwapPair's FM_Token balance. SakeSwapPair's token balance therefore exceeds its recorded reserve.

4.3 The attacker then calls the skim() function of SakeSwapPair to extract the difference between balance and reserve to his own address.

5. The attacker uses PancakeSwap to swap the FM_Token for BNB.

6. Steps 4 and 5 are repeated, and the resulting 1838 BNB are transferred to Tornado.cash.



Vulnerability Analysis

This attack exploits the fact that FM_Token credits the Pair's token balance directly without the amount ever being written to the Pair's own ledger (its reserves). Through repeated transfers the attacker pushes the tokens held by the FmToken contract address into the Pair contract, and none of these tokens are recorded in the Pair's reserves. Because the Pair never syncs the received tokens into reserve, the attacker can transfer the surplus to his own account via skim and then sell it for profit.
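The pattern described above, written out as an added Solidity illustration (this is not FmToken's or SakeSwap's actual source; the fee rate, the threshold flush, and the contract and function names are assumptions): the vulnerable flush to the pair beside a hardened version that reconciles the pair's reserve.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IPair { function sync() external; }

// Base: a fee-on-transfer token that parks fees in its own balance and
// flushes them to the AMM pair once they reach a threshold (hypothetical
// reconstruction of the pattern, not FmToken's actual code).
abstract contract FeeToken {
    mapping(address => uint256) public balanceOf;
    address public immutable pair;                 // SakeSwapPair address
    uint256 public constant THRESHOLD = 150_000 ether;
    constructor(address _pair) { pair = _pair; }

    function _transfer(address from, address to, uint256 amount) internal {
        uint256 fee = amount / 100;                // 1% fee, assumed
        balanceOf[from] -= amount;
        balanceOf[to] += amount - fee;
        balanceOf[address(this)] += fee;
        if (balanceOf[address(this)] >= THRESHOLD) _flushToPair(from, to);
    }
    function _flushToPair(address from, address to) internal virtual;
}

contract VulnerableToken is FeeToken {
    constructor(address _pair) FeeToken(_pair) {}
    // BUG: tokens land in the pair's balance but the pair's reserve is never
    // updated. balance > reserve, so anyone can call pair.skim(to) and
    // receive the difference; repeated transfers drain the whole fee pool.
    function _flushToPair(address, address) internal override {
        balanceOf[pair] += balanceOf[address(this)];
        balanceOf[address(this)] = 0;
    }
}

contract HardenedToken is FeeToken {
    constructor(address _pair) FeeToken(_pair) {}
    // Fix: never leave pair balance and reserve out of step. Reconcile with
    // sync() right after the move so nothing is left to skim, and skip the
    // flush while the pair itself is a party to the transfer (a swap in
    // progress), since sync() is reentrancy-locked and would revert.
    // Cleaner still: add the fee as liquidity through the router instead of
    // transferring to the pair at all, as the first recommendation below says.
    function _flushToPair(address from, address to) internal override {
        if (from == pair || to == pair) return;
        balanceOf[pair] += balanceOf[address(this)];
        balanceOf[address(this)] = 0;
        IPair(pair).sync();
    }
}
```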



Fund Tracing

As of now, the stolen funds have been transferred to Tornado.cash.



Summary

In response to this incident, Beosin security team recommends:



1. Do not transfer tokens directly to the Pair contract.

2. When integrating non-standard tokens with a Pair, fully consider the possible impact of the token's custom functions on the Pair contract.

3. Before the project goes live, choose a professional security audit company to conduct a comprehensive security audit.


