October 28, 2022

Beosin’s Analysis of Team Finance’s $13M Exploit



On October 27, 2022, Beosin EagleEye reported that Team Finance on Ethereum was exploited for over $13M. The hacker illegally migrated WETH, CAW, USDC, and TSUKA tokens from Uniswap V2 liquidity pools to V3 liquidity pools by exploiting a vulnerability in the migrate function of the LockToken contract, and manipulated the initialization price of the V3 pools through the user-supplied sqrtPriceX96 parameter to obtain a large refund as arbitrage. The Beosin security team analyzed the incident; the results are as follows.


Related information

Attack transaction

0xb2e3ea72d353da43a2ac9a8f1670fd16463ab370e563b9b5b26119b2601277ce


Attacker’s address

0x161cebB807Ac181d5303A4cCec2FC580CC5899Fd

0xBa399a2580785A2dEd740F5e30EC89Fb3E617e6E


Attack contract

0xCFF07C4e6aa9E2fEc04DAaF5f41d1b10f3adAdF4


Victim contract

0xE2fE530C047f2d85298b07D9333C05737f1435fB



Attack Flow

1. The migrate function of the victim contract (the LockToken contract) lets a user migrate specified Uniswap V2 liquidity to Uniswap V3 liquidity. Part of the tokens is refunded to the user based on the price after migration. The call requires a lock ID, a lock time, and a withdrawal address.




2. Pre-attack preparation: the attacker 0x161ce…5899Fd first deployed the attack contract 0xCFF07C4e6aa9E2fEc04DAaF5f41d1b10f3adAdF4 as well as created the token contract 0x2d4abfdcd1385951df4317f9f3463fb11b9a31df (token A).


3. The attacker calls the lockToken function of the LockToken contract, performs four locks of token A (which he created himself), sets the withdrawal address to the attack contract address, and obtains four NFTs as LP tokens (ids 15324, 15325, 15326, 15327).



The lockToken function locks the user's tokens and mints an NFT as the LP token. The type and amount of the locked token, the withdrawal address, and the locking time can all be specified.


4. The attacker calls the extendLockDuration function of the LockToken contract to adjust the locking time of each NFT. At this point the preparation is complete.


5. The attack contract queries the LockToken contract for the amount of the specified LP tokens and returns the result as part of the attack parameters.



The attacker then calls the migrate function. Because of the NFTs prepared in advance, the migrate function's checks on the lock id, the lock time, and the withdrawal address are all passed. The function never checks that the lock being migrated is the same lock the user actually holds, so the NFT ids obtained by locking token A can be used to migrate the FEG-WETH pair. In addition, sqrtPriceX96, the parameter that determines the price used for the UNI-V3 migration, is also supplied by the user.




6. The attack contract uses four NFTs prepared in advance to obtain the migration refunds for the four tokens: WETH, DAI, CAW, and TSUKA, all of which were sent to the 0xBa399a2580785A2dEd740F5e30EC89Fb3E617e6E address.


Vulnerability analysis

This attack mainly exploits a vulnerability in the migrate function of the LockToken contract: its validation is easily bypassed, and the caller can manipulate the price used during migration.
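To make the two missing checks concrete (the lock-to-pair binding from step 5 and the user-supplied sqrtPriceX96 from the analysis above), here is an added Python model of a hardened migrate validation. It is not Team Finance's code; the Lock layout, the "lock still active" rule, the 1% tolerance and all sample values are assumptions.

```python
import math
from dataclasses import dataclass

Q96 = 1 << 96


@dataclass
class Lock:
    """One LockToken position (constructed model, not the project's storage layout)."""
    lock_id: int
    token: str               # token actually held by this lock (e.g. a V2 LP token)
    withdrawal_address: str
    unlock_time: int


def expected_sqrt_price_x96(reserve0: int, reserve1: int) -> int:
    """sqrtPriceX96 implied by the V2 reserves: sqrt(reserve1 / reserve0) in Q64.96."""
    if reserve0 <= 0 or reserve1 <= 0:
        raise ValueError("reserves must be positive")
    return math.isqrt((reserve1 << 192) // reserve0)


def validate_migration(lock: Lock, caller: str, pair_token: str, sqrt_price_x96: int,
                       reserve0: int, reserve1: int, now: int, max_dev_bps: int = 100):
    """Return None if the migration is acceptable, otherwise the reason it is rejected.

    The first two checks model what the write-up says migrate already verified
    (withdrawal address and lock time; the exact lock-time rule is an assumption).
    The last two are the checks whose absence the write-up describes.
    """
    if lock.withdrawal_address != caller:
        return "caller is not the lock's withdrawal address"
    if lock.unlock_time <= now:
        return "lock is not active"
    # Missing check 1: the NFT/lock must actually hold the V2 pair being migrated.
    if lock.token != pair_token:
        return "lock does not hold the pair being migrated"
    # Missing check 2: caller-supplied sqrtPriceX96 must agree with the V2 reserve ratio.
    expected = expected_sqrt_price_x96(reserve0, reserve1)
    deviation_bps = abs(sqrt_price_x96 - expected) * 10_000 // expected
    if deviation_bps > max_dev_bps:
        return f"sqrtPriceX96 deviates {deviation_bps} bps from the V2 price"
    return None


if __name__ == "__main__":
    # Constructed data: a lock of self-created token A used against a different pair.
    attacker = "0xATTACK"
    lock_a = Lock(15324, "TOKEN_A", attacker, unlock_time=2_000_000)
    r0, r1 = 1000 * 10**18, 4000 * 10**18          # price token1/token0 = 4, sqrt = 2
    print(validate_migration(lock_a, attacker, "FEG-WETH-V2LP", 10 * Q96, r0, r1, 1_000_000))
```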

Fund flow

The stolen funds are 880.258 ETH, 6,429,327.6 DAI, 74,613,657,577,043 CAW, and 11,837,577.7 TSUKA, with a total value of about $13 million, which remain in the attacker's address 0xBa399a2580785A2dEd740F5e30EC89Fb3E617e6E.

Summary

In response to this incident, the Beosin security team recommends the following:

1. Carefully verify parameters of important functions, especially user-controllable parameters.

2. Choose a professional security audit company before the project goes live.
