October 28, 2022

Beosin’s Analysis of Team Finance’s $13M Exploit

On October 27, 2022, Beosin EagleEye reported that Team Finance on Ethereum was exploited for over $13M. The hacker illegally migrated WTH, CAW, USDC, TSUKA tokens from V2 liquidity pool to V3 liquidity pool by exploiting the vulnerability of the migrate function in LockToken contract, disrupted the Initialize price of V3 liquidity pool via sqrtPriceX96 to obtain a large amount of refund arbitrage. Beosin security team analyzed the incident and the results are as follows.

Related information

Attack transaction


Attacker’s address



Attack contract


Victim contract


Attack Flow

1. The migrate function of the victim contract (LockToken contract) supports the user to migrate the specified Uniswap-V2 liquidity to Uniswap-V3 liquidity. A part of the tokens will be refunded to the user based on the price after migration. The call to the function require: lock ID, lock time, and withdrawable address.

2. Pre-attack preparation: the attacker 0x161ce…5899Fd first deployed the attack contract 0xCFF07C4e6aa9E2fEc04DAaF5f41d1b10f3adAdF4 as well as created the token contract 0x2d4abfdcd1385951df4317f9f3463fb11b9a31df (token A).

3. The attacker calls the lockToken function in the LockToken contract, performs four locks of token A created by himself, and sets the withdrawal address to the attack contract address, and obtains four NFTs as LP (ids 15324, 15325, 15326, 15327).

The lockToken function can lock the user’s tokens and mint a NFT token as a LP token. The type, number, withdraw address, and the locking time of the locked token can all be specified.

4. Call the extendLockDuration function in the LockToken contract to adjust the locking time corresponding to each NFT token. At this point, the preparation is completed.

5. The attack contract queries the LockToken contract for the number of specified LP tokens and returns the result as part of the attack parameters.

The attacker calls the migrate function, and due to the prior preparation of the NFT, the verification of the migrate function regarding the id and lock time, and the withdraw address are all bypassed. The NFT id obtained by locking the token A can participate in the migration of the FEG-WETH pair, without detecting whether the user’s lock is the same as the one being operated, and the parameter sqrtPriceX96, which is related to the price calculation of the UNI-V3 migration, is also input by the user.

6. The attack contract uses four NFTs prepared in advance to obtain the migration refunds for the four tokens: WETH, DAI, CAW, and TSUKA, all of which were sent to the 0xBa399a2580785A2dEd740F5e30EC89Fb3E617e6E address.

Vulnerability analysis

This attack mainly exploits a vulnerability in the migrate function of the LockToken contract. The validation of migrate is easily bypassed and can manipulate the price during migration.

Fund flow

The stolen funds are 880.258 ETH, 642,9327.6 DAI, 74,6136,5757,7043 CAW, 1183,7577.7 TSUKA, with a total value of about $13 million, which remain in the attacker’s address 0xBa399a2580785A2dEd740F5e30EC89Fb3E617e6E.


In response to this incident, Beosin security team recommends that

1. Carefully verify parameters of important functions, especially user-controllable parameters.

2. Choose a professional security audit company before the project goes live.


If you have need any blockchain security services, please contact us:

Website Email Official Twitter Alert Telegram LinkedIn

Related Project

Related Project Secure Score

Guess you like
Learn More
  • Beosin and ChainUp have entered into a strategic partnership

    October 28, 2022

  • Beosin: Blockchain Security Weekly Recap of M10W4

    October 30, 2022

  • Beosin Blockchain Security Monthly Recap of October: $980.04M lost in attacks

    October 31, 2022

  • Beosin KYT: an On-chain Expert to Meet All Your AML Needs

    November 10, 2022

Join the community to discuss.