May 16, 2022

Beosin’s Detailed Analysis of FEGtoken Flashloan Attack

On May 16, 2022, Beosin EagleEye monitored that FEGtoken’s FEGexPRO contract on both Ethereum and BNB Chain was exploited for about 3,280 BNB and 144 ETH by a flashloan attack. Beosin security team analyzed the incident and the findings are shown below.

FEGtoken Introduction

The FEGtoken project consists of the deflationary token FEG on Ethereum and BNB Chain and the FEGex multi-chain decentralized exchange. The official website:

Relevant Information

The attack contained multiple transactions, some of which are shown below.

Transaction hash:

0x77cf448ceaf8f66e06d1537ef83218725670d3a509583ea0d161533fda56c063 (BNB Chain)

0x1e769a59a5a9dabec0cb7f21a3e346f55ae1972bb18ae5eeacdaa0bc3424abd2 (Ethereum)

Hacker address:


Hacker contract:


Victim contract:

0x818e2013dd7d9bf4547aaabf6b617c1262578bc7 (BNB Chain)

0xf2bda964ec2d2fcb1610c886ed4831bf58f64948 (Ethereum)

Exploitation Flow

The exploitation flow is same on Ethereum and BNB Chain, and the following analysis is based on BNB Chain.

1. The hacker calls the attack contract (0x9a84…. .f445) to flashloan 915.84 WBNB from the DVM contract (0xd534… .0dd7), and then converts 116.81 WBNB into 115.65 fWBNB to prepare for the subsequent attack.

2. The hacker used the attack contract to create 10 contracts.

3. The hacker then stakes the redeemed fWBNB tokens to the FEGexPRO contract (0x818e…8bc7).

4. Then the hacker repeatedly calls the depositInternal and swapToSwap functions to let the FEGexPRO contract approve fBNB to the other contracts previously deployed.

5. Then the transferFrom function is called using other attack contracts to transfer all the fBNBs in the FEGexPRO contract to the attack contract (0x9a84….f445).

6. Next borrow 31,217,683,882,286.007211154 FEG tokens and 423 WBNB from LP trading pair contract (0x2aa7.. .6c14).

7. Repeat steps 3, 4 and 5 to steal a large amount of FEG tokens from the FEGexPRO contract into the attack contract.

8. Then return the flashloan and transfer the obtained WBNB to the attack contract to complete this attack.

9. More than 50 identical attacks have been executed using the same method, with a total profit of about 144 ETH and 3280 BNB.

Vulnerability Analysis

This attack mainly exploits the vulnerability that the path address in the swapToSwap function of the FEGexPRO contract can be controlled and the validity of the path address is not verified in the contract. Since the contract depends on the current token balance in the contract when updating the user balance in the depositInternal function, the attacker is able to pass in a malicious path address and the token balance in the contract will not change when the swapToSwap function is called, allowing the attacker to repeatedly reset the number of tokens recorded by the attack contract in the FEGexPRO contract, thus allowing the FEGexPRO contract to repeatedly approve its tokens to multiple malicious contracts controlled by the attacker.

Fund Tracing

As of this writing, the stolen funds are still at the attacker’s address (0x73b3…. .ff7c) without being transferred out.


In response to this incident, Beosin security team recommends:

1. When developing a project, attention should be paid to possible security risks when interacting with other contracts, and try to avoid setting key parameters to be controllable by the user. If the business requirements are such, the parameters input by the user need to be strictly judged as risky or not.

2. Before the project goes live, it is highly recommended to choose a professional security audit company for a comprehensive security audit to avoid security risks.


1.What is the impact on Web3 after LUNA’s crash and DeFi “fled” ?

2. How to Ensure the Security of NFT Under the Web 3.0 Boom?

3. DEUS Finance Suffered its Second Flashloan Attack This Year: Beosin’s Detailed Analysis

4. Beosin Has Completed Security Audit Service of Crypto LEGO ALG

5. What is the impact on Web3 after LUNA’s crash and DeFi “fled” ?

6. 「RECAP」AMA About How to Keep Your Smart Contract Secure During Development With Beosin VaaS


If you have need any blockchain security services, please contact us:

Website Email Official Twitter Alert Telegram LinkedIn

Related Project

Related Project Secure Score

Guess you like
Learn More
  • Beosin Has Completed Security Audit Service of Clip Protocol

    July 25, 2022

  • What is the impact on Web3 after LUNA’s crash and DeFi “fled” ?

    May 13, 2022

  • Beosin’s Detailed Analysis of Fortress’s Oracle Manipulation Attack

    May 09, 2022

  • Beosin Has Completed Security Audit Service of Alpha Quark: No Critical

    May 05, 2022

Join the community to discuss.