December 11, 2023

Unveiling the Ethereum TIME Contract Hack: Exploiting ERC2771 Protocol Vulnerabilities for Profit



On December 7, 2023, according to Beosin EagleEye, the TIME contract on Ethereum fell victim to a hacker attack, resulting in a profit of approximately $188,000 for the attacker.


This was no ordinary attack.


Upon tracing the origins, it was discovered that on December 4, 2023, thirdweb issued a vulnerability advisory on their blog and official channels stating, “On November 20, 2023, we realized that there is a security vulnerability in the integration of a common open-source library pattern for web3 smart contracts. This vulnerability affects some pre-built smart contracts of Thirdweb, and we have reached out to the relevant project teams for mitigation.”


On December 7th, the TIME contract on Ethereum became the first project to fall victim to this security issue. Today, let’s uncover the truth behind this attack.


Protocol Background Overview

ERC2771 Native Meta Transaction Security Protocol:

The EIP 2771 protocol defines a contract-level protocol for the recipient contract to accept meta transactions through a trusted relay contract. No protocol changes are made. The protocol is designed to allow Ethereum to accept calls from external accounts that do not have ETH to pay for gas fees. The protocol sends valid msg.sender (called _msgSender()) and msg.data (called _msgData()) to the recipient contract by appending additional calldata. The intent is to let Ethereum accept calls from external accounts without ETH to pay for gas fees.


Due to the specific design, the msg.sender, as described in the protocol, is obtained through the _msgSender() function. This function checks whether the initiator is a trusted relay and, if so, intercepts the last 20 bytes of the incoming calldata as the initiator of the transaction.



Muticall Batch Processing Library:

Muticall is a feature library provided by OpenZeppelin Contracts for processing multiple calls in a single external call.


From the Time event, we can see that the Multicall() function in its codebase iterates through DelegateCall functions to process Calldata and call other functions in this contract.



TIME Contract Event Information

● Attack Transaction

0xecdd111a60debfadc6533de30fb7f55dc5ceed01dfadd30e4a7ebdb416d2f6b6

● Attacker’s Address

0xfde0d1575ed8e06fbf36256bcdfa1f359281455a

● Attack Contract

0x6980a47bee930a4584b09ee79ebe46484fbdbdd0

● Attacked Contract

0x4b0e9a7da8bab813efae92a6651019b8bd6c0a29


TIME Contract Event Vulnerability Analysis

This attack primarily exploited a Forwarder contract that called the multicall function of the TIME token. Due to the use of the ERC2771 native meta-transaction security protocol by the TIME token, the attacker maliciously forged _msg.sender, leading to the destruction of tokens in the pair. Ultimately, the attacker profited from the token’s price increase through exchanges.


TIME Contract Event Attack Flow

1. The attacker initially used 5 WTH to exchange for approximately 3.45 billion Time tokens as preparatory funds.



2. Subsequently, the attacker called the Forwarder’s execute function through signature verification, passing in malicious calldata as follows:



3. At this point, the execute function would call the req.to address (Time token address), package req.data and req.from address, and call the multicall function of the Time token. How did the hacker discard req.from? The hacker set the length (size) of data[1] to 0x38, causing multicall to truncate req.from when parsing data.



4. The multicall function called the burn function, destroying Time tokens in the pair as the caller.



5. Finally, the attacker called the sync function in the pair to synchronize the reserves, causing the price of Time tokens to rise.



In the end, the hacker exchanged the TIME tokens obtained during the preparation phase for ETH in the pair, resulting in a profit of $188,000. This attack event once again reminds us of the critical importance of smart contract security. Project teams must strengthen vulnerability identification and remediation efforts to ensure the sustainable development of the blockchain ecosystem and the security of user.


Contact

If you need any blockchain security services, welcome to contact us:

Official Website Beosin EagleEye Twitter Telegram Linkedin

Related Project

Related Project Secure Score

Guess you like
Learn More
  • TON’s Ambition to Bring Billions of Users to Web3 — What Are the Features of Its Smart Contract Development Language?

    December 07, 2023

  • Interpreting TON Ecology: An Overview of Popular Projects in the TON Ecosystem

    December 11, 2023

  • Analyzing the Viral Spread of xPet in the Web3 Space: A Security Perspective on the Recent Buzz

    December 12, 2023

  • A Night of Horror: Security Incident Analysis of Ledger Connect Kit

    December 18, 2023

Join the community to discuss.