A sequence of assaults compromised a number of Binance Good Chain (BSC) initiatives in Could. Following PancakeBunny, its three forks initiatives — AutoShark, Merlin Labs, and PancakeHunny — had been additionally attacked utilizing comparable methods. PancakeBunny suffered the most expensive assault of the 4, which noticed almost $45M in complete damages. On this article, Dr. Chiachih Wu, Head of the Amber Group Blockchain Safety Staff, elaborates on the small print behind the assaults on the three copycats.
AutoShark was attacked 5 days after PancakeBunny, adopted by Merlin Labs and PancakeHunny, respectively. The next is an evaluation of the issues and potential assault methods for these three forked initiatives.
Within the SharkMinter.mintFor() operate, the quantity of rewarding SHARK tokens to be minted (i.e., mintShark) is derived from sharkBNBAmount computed by tokenToSharkBNB() in line 1494. Nevertheless, tokenToSharkBNB() references the present steadiness of flip, which makes it a susceptible level. One may assume that the quantity of tokens acquired in line 1492 is the same as the quantity of the flip steadiness. Nonetheless, a nasty actor may manipulate the flip steadiness just by sending in some flip tokens proper earlier than the getReward() name and not directly breaking the logic of tokenToSharkBNB().
Within the underlying implementation of tokenToSharkBNB() , there’s one other assault floor. As proven within the above code snippet, _flipToSharkBNBFlip() removes liquidity from ApeSwap (line 1243) or PantherSwap (line 1262) and converts the LP tokens into SHARK+WBNB. Afterward, the generateFlipToken() is invoked to transform SHARK+WBNB into SHARK-BNB LP tokens.
Inside generateFlipToken() , the present SHARK and WBNB balances of SharkMinter (amountADesired, amountBDesired) are used to generated LP tokens and the quantity of LP tokens are returned to mintFor() as sharkBNBAmount. Based mostly on that, the unhealthy actor may switch SHARK+WBNB into SharkMinter to govern the quantity of SHARK tokens to be minted as effectively.
The loophole in PancakeHunny is similar to that present in AutoShark, in that the unhealthy actor can manipulate HUNNY reward minting with HUNNY and WBNB tokens.
In comparison with AutoShark and PancakeHunny, Merlin Labs’ _getReward() has a extra apparent vulnerability.
The code snippet above exhibits that the performanceFee may very well be manipulated by the steadiness of CAKE, which not directly impacts the MERL rewards minting. Nevertheless, the nonContract modifier eliminates flash loans.
Even with out an exploit contract, the unhealthy actor may nonetheless revenue by a number of calls.
Reproducing AutoShark Assault
To breed the AutoShark hack, we have to first get some SHARK-BNB-LP tokens from PantherSwap. Particularly, we swap 0.5 WBNB into SHARK (line 58) and switch the remainder WBNB with these SHARK tokens into PantherSwap for minting SHARK-BNB-LP tokens (line 64). Afterward, we deposit these LP tokens into AutoShark’s StrategyCompoundFLIP contract (line 69) to qualify for rewards. Be aware that we purposely solely deposit half of the LP tokens in line 69.
The second step is to make getReward() go into the SharkMinter contract. Within the above code snippet, we all know that the reward will be retrieved by the earned() operate (line 1658). Apart from, 30% of the reward (i.e., performanceFee) must be higher than 1,000 (i.e., DUST) to set off the SharkMinter.mintFor() in line 1668.
Subsequently, in our exploit code, we switch some LP tokens to the StrategyCompoundFLIP contract in line 76 to bypass the performanceFee > DUST verify and set off the mintFor() name. Since we’d like a variety of WBNB+SHARK to govern SharkMinter, we leverage PantherSwap’s 100k WBNB through a flash-swap name in line 81.
Within the flash-swap callback, pancakeCall(), we alternate half of the WBNB into SHARK and ship the SHARK with the remaining 50,000 WBNB to the SharkMinter contract to govern the reward minting.
The following step is to set off getReward() when the SharkMinter receives the WBNB+SHARK tokens to mint a considerable amount of SHARK to the caller.
The final step is to transform SHARK to WBNB, pay the flash mortgage, and stroll away with the remaining WBNB tokens.
In our experiment, the unhealthy actor begins with 1 WBNB. With the assistance of flash loans, he income from greater than 1,000 WBNB being returned in a single transaction.
Reproducing PancakeHunny Assault
The idea behind the PancakeHunny assault is just like the AutoShark assault. Briefly, we have to ship a variety of HUNNY+WBNB to HunnyMinter earlier than triggering getReward(). Nevertheless, the HUNNY token contract has a safety mechanism referred to as antiWhale to stop great amount transfers. Subsequently, flash loans don’t work right here.
To bypass antiWhale, we create a number of youngster contracts and provoke a number of CakeFlipVault.deposit() calls through stated contracts.
Within the above exploit code snippet, the LP tokens gathered in line 116 are divided into 10 elements and transferred to 10 Lib contracts in line 122 adopted by Lib.put together() requires every of them.
Inside Lib.put together(), we approve() the CakeFlipVault to spend the LP tokens and invoke CakeFlipVault.deposit() to allow the later getReward() requires minting rewarding HUNNY tokens.
After getting ready 10 Lib contracts, the primary contract iterates every of them to: 1) swap WBNB to the utmost allowable quantity of HUNNY; 2) switch WBNB+HUNNY to HunnyMinter; 3) set off getReward() through lib.set off(); and 4) swap HUNNY again to WBNB.
Ultimately, the unhealthy actor with 10 WBNB earns round 200 WBNB from 10 runs of 10 Lib contracts operations.
Reproducing Merlin Labs Assault
As talked about earlier, Merlin Labs has the noContract modifier to do away with flash mortgage assaults. Nevertheless, we may use a script to set off the assault with a number of transactions initiated from an EOA (Externally Owned Account) tackle. The one distinction is that somebody could front-run the unhealthy actor’s transaction to steal the income.
Just like the AutoShark assault, we have to put together sufficient LINK and WBNB (line 23), use them to mint WBNB-LINK-LP tokens (line 34), and deposit LP tokens into VaultFlipCake contract (line 38).
The remaining actions are:
- Swapping WBNB to CAKE (line 42).
- Manipulating MERL minting by sending CAKE to VaultFlipToCake contract (line 50).
- Triggering getReward() in line 55 (a considerable amount of MERL tokens are minted).
- Swapping MERL again to WBNB and repeating the above steps a number of occasions.
As talked about earlier, if somebody entrance runs step 3 proper after step 2, that individual may take away a considerable amount of MERL.
In our experiment, the unhealthy actor begins with 10 WBNB and walks away with round 165 WBNB by repeating the 4 steps 10 occasions.
About Amber Group
Amber Group is a number one international crypto finance service supplier working world wide and across the clock with a presence in Hong Kong, Taipei, Seoul, and Vancouver. Based in 2017, Amber Group companies over 500 institutional shoppers and has cumulatively traded over $500 billion throughout 100+ digital exchanges, with over $1.5 billion in property beneath administration. In 2021, Amber Group raised $100 million in Sequence B funding and have become the newest FinTech unicorn valued at over $1 billion. For extra info, please go to www.ambergroup.io.