Hackers’ attack on Paraluni acquired more than $1.7 million

Background

At 8:04 on 13th March 2022 (HKT), Paraluni, a meta-universe financial project on the BSC chain, was attacked by hackers, who acquired more than $1.7 million. Preliminary analysis by OKLink as follow:

•  Hacker funds come from the flash loan of Pancakeswap;
• The problem lies in the “depositByAddLiquidity” method of the MasterCheif contract, which does not verify whether the token array parameter “address[2] memory _tokens” matches the LP mapped by the PID parameter, and does not add a “Re-entry Lock” when the LP amount changes.

At present, the account balance of the hacker’s address 0x94bc on the BSC chain is 3000.01 BNB (about $1,125,800), and another 235.45 ETH (about $608,600) uses cBridge to reach the ETH 0x94bc through cross-chain.

Of the 235.45 ETH transferred to the ETH network through cross-chain, 230 ETH (about $594,500) flowed into Tornado in five transactions, accounting for 1/3 of the overall profit-making funds.

Analysis

The 0x70f3 attack transaction is as follows:

• The hacker 0x94bc constructed the attack contract 0x4770 in advance, an ERC20 contract UBT 0xca2c that changed the TransferFrom method, and another contract UGT. Then the hacker called the “depositLp” method of the contract 0x4770 to start the attack;

• Using the flash loan of PancakeSwap, about 155,000 USDT and BUSD were loaned;

• Call addLiquidity of ParaRouter contract to add 155,000 BUSD_ USDT liquidity, 155,000 LP_ BUSD_ USDT and transferred to UBT contract;

• Call the “depositByAddLiquidity” method of the MasterCheif contract, add the liquidity of 1 UBT and 1 UGT, and set the PID parameter to 18 (representing Lp_BUSD_USDT);

“depositByAddLiquidity” calls the internal function “depositbyaddliquityinternal”, which does not verify the LP and token arrays.

• “depositByAddLiquidityinternal” calls the “addLiquidityInternal” internal method. The statement “paraRouter.addLiquidity” makes the transferFrom method of UBT effective. The transferFrom method of UBT contract is suspected to be non-standard ERC20. This method calls the deposit method of the MasterChef contract.

We note that in the addliquidityinternal method, the old LP balance is recorded first, then addliquidity is called, then the new LP balance is recorded, and finally the actual number of deposits is obtained with the new old. However, due to the triggering of UBT’s transferfrom, the assignment of the new LP balance is blocked, and the old LP balance fails to reflect the latest number of deposits. Therefore, the UBT contract has a deposit share of 155,000 LP, Attack contract an also has a deposit share of 155,000 LP;

• UBT and attack contract a respectively extract the LP in MasterCheif into the attack contract;

• After removing the liquidity, there are about 310,000 USDT and 310,000 BUSD in the attack contract;

• After returning the flash loan, the hacker made about 155,000 USDT and 155,000 BUSD.

Summary

A reentry attack is a vulnerability caused by the characteristics of the solidity smart contract and the improper writing of the smart contract.

The problem lies in the depositByAddLiquidity method of the MasterCheif contract of the project party, which does not verify the token array parameter address[2] memory_ Whether the tokens are consistent with the LP pointed to by the PID parameter, and the lock entry is not aggravated when the LP amount changes.

This attack reminds us that in the contract method involving the change of amount, we must pay attention to the reentry vulnerability and try to use the reentry lock modifier.