1/ We detected a hack on @ThoreumFinance. The hacker (0x1ae2dc57399b2f4597366c5bf4fe39859c006f99) gained ~2000 BNB and deposited it to Tornado (via 0x1285fe345523f00ab1a66acd18d9e23d18d2e35c). #Web3 #Hacking
@ThoreumFinance 2/ We think the root cause is in the "transfer" function. In the tx, when 0x7d1e1901226e0ba389bfb1281ede859e6e48cc3d calls transfer to itself, its balance increases. By doing this repeatedly, it ends up with 500k+ $THOREUM tokens.
@ThoreumFinance 3/ In the same tx, all the gained $THOREUM tokens are swapped to WBNB and sent to 0x1285fe345523f00ab1a66acd18d9e23d18d2e35c, which later deposits into Tornado. Since the source code is not verified, the analysis is based on our Akkala emulator.
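Since the THOREUM source is unverified, the thread cannot show the faulty transfer. The contract below is an added illustration (not THOREUM's code, and the mechanism is an assumption) of the most common way a transfer to self inflates the sender's balance: both balances are read into locals before either is written back, so when `from == to` the credit overwrites the debit.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not THOREUM's code. Shows a cached-balance transfer that
// doubles the caller's balance on every self-transfer, beside the safe ordering.
contract SelfTransferBug {
    mapping(address => uint256) private _balances;
    uint256 public totalSupply;

    constructor(uint256 initial) {
        _balances[msg.sender] = initial;
        totalSupply = initial;
    }

    function balanceOf(address a) external view returns (uint256) {
        return _balances[a];
    }

    // VULNERABLE: balances are cached, then written back in two steps.
    // With to == msg.sender and amount == fromBalance:
    //   _balances[from] = 0, then _balances[to] = fromBalance + amount = 2x.
    // Calling transferVulnerable(self, balanceOf(self)) n times gives balance * 2^n
    // without any change to totalSupply, which is exactly what a monitor should flag.
    function transferVulnerable(address to, uint256 amount) external returns (bool) {
        address from = msg.sender;
        uint256 fromBalance = _balances[from];
        uint256 toBalance = _balances[to];
        require(fromBalance >= amount, "insufficient");
        _balances[from] = fromBalance - amount;
        _balances[to] = toBalance + amount; // overwrites the debit when to == from
        return true;
    }

    // FIXED (the OpenZeppelin ordering): debit storage first, then credit by
    // reading storage again, so a self-transfer is a no-op.
    function transferFixed(address to, uint256 amount) external returns (bool) {
        address from = msg.sender;
        uint256 fromBalance = _balances[from];
        require(fromBalance >= amount, "insufficient");
        unchecked { _balances[from] = fromBalance - amount; }
        _balances[to] += amount; // sees the already-debited balance when to == from
        return true;
    }
}
```

The invariant worth checking off-chain, and the one a balance-inflation bug of this shape breaks, is that the sum of all balances stays equal to `totalSupply` across every transfer.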
10,000,000,000,000 aBNBc tokens were minted in tx 0xe367d05e7ff37eb6d0b7d763495f218740c979348d7a3b6d8e72d3b947c86e33 and sent to address 0xf3a465c9fa6663ff50794c698f600faa4b05c777. These aBNBc tokens are being swapped to USDC and WBNB now.
2/ 0xf3a465c9fa6663ff50794c698f600faa4b05c777 is transferring $$ out via Tornado and cBridge now.
1/ Our monitoring system found that token MBC bscscan.com/address/0x4e87… was hacked. @CXH21294765 @Moonbirds_Club. The hacker (0x9cc3270de4a3948449c1a73eabff5d0275f60785) gained around 5.6k BUSD and transferred it to contract 0xad2D2CB5F91e7AdEE7b029958A58fE6a38e282EB.
@CXH21294765 @Moonbirds_Club 2/ The root cause is that the MBC contract uses the function addLiquidity() incorrectly and also accidentally exposes the interface as public. The function swapAndLiquifyStepv1() uses the balance of address(this) as the desired reserve amount, which is meant to keep the reserves.
@CXH21294765 @Moonbirds_Club 3/ The problem is that it tries to add liquidity *AFTER* the swap. The hacker used flashloan() to borrow 150k BUSD and swapped it for 11.6k MBC tokens. The token ratio dropped from 1.13:1 to 0.0053:1, and then swapAndLiquifyStepv1() used the latest ratio (0.0053:1) as the reserve ratio.
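The contract below is an added illustration of the pattern the thread describes, not MBC's code (whose exact logic is not visible here). The vulnerable function is public, swaps first, and then calls `addLiquidity` with zero minimums, so the contract's own balances are deposited at whatever ratio the pair has at call time. The hardened version restricts the caller, compares the pool's spot price against a reference price that a flash loan inside the caller's transaction cannot move (assumed to be fed from a TWAP or a keeper in an earlier block), and passes non-zero minimums to the router. The interface signatures are the standard Uniswap V2 ones that PancakeSwap also exposes; the token, tolerance and reference mechanism are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not MBC's code. Vulnerable swap-and-liquify beside a
// hardened one. With the 3% tolerance below, a pool whose ratio moved from
// 1.13:1 to 0.0053:1 would be rejected before any swap or deposit happened.

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function approve(address, uint256) external returns (bool);
}

interface IUniswapV2Pair {
    function token0() external view returns (address);
    function getReserves() external view returns (uint112, uint112, uint32);
}

interface IUniswapV2Router02 {
    function addLiquidity(
        address tokenA, address tokenB, uint256 amountADesired, uint256 amountBDesired,
        uint256 amountAMin, uint256 amountBMin, address to, uint256 deadline
    ) external returns (uint256, uint256, uint256);
    function swapExactTokensForTokensSupportingFeeOnTransferTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path, address to, uint256 deadline
    ) external;
}

contract SwapAndLiquifyExample {
    address public owner;
    IERC20 public immutable token;   // hypothetical project token
    IERC20 public immutable busd;
    IUniswapV2Pair public immutable pair;
    IUniswapV2Router02 public immutable router;

    // BUSD per token, 1e18 fixed point. Assumed to be maintained out of band
    // (pair TWAP or a keeper in an earlier block), so it cannot be moved by a
    // flash loan inside the transaction that calls this contract.
    uint256 public referenceBusdPerToken;
    uint256 public constant MAX_DEVIATION_BPS = 300; // 3% tolerance (assumed)

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC20 _token, IERC20 _busd, IUniswapV2Pair _pair, IUniswapV2Router02 _router, uint256 _ref) {
        owner = msg.sender;
        token = _token; busd = _busd; pair = _pair; router = _router;
        referenceBusdPerToken = _ref;
    }

    function setReferencePrice(uint256 busdPerToken) external onlyOwner { referenceBusdPerToken = busdPerToken; }

    // VULNERABLE PATTERN (do not deploy). In one transaction an attacker can:
    // flash-loan BUSD -> buy token to distort the pair -> call this function ->
    // the contract swaps and deposits its balances at the distorted ratio ->
    // attacker swaps back, collecting the value the contract mispriced -> repay.
    function swapAndLiquifyVulnerable() public {
        uint256 half = token.balanceOf(address(this)) / 2;
        _swapTokenForBusd(half, 0);
        uint256 busdAmt = busd.balanceOf(address(this));
        _approveBoth(half, busdAmt);
        router.addLiquidity(address(token), address(busd), half, busdAmt, 0, 0, owner, block.timestamp);
    }

    function swapAndLiquifyHardened() external onlyOwner {
        _requireSpotNearReference();                       // reject a manipulated pool up front
        uint256 half = token.balanceOf(address(this)) / 2;
        uint256 minOut = _applyTolerance(half * referenceBusdPerToken / 1e18);
        _swapTokenForBusd(half, minOut);
        _requireSpotNearReference();                       // our own swap must not distort it either
        uint256 busdAmt = busd.balanceOf(address(this));
        _approveBoth(half, busdAmt);
        router.addLiquidity(address(token), address(busd), half, busdAmt,
            _applyTolerance(half), _applyTolerance(busdAmt), owner, block.timestamp);
    }

    // Spot price in BUSD per token from the reserves, whichever order the pair stores them.
    function spotBusdPerToken() public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        bool tokenIs0 = pair.token0() == address(token);
        uint256 rToken = tokenIs0 ? r0 : r1;
        uint256 rBusd = tokenIs0 ? r1 : r0;
        return rBusd * 1e18 / rToken;
    }

    function _requireSpotNearReference() internal view {
        uint256 spot = spotBusdPerToken();
        uint256 ref = referenceBusdPerToken;
        uint256 diff = spot > ref ? spot - ref : ref - spot;
        require(diff * 10_000 <= ref * MAX_DEVIATION_BPS, "pool price far from reference");
    }

    function _applyTolerance(uint256 amount) internal pure returns (uint256) {
        return amount * (10_000 - MAX_DEVIATION_BPS) / 10_000;
    }

    function _approveBoth(uint256 tokenAmt, uint256 busdAmt) internal {
        token.approve(address(router), tokenAmt);
        busd.approve(address(router), busdAmt);
    }

    function _swapTokenForBusd(uint256 amountIn, uint256 minOut) internal {
        address[] memory path = new address[](2);
        path[0] = address(token);
        path[1] = address(busd);
        token.approve(address(router), amountIn);
        router.swapExactTokensForTokensSupportingFeeOnTransferTokens(amountIn, minOut, path, address(this), block.timestamp);
    }
}
```

Note that snapshotting the reserves at the start of the call would not help: by the time the attacker calls the function, the pool is already distorted, so the reference has to come from outside the attacker's transaction (a TWAP or an earlier block). Restricting the caller removes the cheapest trigger; the price check protects the owner path as well.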
@AURofficial_ 2/ It seems to be a hack. The attacker 0x6903499751f973052155df339116b6c6b24ac24b used contract 0x3d743b2f760a431cc20047cb5c7758c9a8860d6b to call createNode() with 0.01 BNB in tx bscscan.com/tx/0xb3bc6ca25….
@AURofficial_ 3/ Due to the lack of a permission check on the function changeRewardPerNode(), the attacker could change that value to a huge number, which is then used to calculate node rewards.
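The contract below is an added illustration, not the project's code: a minimal node-reward scheme with an unguarded `changeRewardPerNode` beside one that is owner-only, capped and logged. The reward formula, node price and cap are assumptions; in this model the rate is multiplied by elapsed time, so an attacker who sets it would collect in a later block, whereas the real contract's formula is not shown on the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the project's code. Rewards accrue per node per day;
// whoever can set rewardPerNodePerDay controls the payout of every claim.
contract NodeRewardsExample {
    address public owner;
    uint256 public constant NODE_PRICE = 0.01 ether;                  // assumed
    uint256 public constant MAX_REWARD_PER_NODE_PER_DAY = 0.01 ether; // hard cap (assumed)
    uint256 public rewardPerNodePerDay = 0.001 ether;                 // assumed initial rate

    struct Node { uint256 count; uint256 lastAccrual; uint256 pending; }
    mapping(address => Node) public nodes;

    event RewardPerNodeChanged(uint256 oldValue, uint256 newValue, address by);

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor() { owner = msg.sender; }

    function pendingRewards(address who) public view returns (uint256) {
        Node memory n = nodes[who];
        if (n.count == 0) return n.pending;
        return n.pending + n.count * rewardPerNodePerDay * (block.timestamp - n.lastAccrual) / 1 days;
    }

    function _accrue(address who) internal {
        Node storage n = nodes[who];
        n.pending = pendingRewards(who);
        n.lastAccrual = block.timestamp;
    }

    function createNode() external payable {
        require(msg.value == NODE_PRICE, "wrong price");
        _accrue(msg.sender);
        nodes[msg.sender].count += 1;
    }

    // Checks-effects-interactions: pending is zeroed before the external call.
    function claim() external {
        _accrue(msg.sender);
        uint256 amount = nodes[msg.sender].pending;
        nodes[msg.sender].pending = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "payout failed");
    }

    // VULNERABLE: no permission check. Anyone holding a single node can set the
    // rate to a huge number and drain the contract balance through claim().
    function changeRewardPerNodeVulnerable(uint256 newValue) external {
        rewardPerNodePerDay = newValue;
    }

    // FIXED: owner-only, bounded by a hard cap so even a compromised owner key
    // cannot set an absurd rate, and logged so an off-chain monitor can alert.
    function changeRewardPerNode(uint256 newValue) external onlyOwner {
        require(newValue <= MAX_REWARD_PER_NODE_PER_DAY, "above cap");
        emit RewardPerNodeChanged(rewardPerNodePerDay, newValue, msg.sender);
        rewardPerNodePerDay = newValue;
    }
}
```

Two things a reviewer looks for beyond the missing modifier: every function that writes a parameter feeding a payout calculation should be restricted, and the parameter should have an upper bound and an event, so that a bad value is both prevented and visible.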