Analysis 2023-07-11

How a Fake Token Attack Drained $144,000 from Biswap Users on BSC

Daniel Tan

Security Operation / Audit

Summary

On July 1st, 2023, an attacker exploited a vulnerability in the Biswap V3Migrator contract on Binance Smart Chain (BSC) and stole about $144,000 worth of tokens from unsuspecting users. The attacker used a fake token attack to manipulate the parameters of the migration function and siphon off the liquidity of users who had approved their liquidity provider (LP) tokens to the V3Migrator contract. The exploit was possible because the V3Migrator contract did not validate the parameters when migrating from Biswap V2 to Biswap V3. The attack could have resulted in losses of tens of millions of dollars for Biswap users if it had not been stopped in time.

Transactions

The attacker executed three transactions to carry out the exploit:

  • https://bscscan.com//tx/0xe13ec0941580d3c286b46fa6566f20195bdd52b3d65fc7ff4a953a8fc774c6c4
  • https://bscscan.com//tx/0xe5c89e9ac217e4e16c2399f3597f7b5fbb73b45c1d3360788ee51ea2561def3a
  • https://bscscan.com//tx/0x8693a95f8481ba02ceaabed8e95b4e1eb8ac589c69c027c96b12ac5295714c3f

Attacker

The attacker’s address is [0xa1e31b29f94296fc85fac8739511360f279b1976].

Attacking Contract

The attacking contract is [0x1d448e9661c5abfc732ea81330c6439b0aa449b5]. This contract was deployed by the attacker on June 30th, 2023, one day before the exploit. The contract has a simple logic that calls the V3Migrator contract with different parameters.

Attacked Contract

The attacked contract is [0x839b0afd0a0528ea184448e890cbaaffd99c1dbf]. This is Biswap’s V3Migrator contract that was deployed on June 28th, 2023. The contract is supposed to help users migrate their LP tokens from Biswap V2 to Biswap V3.

Attacking Steps

The attacker exploited a flaw in the V3Migrator contract that allowed them to tamper with the parameters of the migration function. The attacking steps are as follows:

  1. Victims approved LP tokens for the Biswap V3Migrator contract;
  2. The attacker burned the victim’s V2 LP token and added V3 liquidity with fake tokens. At this step, the token0 and token1 of V2 LP were still in the V3Migrator contract;
  3. The attacker burned the fake V2 LP token and added V3 liquidity with token0 and token1 of V2 LP. Finally, the surplus token0 and token1 that were not used to add the V3 liquidity were transferred back to the attacker. At the same time, the V3 liquidity in this step also belonged to the attacker.

Root Cause

The root cause of the exploit is that Biswap’s V3Migrator contract did not validate the parameters when migrating from Biswap V2 to Biswap V3. Specifically, the contract does not verify that the token0 and token1 parameters match the actual tokens in the V2 LP token. This allows the attacker to pass fake tokens and amounts to the migration function and steal the real tokens from users who approved LP tokens to the V3Migrator contract.
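
A sketch of the missing validation, added here as an example; it is not Biswap's code and not part of the original article. It assumes Uniswap-V2-style pair and factory interfaces; `ValidatedMigrator`, `IV2Factory`, `IV2Pair`, the trimmed `MigrateParams` and `_mintV3Position` are hypothetical names, and the factory check goes beyond the stated root cause so that a fake V2 LP token like the one in step 3 is rejected as well.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal Uniswap-V2-style interfaces; the names are assumptions for this sketch.
interface IV2Factory {
    function getPair(address a, address b) external view returns (address);
}
interface IV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function burn(address to) external returns (uint256 amount0, uint256 amount1);
}

abstract contract ValidatedMigrator {
    IV2Factory public immutable v2Factory; // trusted V2 factory, fixed at deployment

    struct MigrateParams {
        address pair;               // V2 LP token to migrate
        address token0;             // caller-supplied, untrusted until checked
        address token1;             // caller-supplied, untrusted until checked
        uint256 liquidityToMigrate;
    }

    constructor(IV2Factory factory_) { v2Factory = factory_; }

    function migrate(MigrateParams calldata p) external {
        IV2Pair pair = IV2Pair(p.pair);
        // 1. The LP token must be the pair the trusted factory created for these
        //    tokens; a look-alike LP contract fails here.
        require(v2Factory.getPair(p.token0, p.token1) == p.pair, "unknown pair");
        // 2. token0/token1 must be exactly (and in the same order as) the tokens
        //    the pair pays out on burn.
        require(pair.token0() == p.token0 && pair.token1() == p.token1, "token mismatch");
        // 3. This sketch pulls LP from the caller only, so an approval given to the
        //    migrator cannot be spent by a third party.
        require(pair.transferFrom(msg.sender, p.pair, p.liquidityToMigrate), "pull failed");
        (uint256 amount0, uint256 amount1) = pair.burn(address(this));
        // Only the burn proceeds, in the validated tokens, go into the V3 position.
        _mintV3Position(p.token0, p.token1, amount0, amount1, msg.sender);
    }

    // Hypothetical hook: mint the V3 position and refund unused amount0/amount1.
    function _mintV3Position(
        address t0, address t1, uint256 a0, uint256 a1, address owner
    ) internal virtual;
}
```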

Key Code

[Figure: screenshot of the key code; image not available]

Asset Loss

The attacker (0xa1e31b29f94296fc85fac8739511360f279b1976) made a profit of ~$144,000.

Financial Flows

The attacker removed the liquidity and swapped the tokens for $BNB. Finally, the attacker transferred 603 $BNB into Tornado Cash for money laundering.

PoC

https://github.com/SunWeb3Sec/DeFiHackLabs/blob/main/src/test/Biswap_exp.sol

Suggested Solution

We highly recommend that users revoke their approval to the Biswap V3Migrator contract using https://bscscan.com/tokenapprovalchecker

Conclusion

The Biswap exploit is another example of how fake token attacks can be used to exploit DEXes on BSC. The exploit shows the importance of validating the parameters and balances of contracts that handle user funds. Users should also be careful when approving their tokens to third-party contracts and check the source code and audits of the contracts before using them.

As the leading web3 security service provider, MetaTrust Labs was the first to discover this attack and report it to Biswap on Twitter on July 1st. MetaTrust Labs also provided Biswap with two suggestions to stop the attack and prevent further losses:

  • Ask users to revoke their approvals for the V3Migrator contract as soon as possible, so that the attacker could not access their LP tokens anymore;
  • Delete their own tweet that promoted the V3 migration and informed users about the benefits of migrating their LP tokens, as this tweet could mislead users into falling victim to the attack.

If this attack had not been stopped in time, all of Biswap’s migration contracts would have suffered losses of tens of millions of dollars. This would have been a devastating blow to Biswap and its users, as well as a serious setback for the development of DEXes on BSC.

About Us

At MetaTrust, our primary focus is on creating a secure infrastructure that caters to the needs of developers in the WEB 3.0 space. We offer an array of AI-Driven automation tools and security services to assist Web3 developers and project stakeholders in achieving a secure development environment.
