On February 10, 2023, some reflection mechanism tokens on BNB Chain were attacked and spread to multiple tokens. MetaTrust conducted a thorough analysis and found several dozens of tokens that were not yet attacked through its exclusive IP Analyzer engine.

What is a reflection token

In Yield farming, liquidity mining, and staking projects in DeFi, users can lock up some assets to earn interest on their held cryptocurrency over a specific period. However, when the value of the collateral assets decreases, users also bear the losses from the asset’s decline. This drawback led to the creation of reflection tokens. Simply put, reflection tokens come with a similar staking mechanism, in theory, eliminating the need to lock tokens and providing similar staking benefits.

Specifically, reflection tokens reduce the circulating supply of tokens in the market by taxing each sale of tokens, maintaining a high coin price, avoiding a direct drop in token prices due to token sales, and distributing the revenue to all users. However, some tokens in order to reduce the circulating supply of tokens as quickly as possible, opened up the token destruction mechanism to all holders, allowing each user to destroy tokens after holding them to maintain the circulating supply of tokens in the market. As a result, every time a user destroys tokens, the total supply of tokens decreases, leading to an increase in token prices in decentralized exchanges.

Attack Analysis

In this attack, the general steps of the user’s attack process are as follows:

1. Flash loan
2. Authorize WETH to pair
3. Target token for WETH
4. Repeatedly burn your own token
5. sync
6. Target token exchanges WETH
7. Return the flash loan
8. Transfer profits

The key step is step 4. The core code is as follows:

1function balanceOf(address account) public view override returns (uint256) {
2    if (_isExcluded[account]) return _tOwned[account];
3    return tokenFromReflection(_rOwned[account]);
4}
1function balanceOf(address account) public view override returns (uint256) {
2    if (_isExcluded[account]) return _tOwned[account];
3    return tokenFromReflection(_rOwned[account]);
4}

1function _burn(address _who, uint256 _value) internal {
2    require(_value <= _rOwned[_who]);
3    _rOwned[_who] = _rOwned[_who].sub(_value);
4    _tTotal = _tTotal.sub(_value);
5    emit Transfer(_who, address(0), _value);
6}function tokenFromReflection(uint256 rAmount) public view returns(uint256) {
7    require(rAmount <= _rTotal, "Amount must be less than total reflections");
8    uint256 currentRate =  _getRate();
9    return rAmount.div(currentRate);}function _getRate() private view returns(uint256) {
10    (uint256 rSupply, uint256 tSupply) = _getCurrentSupply();
11    return rSupply.div(tSupply);
12}
13function _getCurrentSupply() private view returns(uint256, uint256) {
14    uint256 rSupply = _rTotal;
15    uint256 tSupply = _tTotal;
16    for (uint256 i = 0; i < _excluded.length; i++) {
17        if (_rOwned[_excluded[i]] > rSupply || _tOwned[_excluded[i]] > tSupply) return (_rTotal, _tTotal);
18        rSupply = rSupply.sub(_rOwned[_excluded[i]]);
19        tSupply = tSupply.sub(_tOwned[_excluded[i]]);
20    }
21    if (rSupply < _rTotal.div(_tTotal)) return (_rTotal, _tTotal);
22    return (rSupply, tSupply);
23}
1function _burn(address _who, uint256 _value) internal {
2    require(_value <= _rOwned[_who]);
3    _rOwned[_who] = _rOwned[_who].sub(_value);
4    _tTotal = _tTotal.sub(_value);
5    emit Transfer(_who, address(0), _value);
6}function tokenFromReflection(uint256 rAmount) public view returns(uint256) {
7    require(rAmount <= _rTotal, "Amount must be less than total reflections");
8    uint256 currentRate =  _getRate();
9    return rAmount.div(currentRate);}function _getRate() private view returns(uint256) {
10    (uint256 rSupply, uint256 tSupply) = _getCurrentSupply();
11    return rSupply.div(tSupply);
12}
13function _getCurrentSupply() private view returns(uint256, uint256) {
14    uint256 rSupply = _rTotal;
15    uint256 tSupply = _tTotal;
16    for (uint256 i = 0; i < _excluded.length; i++) {
17        if (_rOwned[_excluded[i]] > rSupply || _tOwned[_excluded[i]] > tSupply) return (_rTotal, _tTotal);
18        rSupply = rSupply.sub(_rOwned[_excluded[i]]);
19        tSupply = tSupply.sub(_tOwned[_excluded[i]]);
20    }
21    if (rSupply < _rTotal.div(_tTotal)) return (_rTotal, _tTotal);
22    return (rSupply, tSupply);
23}

In balanceOf, unlike the traditional erc20 token, the balance acquisition of an account may be recalculated in real time through the current totalsupply, rather than relying on the actual holdings of users, which means that balanceOf (account) depends on the value of tokenFromReflection (_rOwned [account]). Continue to analyze, and we find the order of data dependence. Here we use a mathematical formula to express:

https://miro.medium.com/v2/resize:fit:1400/0*RQxotZdhnm3FaVhP

According to this formula, we can find that if the tTotal is smaller, the calculated balanceOf (account) is smaller, and users can destroy their own tokens through the call of the burn function to make the tTotal smaller. The final result is that when calculating the amount of tokens held in the liquidity pool balanceOf (liquidityPool), the result will be smaller than expected, which will cause the price of tokens in the liquidity pool to rise, Users can hold some tokens in advance and make profits after the token price in the liquidity pool rises

Our unique finding

We found that many tokens follow this design pattern, and their characteristics are very distinct: that is, it contains the above functions simultaneously. Based on this feature, combined with MetaTrust’s unique IP Analyzer engine, we found that tokens in multiple chains have such vulnerabilities. As of noon on February 12, 2023, there are still some tokens that can be attacked. Take Ethereum as an example, the potential loss is about $11000:

https://miro.medium.com/v2/resize:fit:1400/0*mL6XrrDy4H2o00Ih

Take the token 0xe8847d2fa66d0d1f4a77221cae1e47d8d59cf7d7 as an example. Its code also contains these key functions

Its corresponding liquidity pool is:0xd3a3b04e222229ec1dd1215363b7ac5e0102eb8e

In addition, our data set also contains the potential vulnerability tokens of BNB Polygon and the other 9 EVM chains

IP Analyzer

IP Analyzer ****is a code clone detection engine that uses machine learning models to detect similarities in contracts from the chain, open source library and project sources. This engine also builds a code usage dependency graph among all available smart contracts on the chains using function-level clone detection. Using the graph, we can find all dependent sub-contracts or similar contracts for the given contract, which can discover vulnerabilities introduced by the code clone and code reuse.

Other Engine from Metatrust

Security Analyzer: Security Analyzer performs static analysis to detect vulnerabilities on the source code level using a set of comprehensive vulnerability patterns. This engine leverages data flow, control flow and money flow to perform precise security analysis. Furthermore, we have defined MetaTrust security rule standards, which contain about 150 rules to cover a wide range of smart contract vulnerabilities including logical and economical bugs.

Security Prover: Prover is a smart contract vulnerability detection tool based on source code-level symbolic execution technology. Simulating the program running process and predicting its behavior, Prover can predict the operation of smart contracts and identify possible vulnerabilities, including capital loss, privacy disclosure, etc. It helps developers identify contract boundaries and control structures, and provides comprehensive vulnerability PoC.

Open Source Analyzer: this Analyzer focuses on open-source security. It detects the relationship between the project and third-party open-source libraries, such as Openzeppelin and Pancakeswap. By monitoring vulnerabilities of open source libraries, security issues of projects can be alerted.

Our Website

https://metatrust.io/

@MetatrustLabs

The deflation token attack on the BNB chain, Metatrust found dozens of tokens on the EVM chain that were not attacked.

On February 10, 2023, some reflection mechanism tokens on BNB Chain were attacked and spread to multiple tokens. Metatrust conducted a thorough analysis and found several dozens of tokens that were not yet attacked through its exclusive IP Analyzer engine.

https://miro.medium.com/v2/resize:fit:1400/0*B_7P_FY6Ywxn0ZFV

If any EVM chain organization needs information about these tokens, please contact us (Ty@metatrust.io).