Analysis | 2023-06-12

Unraveling the $UN Attack: A Flash Loan Exploits Flaw in Token Contract


Daniel Tan


Security Operation / Audit

Summary

$UN on BSC was hit by a flash-loan attack, with a loss of $26,000.

On Jun-06-2023, the decentralized finance (DeFi) project $UN on the Binance Smart Chain (BSC) fell victim to a targeted attack involving a flash loan. It was a typical skim attack: it resulted in a significant loss of $26,000, left the UN-LP pair compromised, and sent the price of $UN soaring. The attacker exploited the situation to maximize their profit and then swiftly dumped the $UN token. Join us as we unravel the details and explore the implications of this incident.

Attacker

https://bscscan.com/address/0xf84efa8a9f7e68855cf17eaac9c2f97a9d131366

Transaction

https://bscscan.com/tx/0xff5515268d53df41d407036f547b206e288b226989da496fda367bfeb31c5b8b

Attacking Contract

https://bscscan.com/address/0x98e241bd3be918e0d927af81b430be00d86b04f9

Attacked Contract

https://bscscan.com/address/0x5f739a4ade4341d4aee049e679095bccbe904ee1

Asset Loss

$26,000

Attacking Steps

  1. The attacker obtains 29,100,000,000,000,001,048,576 BSC-USD through a flash loan from DPPOracle.
  2. Swap 29,100,000,000,000,001,048,576 BSC-USD for 91,391,982,773,176,450,879,376 $UN.
  3. Transfer 84,994,543,979,054,099,317,825 $UN to the UN-LP pair.
  4. Call the skim function of the UN-LP pair to send the $UN to the attacker. At this point, 2,307,601,869,031,318,796,481 $UN are transferred out of the UN-LP pair to the UNStake contract, which increases the price of $UN.
  5. Repeat steps 3 and 4 to hugely increase the $UN price.
  6. Finally, swap 55,441,019,173,629,144,550,663 $UN for 55,658,707,032,043,243,002,112 BSC-USD, for a profit of 26,558,707,032,043,241,953,536 BSC-USD.

Root Cause

The attack on $UN on BSC can be attributed to an inherent flaw in the $UN token contract. The flaw allowed the attacker to transfer $UN tokens out of the UN-LP pair, which led to a significant increase in the price of $UN. In effect, the token contract gave the attacker a way to manipulate the token's value.
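As an added illustration (not code from the original article or from the $UN project), the following Python model shows the invariant a skim call should preserve and how it breaks when a token's transfer logic moves tokens out of the pair. The hook rate, the sync after each round, and all names and balances are assumptions made for the example.

```python
# Added example: a simplified model, not the $UN contract. The transfer hook, its
# rate and the sync() per round are assumptions; balances are constructed values.
DRAIN_BPS = 250  # hypothetical: extra 2.5% debited from the pair per outgoing transfer

class Token:
    def __init__(self, drain_bps):
        self.bal = {"pair": 0, "stake": 0, "user": 0}
        self.drain_bps = drain_bps

    def transfer(self, src, dst, amount):
        if amount < 0 or self.bal[src] < amount:
            raise ValueError("invalid amount")
        self.bal[src] -= amount
        self.bal[dst] += amount
        if src == "pair":
            # Assumed flaw: a transfer sent by the pair also moves extra pair tokens to staking.
            extra = min(amount * self.drain_bps // 10_000, self.bal["pair"])
            self.bal["pair"] -= extra
            self.bal["stake"] += extra

class Pair:
    """Constant-product pair reduced to the parts skim() touches."""
    def __init__(self, token, token_reserve, usd_reserve):
        self.token, self.reserve, self.usd = token, token_reserve, usd_reserve
        token.bal["pair"] = token_reserve

    def skim(self, to):
        # Uniswap-V2-style skim: pay out whatever exceeds the recorded reserve.
        self.token.transfer("pair", to, self.token.bal["pair"] - self.reserve)

    def sync(self):
        self.reserve = self.token.bal["pair"]

def skim_invariant(drain_bps, rounds, donation=1_000_000):
    """Donate, skim and sync `rounds` times; return (tokens drained, price ratio)."""
    token = Token(drain_bps)
    pair = Pair(token, token_reserve=10_000_000, usd_reserve=10_000_000)
    token.bal["user"] = donation
    start = pair.usd / pair.reserve
    for _ in range(rounds):
        token.transfer("user", "pair", token.bal["user"])
        pair.skim("user")
        pair.sync()
    drained = 10_000_000 - token.bal["pair"]
    return drained, (pair.usd / pair.reserve) / start

if __name__ == "__main__":
    print(skim_invariant(0, 5), skim_invariant(DRAIN_BPS, 5))
```

A token that preserves the invariant returns (0, 1.0); any non-zero drain means a transfer sent by the pair reduced the pair's balance by more than the amount transferred.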

Key Code

[Image: key code screenshot]

PoC

Check on GitHub

The attack on $UN on BSC serves as a stark reminder of the evolving challenges faced by the blockchain industry and the importance of robust security measures. As the crypto ecosystem continues to grow and innovate, it is crucial for developers, investors, and users to remain vigilant and proactive in safeguarding their assets.

While incidents like this can be disheartening, they also provide valuable lessons for the community to learn from, prompting further improvements in security protocols and risk mitigation strategies. Through continued efforts in research, development, and education, the blockchain industry can strive towards creating a more secure and resilient ecosystem that empowers individuals and organizations to leverage the transformative potential of blockchain technology.

Stay tuned, stay secure.

About Us

At MetaTrust, our primary focus is on creating a secure infrastructure that caters to the needs of developers in the WEB 3.0 space. We offer an array of AI-Driven automation tools and security services to assist Web3 developers and project stakeholders in achieving a secure development environment.
