On the 14th of April, BeatGen AI on BNB Chain was attacked. The attack was made possible by a smart contract vulnerability, and the hackers stole around $14K through the exploit.
About BeatGen AI:
BeatGen offers a music library, a creation tool, a community forum, and a marketplace for buying/selling music products. In addition, users can earn tokens by staking their NFTs, which opens up new possibilities for monetization and rewards.
To learn more about the project, check out the official documentation.
Vulnerability Analysis and Impact:
Attack Transaction: 0xb22e2d877f17fa58a1d898a4952e2f18d1c14c7fa21ffcfc5ae93adb7ee6d9b4
The Root Cause:
The root cause of the issue lies within the convertUsdBalanceDecimalToTokenDecimal() function in oracle.sol. It was possible to increase the returned value of amountTokenDecimal by reducing balanceStableToken. In this case, the denominator variable balanceStableToken was reduced by a flash loan, which caused an unintentional increase in
- The attacker initially purchased HREANFT for 210 USDT and then staked it for a period of 24 months at the contract in this transaction.
- The attacker borrowed 55499.7 USDT and swapped it for around 1 million BGN tokens. However, while claiming the staked NFT (which was staked in an earlier transaction), a mistake was made in the calculation of amountTokenDecimal. Due to the flash loan, the balanceStableToken variable was reduced, which led to an erroneous increase in the
- Finally, the attacker swapped 1,008,334 BGN tokens for 14,293.9 USDT tokens in his contract and transferred them to his wallet.
The flow of funds:
The attacker transferred 40 BNB (around $13,000 at the time of the attack) through Tornado Cash.
As of writing this blog, the attacker holds around $1150 on BNB Chain. See here.
After the exploit
There was no official announcement from the project regarding the hack.
14-4-2023: The attacker exploited BeatGen.
24-4-2023: The attacker deposited 40 BNB to Tornado Cash.
How could they have prevented the exploit?
Projects should have a systematic approach to checking for edge cases where things can go wrong and damage the protocol. This can involve implementing a series of checks and balances to ensure that the contract functions as intended and that any deviations from expected behavior are promptly detected and addressed.
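One such check, applied to the root cause described above, is sketched below as an added example; it is not BeatGen's code. It assumes a simplified model in which the conversion divides by a live stable-token balance, and the names GuardedOracle, window_s and max_dev_bps, along with all balances, are hypothetical values constructed for illustration.

```python
SCALE = 10**18  # fixed-point scale, mirroring on-chain integer math

def spot_price(balance_token, balance_stable):
    """Tokens per stable unit read from live balances (movable in one tx)."""
    return balance_token * SCALE // balance_stable

def convert_spot(usd_amount, balance_token, balance_stable):
    """Weak pattern: the denominator is a balance a flash loan can shrink."""
    return usd_amount * spot_price(balance_token, balance_stable) // SCALE

class GuardedOracle:
    """Pays out at a time-weighted average and rejects outlier spot prices."""

    def __init__(self, window_s, max_dev_bps):
        self.window_s, self.max_dev_bps = window_s, max_dev_bps
        self.obs = []  # (timestamp, price), recorded once per block, in order

    def record(self, ts, balance_token, balance_stable):
        self.obs.append((ts, spot_price(balance_token, balance_stable)))

    def twap(self, now):
        if not self.obs or self.obs[0][0] >= now:
            raise ValueError("no price history")
        start = max(now - self.window_s, self.obs[0][0])
        total, pts = 0, self.obs + [(now, None)]
        for (t0, price), (t1, _) in zip(pts, pts[1:]):
            lo, hi = max(t0, start), min(t1, now)
            if hi > lo:  # weight each price by the time it was in force
                total += price * (hi - lo)
        return total // (now - start)

    def convert(self, usd_amount, now, balance_token, balance_stable):
        ref = self.twap(now)
        spot = spot_price(balance_token, balance_stable)
        if abs(spot - ref) * 10_000 > ref * self.max_dev_bps:
            raise ValueError("spot deviates from TWAP, refusing payout")
        return usd_amount * ref // SCALE

def sample_oracle():
    """Constructed history: three blocks near 20 tokens per stable unit."""
    oracle = GuardedOracle(window_s=1800, max_dev_bps=500)
    for ts, tok, stable in [(0, 1_000_000, 50_000), (600, 990_000, 50_000),
                            (1200, 1_020_000, 50_000)]:
        oracle.record(ts, tok, stable)
    return oracle

if __name__ == "__main__":
    print(convert_spot(100, 1_000_000, 50_000))   # normal balances
    print(convert_spot(100, 1_000_000, 5_000))    # stable balance drained
    print(sample_oracle().convert(100, 1800, 1_000_000, 50_000))
```

With the stable balance cut to a tenth, the spot conversion pays ten times as many tokens, while the guarded path raises instead of paying. A time-weighted average only resists changes made within a single transaction or block, so the window and deviation threshold still need to be sized against the pool's liquidity.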
Overall, the key to preventing exploits in smart contracts is to prioritize security throughout the development process. By conducting thorough security audits, testing and reviewing vulnerable functions, and implementing a systematic approach to checking for edge cases, developers can help ensure that their contracts are secure and resilient against attacks.
Web3 security- Need of the hour
Why QuillAudits for Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions, saving the loss of millions in funds.