Decoding BeatGenAI (BGN) Flash Loan Exploit | QuillAudits

--

Summary:

On the 14th of April, the BeatGen AI on BNB Chain was attacked. The attack was made possible by a smart contract vulnerability. And around $14K was stolen by the hackers from the exploit.

About BeatGen AI:

BeatGen offers a music library, a creation tool, a community forum, and a marketplace for buying/selling music products. In addition, users can earn tokens by staking their NFTs, which opens up new possibilities for monetization and rewards.

To learn more about the project, check out the official documentation.

Vulnerability Analysis and Impact:

On-Chain Details:

Attacker Address: 0x84fd453f80377ea49a40087290688d01af81fa1b
Attacker Contract: 0x89ea5c8138345d4d0cba30d5ca06b4ddfffd3e3c

Victim Contract: 0xdee162456705da4e8184ca5ea75b0c107fa21a0d
Vulnerable Oracle: 0x414def3809199fdccd7aa3fd805e70db63b17679

NFT Stake Txn: 0xd0f3c8e703ce81fbe677da0b6d37c397361d7789b090327d2e4ca32916dcb639

Attack Transaction: 0xb22e2d877f17fa58a1d898a4952e2f18d1c14c7fa21ffcfc5ae93adb7ee6d9b4

The Root Cause:

The root cause of the issue lies within the convertUsdBalanceDecimalToTokenDecimal() function in oracle.sol. There was a possibility to increase the returned value of amountTokenDecimal by reducing the balanceStableToken. In this case, the denominator variable balanceStableToken was reduced by a flash loan, which caused an unintentional increase in amountTokenDecimal.

Attack Steps:

  • The attacker initially purchased HREANFT for 210 USDT and then staked it for a period of 24 months at the contract in this transaction.
  • The attacker borrowed 55499.7 USDT and swapped it for around 1 million BGN tokens. However, while claiming the staked NFT (which was staked in an earlier transaction), a mistake was made in the calculation of the amountTokenDecimal. Due to the flash loan, the balanceStableToken variable was reduced, which led to an erroneous increase in the amountTokenDecimal.
  • Finally, the attacker swapped 1,008,334 BGN tokens for 14,293.9 USDT tokens in his contract and transferred them to his wallet.

The flow of funds:

The attacker transferred 40 BNB (around $13,000 at the time of the attack) through the tornado cash.

Attacker’s Wallets:

As of writing this blog, the attacker holds around $1150 in BNB Chain. See here.

After the exploit

There was no official announcement from the project regarding the hack.

Incident Timelines

14-4-2023: The attacker exploited the BeatGen.

24-4-2023: The attacker deposited 40 BNB to Tornado Cash.

How could they have prevented the exploit?

Projects should have a systematic approach to checking for edge cases where things can go wrong and damage the protocol. This can involve implementing a series of checks and balances to ensure that the contract functions as intended and that any deviations from expected behavior are promptly detected and addressed.

Overall, the key to preventing exploits in smart contracts is to prioritize security throughout the development process. By conducting thorough security audits, testing and reviewing vulnerable functions, and implementing a systematic approach to checking for edge cases, developers can help ensure that their contracts are secure and resilient against attacks.

Similar projects secured by QuillAudits:

Web3 security- Need of the hour

Why QuillAudits for Web3 Security?
QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions, saving the loss of millions in funds.

Want more such security blogs and reports?

Connect with QuillAudits on:
Linkedin | Twitter | Website | Newsletter | Discord | Telegram

--

--

QuillAudits - Web3 Security 🛡️

Smart Contract Auditing Experts , Making web3 a safer place . audits@quillhash.com