GDS Project Flash Loan Exploit Analysis | QuillAudits
On January 3, 2023, the GDS project on Binance Smart Chain was hacked. The attacker used flash loans to attack the GDS token’s LP mining mechanism and gain profit. The hackers stole approximately $187K, and the price of the GDS token dropped from $0.5 to $0.1.
About GDS Chain and GDS Token:
GDS Chain is a public blockchain for business applications that studies the use of blockchain technology to improve numerous value transmission and contribution distribution techniques.
GDS token is a BEP20 token deployed on Binance Smart Chain. BEP-20 is a token standard on BNB Smart Chain (BSC) that extends ERC-20.
Vulnerability Analysis & Impact:
The Root Cause:
When any user adds liquidity to the GDS-USDT pair, the GDS contract rewards the liquidity provider with GDS tokens at each epoch. The root cause lies in the _settlementLpMining function, where the value _lpRewardAmount is calculated based only on the weight of the LP tokens held by the user. Because time was not taken into account, the attacker was able to redeem more rewards than authorized, causing the liquidity to be drained.
Closing LP mining: 0x06d23624bd1edeb63665f41c4d3dd098d4c913a715c7b6fd9894575dcb0f43dc
The Attack Steps:
1. The attacker began by borrowing $2.38 million in BSC-USD via a flash loan, then swapped 600,000 BSC-USD for 3.4 million GDS tokens on PancakeSwap.
2. The attacker then transferred the remaining 1.7 million BSC-USD and the 3.4 million GDS (swapped earlier) to the PancakeSwap liquidity pool to obtain 2.2 million LP tokens. Due to the flaw in calculating _lpRewardAmount, the attacker could redeem more rewards from the GDS token contract and transfer the LP tokens to another contract.
3. The attacker created many attack contracts and transferred the previously obtained LP tokens to the deployed contracts. Then he called the withdraw function from each contract to receive the higher rewards until the liquidity was gone and the flash loan amount was repaid.
4. As a result, the attacker made $39K and 10.3 million GDS tokens. The attacker then swapped all 10.3 million GDS tokens for around $148,416, making a total profit of $187,000.
After the Exploit:
There hasn’t been an official announcement from the project. The project team terminated LpMining by calling the closeLpMining function in the GDS contract.
The exploit caused the token’s price to drop from $0.05 to $0.01. The price at the time of writing is $0.019.
The flow of funds:
The attacker's wallet contains $8 on BNB Chain at the time of this writing.
How could they have prevented the Exploit?
Reward calculations should include critical checks such as time, and they should rely on something other than the currently available balance of LP tokens.
Also, rather than depending on a single DEX platform, projects should use decentralized pricing oracles such as Chainlink to obtain price feeds.
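The time check recommended above, and the weight-only calculation described under the root cause, can be compared in a small model. This is an added example, not code from the GDS contract or from QuillAudits; the class, the reward budget, the holding period and the address names are all assumptions made for illustration.

```python
# Simplified model constructed for illustration; not the GDS contract's code.
from dataclasses import dataclass, field

EPOCH_REWARD = 1_000    # hypothetical reward budget per epoch
MIN_HOLD_EPOCHS = 1     # hypothetical holding period for the time-aware variant


@dataclass
class LpRewards:
    time_aware: bool
    epoch: int = 0
    balance: dict = field(default_factory=dict)      # holder -> LP tokens
    held_since: dict = field(default_factory=dict)   # holder -> epoch of last increase
    last_claim: dict = field(default_factory=dict)   # holder -> epoch of last claim

    def deposit(self, who, amount):
        self.balance[who] = self.balance.get(who, 0) + amount
        self.held_since[who] = self.epoch            # any increase restarts the clock

    def transfer(self, src, dst, amount):
        self.balance[src] -= amount
        self.deposit(dst, amount)

    def claim(self, who):
        if self.last_claim.get(who) == self.epoch:
            return 0                                 # one claim per address per epoch
        held = self.epoch - self.held_since.get(who, self.epoch)
        if self.time_aware and held < MIN_HOLD_EPOCHS:
            return 0                                 # position too young to earn
        self.last_claim[who] = self.epoch
        # Weight-only formula: share of LP supply at the moment of the claim.
        return EPOCH_REWARD * self.balance.get(who, 0) // sum(self.balance.values())


def relay_claims(time_aware, hops=5):
    """Move one LP position through `hops` fresh addresses inside a single epoch."""
    pool = LpRewards(time_aware)
    pool.deposit("long_term_lp", 1_000)
    pool.epoch = 1                                   # long_term_lp has held a full epoch
    pool.deposit("addr0", 1_000)                     # position opened this epoch
    relayed = pool.claim("addr0")
    for i in range(hops - 1):
        pool.transfer(f"addr{i}", f"addr{i + 1}", 1_000)
        relayed += pool.claim(f"addr{i + 1}")
    return relayed, pool.claim("long_term_lp")


if __name__ == "__main__":
    print("weight only:", relay_claims(False))
    print("time aware: ", relay_claims(True))
```

In the weight-only run the relayed position alone collects more than the whole epoch budget, while the time-aware run pays it nothing and leaves the long-term holder's reward unchanged.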