GDS Project Flash Loan Exploit Analysis | QuillAudits


On January 3, 2023, the GDS project on Binance Smart Chain was hacked. The attacker used flash loans to exploit the GDS token's LP mining mechanism for profit. Approximately $187K was stolen, and the price of the GDS token dropped from $0.5 to $0.1.

About GDS Chain and GDS Token:

GDS Chain is a public blockchain for business applications that studies the use of blockchain technology to improve numerous value transmission and contribution distribution techniques.

GDS token is a BEP-20 token deployed on Binance Smart Chain. BEP-20 is a token standard on BNB Smart Chain (BSC) that extends ERC-20.

Vulnerability Analysis & Impact:

The Root Cause:

When a user adds liquidity to the GDS-USDT pair, the GDS contract rewards the liquidity provider with GDS tokens at each epoch. The root cause lies in the _settlementLpMining function, where the value _lpRewardAmount is calculated solely from the weight of the LP tokens held by the user. Because time was not taken into account, the attacker was able to redeem more rewards than authorized, causing the liquidity to be drained.

On-Chain Details:

GDS Contract: 0xC1Bb12560468fb255A8e8431BDF883CC4cB3d278
Attacker: 0xcf2362b46669e04b16d0780cf9b6e61c82de36a7

Exploit Txn: 0x2bb704e0d158594f7373ec6e53dc9da6c6639f269207da8dab883fc3b5bf6694

Closing LP mining: 0x06d23624bd1edeb63665f41c4d3dd098d4c913a715c7b6fd9894575dcb0f43dc

The Attack Steps:

1. The attacker began the attack by borrowing $2.38 million in BSC-USD via a flash loan, then swapped 600,000 BSC-USD for 3.4 million GDS tokens on PancakeSwap.

2. The attacker then transferred the remaining 1.7 million BSC-USD and the 3.4 million GDS (swapped earlier) to the PancakeSwap liquidity pool to obtain 2.2 million LP tokens. Due to the flaw in calculating _lpRewardAmount, the attacker could redeem more rewards from the GDS token contract and transfer the LP tokens to another contract.

3. The attacker created many attack contracts and transferred the previously obtained LP tokens to the deployed contracts. He then called the withdraw function from each contract to receive the higher rewards until the liquidity was gone and the flash loan amount was repaid.

4. As a result, the attacker made $39K and 10.3 million GDS tokens. The attacker then swapped all 10.3 million GDS tokens for around $148,416, making a total profit of $187,000.

After the Exploit:

There hasn't been an official announcement from the project. The project team terminated LP mining by calling the closeLpMining function in the GDS contract.

Price Impact:

The exploit caused the token's price to drop from $0.05 to $0.01. The current price as of writing this blog is $0.019.

The flow of funds:

The attacker's wallet holds $8 on BNB Chain at the time of this writing.

How could they have prevented the Exploit?

Reward calculations should include critical checks such as time, and should rely on something other than the currently available balance of LP tokens.

Also, rather than depending on a single DEX platform, projects should use decentralized pricing oracles such as Chainlink to obtain price feeds.
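
A simplified model of the time check recommended above, added here as an example and not taken from the GDS contract or the original analysis. `settle_by_weight` mirrors a reward based only on LP weight; `TimeWeightedMining` uses a reward-per-token accumulator, a common staking pattern chosen here as an assumption, not the project's fix. All names, rates and amounts are constructed.

```python
# Simplified model of LP-mining reward settlement; not the GDS contract code.
# All names, rates and amounts are constructed for illustration.
EPOCH_REWARD = 1_000   # reward tokens released per epoch
SCALE = 10**12         # fixed-point scale for the accumulator

def settle_by_weight(holder_lp, total_lp):
    """Flawed: pays by LP weight at settlement time, ignoring holding time."""
    return EPOCH_REWARD * holder_lp // total_lp

class TimeWeightedMining:
    """Hardened: rewards accrue per LP token per second actually staked."""

    def __init__(self, rate_per_sec):
        self.rate, self.acc, self.total, self.last = rate_per_sec, 0, 0, 0
        self.amount, self.debt = {}, {}

    def _update(self, now):
        # Advance the per-token accumulator by the time elapsed since last call.
        if self.total:
            self.acc += self.rate * (now - self.last) * SCALE // self.total
        self.last = now

    def deposit(self, who, lp, now):
        self._update(now)
        self.amount[who] = self.amount.get(who, 0) + lp
        # Debt cancels everything accrued before this deposit.
        self.debt[who] = self.debt.get(who, 0) + lp * self.acc
        self.total += lp

    def withdraw(self, who, now):
        """Close the position; return the reward earned while staked."""
        self._update(now)
        lp = self.amount.pop(who, 0)
        self.total -= lp
        return (lp * self.acc - self.debt.pop(who, 0)) // SCALE

def paid_by_weight(lp, total_lp, holders):
    """Total paid when the same LP tokens settle from `holders` addresses."""
    return sum(settle_by_weight(lp, total_lp) for _ in range(holders))

def paid_time_weighted(lp, honest_lp, holders, now=1_000):
    """Same movement against the accumulator; returns (movers, honest)."""
    pool = TimeWeightedMining(rate_per_sec=10)
    pool.deposit("honest", honest_lp, 0)
    moved = 0
    for i in range(holders):
        pool.deposit(f"addr{i}", lp, now)
        moved += pool.withdraw(f"addr{i}", now)
    return moved, pool.withdraw("honest", now)
```

With weight-only settlement the payout scales with the number of settling addresses and exceeds the epoch budget; with time-weighted accrual, tokens held for zero seconds earn nothing and the long-term holder keeps the full accrued reward.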
