RES Token $290K Flash Loan Exploit | QuillAudits

Summary:

On the 6th of October, 2022, $RES Token (BEP20 Token at BNB Chain) suffered a flash loan attack. The Hackers used flash loans to manipulate the pool price of the token and gain profit. Around $290,000 was stolen by the hackers.

Introduction to $RES Token:

$RES is a cryptocurrency, deployed on Binance Smart Chain(BSC BEP-20). Currently, the $RES token is being traded at $0.0060 at Pancakeswap. Further Details can be found here.

Vulnerability Analysis & Impact:

Before getting deep into it, let's first understand what Flash Loans Attacks are:

FlashLoans Attack:

A flash loan attack is an abuse of the smart contract security of a particular platform in which an attacker usually borrows many funds that don’t require collateral. They then manipulate the price of a crypto asset on one exchange and quickly resell it on another one.

Check out this blog by quillhash for further details.

Vulnerability Overview:

The main vulnerability was present in the thisAtoB function of the contract. It was used to swap $RES tokens in the contract to $ALL tokens through the RES-BSCUSD-ALL path. The hacker used flash loans to manipulate the pool of RES Token, swapped the tokens back, and made a profit of around $290K from the attack.

Addresses and Transaction Details:

Attacker EOA: 0x986b2e2a1cf303536138d8aC762447500Fd781c6
Attacking Contract: 0xff333de02129af88aae101ab777d3f5d709fec6f
Victim(RES) Contract: 0xeccd8b08ac3b587b7175d40fb9c60a20990f8d21

Attack Transactions:

0xe59fa48212c4ee716c03e648e04f0ca390f4a4fc921a890fded0e01afa4ba96d

0xef19a4dfd69874d5efda3e38b5a19cae4e0b0bdc95769760bd85ede4d15609ac

The Attack:

1. The attacker funded 0.5 BNB from EOA (0x92d47) to his wallet(0x986b2) and then created the attacking contract.

2. The thisAToB function is an external function that calls _thisAToB function which is used to swap $RES tokens in the contract to ALL tokens through the RES-BSCUSD-ALL path.

3. The attacker borrowed flash loans and did multiple swaps and gained awards on $ALL tokens. Then he burned $ALL-SWAP token by calling thisAToB() function.

4. As a result of burning tokens, the pair reserve ratio increased. Then the attacker swapped $ALL tokens to USDT and gained a profit of around $209,203 from the attack.

5. The attacker repeated the same steps as above and this time he gained an additional profit of $81,268. Adding both, the attacker made a total of $290K from this attack.

After the Exploit :

The attack directly impacted the price of the token. The price of $RES Token fell by 97%. It fell from $0.23 to $0.0060. See here for more info.

Status of Funds:

The attacker transferred all the funds to a contract (0x5f330) after swapping to different tokens like BUSD, BNB, etc. See here for more details.

Prevention for Flash Loan Attacks:

Recently there has been a massive increase in flash loan attacks in the DeFi space. Their occurrences have given birth to two popular solutions. Check out here for a detailed explanation.

1. Decentralized Pricing Oracles
2. Implementation of DeFi Security Platforms

Further Reference / Credit:

https://apespace.io/bsc/0x05ba2c512788bd95cd6d61d3109c53a14b01c82a
https://twitter.com/BlockSecTeam/status/1578041521273962496

Similar projects secured by QuillAudits:

• CrickDAO
• Serverus

Web3 security- Need of the hour

Why QuillAudits For Web3 Security?

QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram