RES Token $290K Flash Loan Exploit | QuillAudits

Summary:

On the 6th of October, 2022, $RES Token (BEP20 Token at BNB Chain) suffered a flash loan attack. The Hackers used flash loans to manipulate the pool price of the token and gain profit. Around $290,000 was stolen by the hackers.

Introduction to $RES Token:

$RES is a cryptocurrency, deployed on Binance Smart Chain(BSC BEP-20). Currently, the $RES token is being traded at $0.0060 at Pancakeswap. Further Details can be found here.

Vulnerability Analysis & Impact:

Before getting deep into it, let's first understand what Flash Loans Attacks are:

A flash loan attack is an abuse of the smart contract security of a particular platform in which an attacker usually borrows many funds that don’t require collateral. They then manipulate the price of a crypto asset on one exchange and quickly resell it on another one.

Check out this blog by quillhash for further details.

The main vulnerability was present in the thisAtoB function of the contract. It was used to swap $RES tokens in the contract to $ALL tokens through the RES-BSCUSD-ALL path. The hacker used flash loans to manipulate the pool of RES Token, swapped the tokens back, and made a profit of around $290K from the attack.

Attacker EOA: 0x986b2e2a1cf303536138d8aC762447500Fd781c6
Attacking Contract: 0xff333de02129af88aae101ab777d3f5d709fec6f
Victim(RES) Contract: 0xeccd8b08ac3b587b7175d40fb9c60a20990f8d21

Attack Transactions:

0xe59fa48212c4ee716c03e648e04f0ca390f4a4fc921a890fded0e01afa4ba96d

0xef19a4dfd69874d5efda3e38b5a19cae4e0b0bdc95769760bd85ede4d15609ac

  1. The attacker funded 0.5 BNB from EOA (0x92d47) to his wallet(0x986b2) and then created the attacking contract.

2. The thisAToB function is an external function that calls _thisAToB function which is used to swap $RES tokens in the contract to ALL tokens through the RES-BSCUSD-ALL path.

3. The attacker borrowed flash loans and did multiple swaps and gained awards on $ALL tokens. Then he burned $ALL-SWAP token by calling thisAToB() function.

4. As a result of burning tokens, the pair reserve ratio increased. Then the attacker swapped $ALL tokens to USDT and gained a profit of around $209,203 from the attack.

5. The attacker repeated the same steps as above and this time he gained an additional profit of $81,268. Adding both, the attacker made a total of $290K from this attack.

After the Exploit :

The attack directly impacted the price of the token. The price of $RES Token fell by 97%. It fell from $0.23 to $0.0060. See here for more info.

Status of Funds:

The attacker transferred all the funds to a contract (0x5f330) after swapping to different tokens like BUSD, BNB, etc. See here for more details.

Prevention for Flash Loan Attacks:

Recently there has been a massive increase in flash loan attacks in the DeFi space. Their occurrences have given birth to two popular solutions. Check out here for a detailed explanation.

1. Decentralized Pricing Oracles
2. Implementation of DeFi Security Platforms

Further Reference / Credit:

https://apespace.io/bsc/0x05ba2c512788bd95cd6d61d3109c53a14b01c82a
https://twitter.com/BlockSecTeam/status/1578041521273962496

Similar projects secured by QuillAudits:

Web3 security- Need of the hour

Why QuillAudits For Web3 Security?

QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store