0x01 Event Background
On April 1, the Allbridge cross-chain bridge on the BSC chain was attacked. The attacker profited XX; the attacker address is 0xc578d755cd56255d3ff6e92e1b6371ba945e3984, and the stolen funds were transferred to the Tornado.cash mixing platform.
0x02 Contract Vulnerability
The swap function swapToVUsd in the contract computes the swap output as the difference between the BUSD balance currently recorded in the contract and the balance implied after the transferred tokens are converted. Because the price is derived from these recorded balances, an attacker with access to a large amount of capital can skew the ratio of tokens in the pool through large swaps and deposits, and thereby control the price the pool quotes.
0x03 Attack steps
1. The attacker borrows 7,500,000 BUSD through a flash loan.
2. Swap 2,003,300 BUSD for 2,000,296 USDT; the contract's BUSD balance becomes 11,405,966 and its USDT balance 8,296,249.
3. Call the deposit function of the contract and deposit 5,000,000 BUSD.
4. The attacker's address now holds 496,700 BUSD; swap all of it for USDT, receiving 495,488 USDT in total.
5. Deposit the 2,000,296 USDT obtained in step 2 into the contract.
6. Call the swap function of the Allbridge Core: Bridge contract and swap 495,784 USDT for 490,849 BUSD.
7. Withdraw 4,830,999 of the previously deposited BUSD.
8. Call the swap function of the Allbridge Core: Bridge contract and swap 40,000 BUSD for 789,632 USDT.
9. Withdraw the remaining deposited funds and convert the USDT to BUSD.
10. Repay the flash loan.
The attacker made a total profit of 549,874 BUSD from this attack.
0x04 Summary and Suggestions
This attack was possible because the attacker could alter the ratio of tokens in the trading pool by moving large amounts of funds through deposits and swaps, and then exchange a small amount of BUSD for a large amount of USDT at the distorted price.
- It is recommended to add a maximum exchange ratio check to the function that performs the token swap in the contract, so that a swap is rejected when the quoted ratio deviates too far and large losses are avoided while the pool balances are heavily skewed.
- It is recommended that the project team commission multiple audits before going live, so that no audit step is missed.
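As an added example (not Allbridge's own code, and not a reproduction of its pricing curve), the following Python implements the maximum-exchange-ratio check suggested above in contract-style integer arithmetic and replays the swap amounts from the attack steps through it. The pool pricing is not modelled; the quoted outputs are taken from the steps as listed. The 5% (500 bps) limit, the function names and the `quote` callable are assumptions of this example.

```python
from __future__ import annotations

from typing import Callable

# Added example, not Allbridge code. Amounts are whole tokens; ratios are
# computed in basis points with integer math, as a contract would do it.
BPS = 10_000
MAX_DEVIATION_BPS = 500  # hypothetical limit: output may differ from input by at most 5%


class RateOutOfBounds(Exception):
    """Raised where a contract would revert the swap."""


def rate_bps(amount_in: int, amount_out: int) -> int:
    """Exchange ratio amount_out / amount_in scaled to basis points."""
    if amount_in <= 0:
        raise ValueError("amount_in must be positive")
    return amount_out * BPS // amount_in


def check_exchange_ratio(amount_in: int, amount_out: int,
                         max_dev_bps: int = MAX_DEVIATION_BPS) -> int:
    """Guard of the kind recommended above: accept the swap only if out/in lies
    within [1 - max_dev, 1 + max_dev] of par. Returns the ratio in bps on success."""
    r = rate_bps(amount_in, amount_out)
    if r < BPS - max_dev_bps or r > BPS + max_dev_bps:
        raise RateOutOfBounds(f"rate {r} bps is outside +/-{max_dev_bps} bps of par")
    return r


def guarded_swap(quote: Callable[[int], int], amount_in: int,
                 max_dev_bps: int = MAX_DEVIATION_BPS) -> int:
    """Wrap any pool quote function with the guard. The quote callable stands in
    for the pool's own pricing (swapToVUsd and friends), which is not modelled."""
    amount_out = quote(amount_in)
    check_exchange_ratio(amount_in, amount_out, max_dev_bps)
    return amount_out


# Swap steps from the write-up: (step number, token in, amount in, token out, amount out)
ATTACK_SWAPS = [
    (2, "BUSD", 2_003_300, "USDT", 2_000_296),
    (4, "BUSD", 496_700, "USDT", 495_488),
    (6, "USDT", 495_784, "BUSD", 490_849),
    (8, "BUSD", 40_000, "USDT", 789_632),
]


def replay(max_dev_bps: int = MAX_DEVIATION_BPS) -> dict[int, str]:
    """Run each listed swap through the guard and report 'ok' or 'rejected' per step."""
    verdicts: dict[int, str] = {}
    for step, _tin, amount_in, _tout, amount_out in ATTACK_SWAPS:
        try:
            check_exchange_ratio(amount_in, amount_out, max_dev_bps)
            verdicts[step] = "ok"
        except RateOutOfBounds:
            verdicts[step] = "rejected"
    return verdicts


if __name__ == "__main__":
    for step, tin, ai, tout, ao in ATTACK_SWAPS:
        print(f"step {step}: {ai:,} {tin} -> {ao:,} {tout}: {rate_bps(ai, ao)} bps")
    print(replay())
```

The first three swaps trade within about 1% of par and pass; the profit-taking swap in step 8 quotes roughly 19.7 USDT per BUSD and is rejected. A bound this tight around par is appropriate only for pools of assets that share a peg, as BUSD and USDT do here; for other pairs the reference rate would have to come from elsewhere, and the limit should be set from the pool's normal slippage rather than the 5% assumed in this example.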