On May 8, 2024, an attack on the GPU token project on BNB Smart Chain was detected. The attack transaction is at https://bscscan.com/tx/0x2c0ada695a507d7a03f4f308f545c7db4847b2b2c82de79e702d655d8c95dadb. The attack resulted in a loss of $32,400 USD.
Detailed Analysis of the Attack
The attacker first utilized a flash loan of 226,007 BUSD from DODO.
Subsequently, the attacker exchanged these BUSD for GPU tokens on PancakeSwap, obtaining a total of 26,992 GPU tokens.
After that, the attacker continued to transfer tokens to themselves repeatedly.
The vulnerability lies in the transfer function of the GPU token. As shown in the image below:
We can see that the transfer function of the GPU token ultimately calls the _transfer function of its parent contract, which is the ERC20 contract's _transfer function. As depicted in the following image:
From the above code, we can observe that when performing a transfer, the balances of the from and to addresses are first read into the local variables senderAmount and recipientAmount, respectively. The post-transfer values are then computed from these cached variables and written back to the balances mapping. However, when the from and to addresses are the same, recipientAmount still holds the balance read before the debit, so writing senderAmount - amount to the from address and then recipientAmount + amount to the to address overwrites the debit and credits the address with amount tokens out of thin air. Therefore, by repeatedly transferring tokens to themselves, the attacker was able to increase their GPU balance arbitrarily.
Finally, the attacker redeemed the GPU tokens they had gained through the attack for BUSD on PancakeSwap, making a profit of $32,400 USD.
Conclusion
The cause of this vulnerability is a logic flaw in the transfer function of the GPU token, coupled with the lack of validation of user input. The attacker was able to increase their GPU tokens fraudulently by transferring tokens to themselves. It is recommended that project teams conduct thorough validation of their economic models and code logic, and ideally, have multiple audit firms perform a cross-audit before deploying contracts.