HFLH Hack Analysis

lunaray
3 min readAug 28, 2024

--

Background

Recently, we monitored an on-chain attack on the project HFLH on BnbSmartChain. https://bscscan.com/tx/0xb61ae75835854e577657c25fe1891ff1c9ffb1b6b61ec4064396a08e222f679e

The attacked project is HFLH. The attacker made a profit of about 9.099 BNB, which is about 5,300 USD.

Attack and Event Analysis

First, the attacker borrowed 2002 WBNB using AAVE flashloan

Next, use the attack contract to register through the contract Regist (0x4e5A3d30d1caEaB5CADaDB12ca84f0916C473D34).

Then, use the Borrow contract to borrow. The borrowing code of the Borrow contract is as follows:

The amount of loan is calculated as follows:

We can see that the code for getting the price of HFLH is as follows:

The price of HFLH is calculated by calculating the balance ratio of WBNB and HFLH in pancakeSwap. And price=HFLHamount/WBNBamount, it can be seen that the more HFLH there are, the higher the price.

The attacker borrowed HFLH by transferring 1999 WBNB. The above formula can be used to calculate the amount of HFLH borrowed:

As shown below:

The attacker transferred the borrowed HFLH back to the pancakeSwap Pair, and then borrowed 2.2 WBNB to borrow HFLH. Because the attacker transferred the borrowed HFLH back to the pancakeSwap Pair, it was equivalent to raising the price, so the 2.2 WBNB transferred this time could borrow more HFLH.

Then, the attacker used the skim function of pancakeSwap to get back the transferred HFLH, and called withdrawPrincipal to return and get back the 1999 WBNB deposited during the first borrow.

Finally, the attacker used the HFLH borrowed for the second time to exchange for 12.3 WBNB using pancakeSwap. The final profit was 12.3–2.2–1.001 (flashloan interest) = 9.099 WBNB, about 5300 USD.

Conclusion

The main cause of this vulnerability is that the HFLH contract uses a single source, PancakeSwapV2, to calculate the price of HFLH Token, which causes the price to be manipulated by the attacker, and ultimately arbitrage using the price difference. It is recommended that the project party should conduct multiple verifications when designing the economic model, price calculation mechanism, and code operation logic, and try to select multiple audit companies for cross-audits before the contract goes online.

💬 Website 🐦Twitter

--

--

lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.