Background
On June 11, 2024, an attack was detected on the Ethereum network targeting the JokInTheBox
project, resulting in a total loss of approximately 34,292 USD.
Detailed Analysis of the Attack
First, the attacker initiated a transaction (https://etherscan.io/tx/0x3b214f07205be5243543c77e7087e1a4974e3ffa0e28daa9e7fda5ed5d3aeb09) using 0.2 ETH to exchange for 366,060,210 JOK
tokens on Uniswap V2. These tokens were then transferred to the attack contract at address 0x9d3425d45df30183fda059c586543dcdeb5993e6 and subsequently staked.
Next, the attacker commenced the actual attack:
The root cause of the issue lies in the unstake function of the JokInTheBox contract:
As can be seen, the unstake function does not verify whether stakes[msg.sender][stakeIndex].unstaked is true, meaning it does not check whether the staked asset has already been unstaked and withdrawn. This flaw allows the attacker to call unstake repeatedly on the same stake, thus withdrawing all users' staked assets.
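The following Solidity contract is an added illustration of the pattern described above; it is not the JokInTheBox source. Only the name of the flag, stakes[msg.sender][stakeIndex].unstaked, is taken from the write-up; the Stake struct layout, the minimal ERC-20 interface, the function names unstakeVulnerable and unstake, and the absence of any reward calculation are assumptions made to keep the example short. The vulnerable function sets the flag but never reads it, so a second call with the same index pays out again from the pool that holds every depositor's tokens; the hardened function rejects an already-withdrawn stake and updates state before the external transfer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the JokInTheBox contract. Struct layout, token
// interface and function names are assumed; only the `unstaked` flag is
// taken from the incident write-up.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingExample {
    struct Stake {
        uint256 amount;   // tokens deposited for this stake entry
        uint256 since;    // block timestamp of the deposit
        bool unstaked;    // true once the entry has been paid out
    }

    IERC20 public immutable token;
    mapping(address => Stake[]) public stakes;

    constructor(IERC20 _token) {
        token = _token;
    }

    function stake(uint256 amount) external {
        require(amount > 0, "zero amount");
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        stakes[msg.sender].push(Stake({amount: amount, since: block.timestamp, unstaked: false}));
    }

    // Vulnerable pattern (assumed shape of the flaw described in the text):
    // the flag is written but never checked, so calling this twice with the
    // same index pays `s.amount` twice. The contract's balance is the sum of
    // all users' deposits, so repeated calls drain other stakers' funds.
    function unstakeVulnerable(uint256 stakeIndex) external {
        Stake storage s = stakes[msg.sender][stakeIndex];
        s.unstaked = true;
        require(token.transfer(msg.sender, s.amount), "transfer failed");
    }

    // Hardened version: refuse any entry that has already been withdrawn.
    // The flag is set before the external call (checks-effects-interactions),
    // which also closes the reentrancy variant of the same double-withdrawal.
    function unstake(uint256 stakeIndex) external {
        Stake storage s = stakes[msg.sender][stakeIndex];
        require(!s.unstaked, "already unstaked");
        s.unstaked = true;
        uint256 amount = s.amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

When reviewing a staking contract, the check to look for is exactly the require on the per-stake status flag before any transfer; a withdrawal path that can be replayed against the same stake entry turns one user's deposit into a claim on the whole pool.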
Summary
The primary cause of this vulnerability is the failure of the JokInTheBox contract to verify whether a stake has already been unstaked during the unstake process, enabling the attacker to repeatedly unstake and withdraw all users’ staked assets. It is recommended that project teams thoroughly validate economic models and code logic during design, and utilize multiple auditing firms for cross-audits before contract deployment.