JokInTheBox Hack Analysis

lunaray
2 min read · Jun 26, 2024


Background

On June 11, 2024, an attack was detected on the Ethereum network targeting the JokInTheBox project, resulting in a total loss of approximately 34,292 USD.

Detailed Analysis of the Attack

First, the attacker initiated a transaction (https://etherscan.io/tx/0x3b214f07205be5243543c77e7087e1a4974e3ffa0e28daa9e7fda5ed5d3aeb09) using 0.2 ETH to exchange for 366,060,210 JOK tokens on Uniswap V2. These tokens were then transferred to the attack contract at address 0x9d3425d45df30183fda059c586543dcdeb5993e6 and subsequently staked.

Next, the attacker commenced the actual attack:

The root cause of the issue lies in the unstake function of the JokInTheBox contract:

As can be seen, the unstake function does not verify whether stakes[msg.sender][stakeIndex].unstaked is true; that is, it never checks whether the position at that index has already been unstaked and withdrawn. Because the same stakeIndex can be submitted again, the attacker can repeatedly unstake the same position and drain the staked assets of all users.
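To make the flaw concrete, the following is an added illustration written for this analysis, not the JokInTheBox contract's own code: a minimal staking contract with the vulnerable unstake pattern beside a corrected version. The Stake struct layout, the token interface and the function names are assumptions; only the stakes mapping, the stakeIndex parameter and the unstaked flag come from the write-up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here (assumption: the staked token is a standard ERC-20).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract StakingExample {
    struct Stake {
        uint256 amount;
        bool unstaked; // meant to record that this position was already withdrawn
    }

    IERC20 public immutable token;
    mapping(address => Stake[]) public stakes; // one position per index, per staker

    constructor(IERC20 _token) {
        token = _token;
    }

    function stake(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        stakes[msg.sender].push(Stake({amount: amount, unstaked: false}));
    }

    // VULNERABLE pattern described in the write-up (reconstruction, not the original code):
    // the `unstaked` flag is written but never checked, so the same stakeIndex can be
    // withdrawn again and again, paying out tokens that belong to other stakers.
    function unstakeVulnerable(uint256 stakeIndex) external {
        Stake storage s = stakes[msg.sender][stakeIndex];
        s.unstaked = true; // no effect on later calls because nothing reads it
        require(token.transfer(msg.sender, s.amount), "transfer failed");
    }

    // FIXED: reject a position that was already withdrawn, and mark it before the
    // external token call (checks-effects-interactions) so a reentrant call cannot
    // slip in between the check and the state update.
    function unstakeFixed(uint256 stakeIndex) external {
        Stake storage s = stakes[msg.sender][stakeIndex];
        require(!s.unstaked, "stake already withdrawn");
        s.unstaked = true;
        uint256 amount = s.amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

A unit test that calls unstakeFixed twice with the same index should see the second call revert with "stake already withdrawn", which is the check the original contract was missing.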

Summary

The primary cause of this vulnerability is the failure of the JokInTheBox contract to verify whether a stake has already been unstaked during the unstake process, enabling the attacker to repeatedly unstake and withdraw all users’ staked assets. It is recommended that project teams thoroughly validate economic models and code logic during design, and utilize multiple auditing firms for cross-audits before contract deployment.

lunaray

Lunaray takes a leading position in smart contract auditing and consulting service for blockchain security.