SATURN Hack Analysis

lunaray
May 8, 2024

On May 7, 2024, an attack on BNB Smart Chain was detected in the following transaction: https://bscscan.com/tx/0x948132f219c0a1adbffbee5d9dc63bec676dd69341a6eca23790632cb9475312. The targeted project was SATURN, and the attack resulted in a loss of approximately 15 WBNB.

Attack Details

The attack can be divided into two stages:

Stage 1

The attacker first swapped 0.15 BNB on PancakeSwap over 10 swaps, receiving a total of 891,000.8910 SATURN tokens. The transaction hash is: https://bscscan.com/tx/0x948132f219c0a1adbffbee5d9dc63bec676dd69341a6eca23790632cb9475312.

Stage 2

In the second stage, the attacker utilized a flash loan of 3,300 WBNB from PancakeSwap.

Then, using PancakeSwap (WBNB-SATURN), the attacker exchanged 3,200 WBNB for 101,030,461 SATURN tokens. At this point, the exchange rate was 1 WBNB = 6,418,081 SATURN.

The SATURN tokens obtained from the exchange were sent to the address 0xc8ce1ecdfb7be4c5a661deb6c1664ab98df3cd62, which belongs to the project team. This action was taken to deplete the quantity of SATURN tokens in the PancakeSwap (WBNB-SATURN) pool. By choosing the project team's address, the attacker bypassed the daily buy/sell limit imposed on regular addresses (the limit being 50,000 SATURN). Specific addresses (those included in _excludedFees) are not subject to this limitation.

Subsequently, the attacker transferred an additional 228,832 SATURN tokens to PancakeSwap (WBNB-SATURN). Since neither the sending nor the receiving address was included in _excludedFees, and the "to" address was PancakeSwap (WBNB-SATURN), the following operations were performed. First, the fees were transferred to 0x6f8d958c4dba9cdd734bb1c435f23cd6aa35534a, and then the autoLiquidityPairTokens function was executed.

Let's take a closer look at the autoLiquidityPairTokens function. First, a portion of the tokens was burned, and then the reserve information of the PancakeSwap (WBNB-SATURN) pool was synced.

It is worth noting that in the transfer logic of SATURN tokens, the tokens from the PancakeSwap (WBNB-SATURN) pool are burned first, followed by a sync operation, and finally, the tokens are transferred to the PancakeSwap (WBNB-SATURN) pool. This allows the attacker to manipulate the transfer amounts and significantly reduce the SATURN reserves in the pool, thereby greatly increasing the value of SATURN tokens.

As a result, the value of SATURN tokens was inflated to 1 SATURN = 147,376,380,331,789,115 WBNB. Finally, the attacker drained the WBNB from the PancakeSwap (WBNB-SATURN) pool, repaid the flash loan, and made a profit of 15 WBNB.
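The effect of the burn, sync, then transfer ordering on pool pricing can be reproduced with a small constant-product model, which also shows the invariant check an auditor can apply: k must never fall outside a swap. This is an added example, not code from the SATURN contract or the original analysis; the pool sizes, the burn amount and the names Pair, sell and demo are constructed for illustration, and the 0.25% fee is the PancakeSwap v2 swap fee.

```python
from dataclasses import dataclass

FEE_NUM, FEE_DEN = 9975, 10000  # 0.25% swap fee, as in PancakeSwap v2

@dataclass
class Pair:
    """Constant-product pair: cached reserves plus the real token balance."""
    reserve_token: int
    reserve_wbnb: int
    balance_token: int

    def sync(self):
        # sync() overwrites the cached reserve with the current balance
        self.reserve_token = self.balance_token

    def k(self):
        return self.reserve_token * self.reserve_wbnb

    def wbnb_out(self):
        """WBNB a seller receives for tokens delivered since the last sync."""
        a = (self.balance_token - self.reserve_token) * FEE_NUM
        return a * self.reserve_wbnb // (self.reserve_token * FEE_DEN + a)

def sell(pair, amount, burn_from_pair=0):
    """Transfer `amount` tokens to the pair, then price the swap.
    burn_from_pair > 0 models the flawed order: burn pool tokens and sync
    BEFORE the incoming transfer is credited (burn size is an assumption)."""
    k_before = pair.k()
    if burn_from_pair:
        pair.balance_token -= burn_from_pair
        pair.sync()
    k_dropped = pair.k() < k_before  # invariant shrank outside any swap
    pair.balance_token += amount
    return pair.wbnb_out(), k_dropped

def demo():
    # Constructed pool: 1,000,000 tokens and 100 WBNB (18 decimals)
    wbnb = 100 * 10**18
    normal = sell(Pair(1_000_000, wbnb, 1_000_000), 10_000)
    flawed = sell(Pair(1_000_000, wbnb, 1_000_000), 10_000, burn_from_pair=999_000)
    return normal, flawed

if __name__ == "__main__":
    (n_out, n_flag), (f_out, f_flag) = demo()
    print(f"normal: {n_out / 10**18:.4f} WBNB, k dropped: {n_flag}")
    print(f"flawed: {f_out / 10**18:.4f} WBNB, k dropped: {f_flag}")
```

In the model, the same 10,000-token sale prices at under 1% of the pool's WBNB with honest reserves and at over 90% once the reserve has been burned and synced first.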

Conclusion

The vulnerability in this case occurred due to the synchronization (sync) operation being performed on the PancakeSwap (WBNB-SATURN) pool before processing the incoming token transfers. This led to distorted reserves in the PancakeSwap (WBNB-SATURN) pool and a significant increase in the value of SATURN tokens. It is recommended that project teams thoroughly validate the design of their economic models and code execution logic, and consider multiple audits from different auditing companies before deploying contracts.
