SATX Token Hack Analysis

lunaray
Apr 17, 2024

Background

We have detected a series of on-chain attacks targeting the SATX Token.

The hacker initiated two attacks:

First Attack

Second Attack

The attacker's initial funds came from TornadoCash.

Interestingly, the function name of the attacker’s attack contract is “f***you.”

Attack Details

The attacker first exchanged 0.001 WBNB for 13.397690168956297175 SATX using PancakeSwap. Subsequently, they exchanged 60 WBNB using the PancakeSwap Pair WBNB-CAKE.

In a callback function, they further exchanged 0.0001 WBNB for 350018.558642186154111639 SATX (which was then converted to 52 WBNB within the callback function).

They then transferred the acquired 350018.558642186154111639 SATX to the PancakeSwap Pair WBNB-SATX, causing an imbalance in funds. The attacker exploited the vulnerability by rebalancing the funds through calls to skim and sync.

Inspecting the SATX Token contract code shows that the transfer function mistakenly sends out a significant portion of SATX, which results in a sudden decrease of SATX in the PancakeSwap Pair WBNB-SATX pool. This led to a surge in SATX value due to the AMM algorithm used by PancakeSwapV2.

First, the amount of SATX is transferred to the _tokenOwner.

Following that, 2.99% of the amount of SATX is transferred to the SATX Token contract, while 97.01% of the amount is divided into 10%, 9%, and 8.3% portions and transferred to three externally owned accounts (EOAs).

Before calling skim, 1 WBNB was equivalent to 13844 SATX. After calling skim, 1 WBNB was equivalent to 33 SATX, causing the value of SATX to skyrocket by over 600 times.
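The effect of skim followed by sync on the recorded reserve can be reproduced in a small Python model. This is an added example, not the SATX contract's code or the author's: the account names, pool sizes and the rule that the side transfers are charged to the sender when the sender is the pair are assumptions, and the percentages follow one reading of the description above.

```python
# Simplified model, not the SATX contract's code. Account names and pool sizes are
# constructed. Assumption: the side transfers are charged to the sender when the
# sender is the pair; the percentages follow one reading of the post.
class Token:
    def __init__(self, balances, pair, buggy):
        self.bal, self.pair, self.buggy = dict(balances), pair, buggy

    def _move(self, src, dst, amt):
        if self.bal.get(src, 0) < amt:
            raise ValueError("insufficient balance")
        self.bal[src] = self.bal.get(src, 0) - amt
        self.bal[dst] = self.bal.get(dst, 0) + amt

    def transfer(self, src, dst, amt):
        self._move(src, dst, amt)
        if self.buggy and src == self.pair:
            self._move(src, "tokenOwner", amt)                      # full amount again
            self._move(src, "token_contract", amt * 299 // 10_000)  # 2.99%
            rest = amt * 9_701 // 10_000                            # 97.01%
            for eoa, permille in (("eoa1", 100), ("eoa2", 90), ("eoa3", 83)):
                self._move(src, eoa, rest * permille // 1_000)

class Pair:
    def __init__(self, token, satx_reserve, wbnb_reserve):
        self.token, self.r_satx, self.r_wbnb = token, satx_reserve, wbnb_reserve

    def skim(self, to):   # pay out whatever the pair holds above its recorded reserve
        excess = self.token.bal["pair"] - self.r_satx
        self.token.transfer("pair", to, excess)

    def sync(self):       # overwrite the recorded reserve with the actual balance
        self.r_satx = self.token.bal["pair"]

def skim_then_sync(buggy, donation=100_000):
    """Return (SATX debited from the pair by skim, SATX reserve after sync)."""
    token = Token({"pair": 1_000_000, "sender": donation}, "pair", buggy)
    pair = Pair(token, satx_reserve=1_000_000, wbnb_reserve=100)
    token.transfer("sender", "pair", donation)   # pair balance now exceeds its reserve
    held = token.bal["pair"]
    pair.skim("sender")
    debited = held - token.bal["pair"]
    pair.sync()
    return debited, pair.r_satx

if __name__ == "__main__":
    for buggy in (False, True):
        debited, reserve = skim_then_sync(buggy)
        # Invariant an audit test would assert: skim removes only the excess.
        print(f"buggy={buggy} debited={debited} reserve={reserve} ok={debited == 100_000}")
```

With a correct transfer the reserve returns to 1,000,000 after sync; with the over-debiting transfer it falls to 870,528 while the WBNB reserve is untouched, so the pool prices each remaining SATX higher.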

Subsequently, the attacker exchanged the SATX for WBNB through a ‘swap’ transaction. Through this attack, the attacker made a profit of approximately 50 BNB.
