Cointime

Cointime

Download App
iOS & Android

SharkTeam: Analysis of the Midas Capital Attack Incident

On June 18, 2023, Beijing time, Midas Capital was targeted in an attack, and the attackers have profited approximately $600,000.

SharkTeam conducted an immediate technical analysis of this incident and summarized security measures. We hope that future projects can learn from this and strengthen the security defenses in the blockchain industry.

1. Incident analysis

Attacker address: 0x4b92cc3452ef1e37528470495b86d3f976470734

Attack contract: 0xc40119c7269a5fa813d878bf83d14e3462fc8fde

Attacked contract: 0xF8527Dc5611B589CbB365aCACaac0d1DC70b25cB

Attack transactions: 0x1ebc03f0f2257c275f4990b4130e6c3e451125aa98ee8bbde8aba5dc0320c659

Attack Process:

(1) The attacker (0x4b92cc34) invokes the function 0x117741f7 of the attack contract (0xc40119c7), and first calls the mint function of the targeted contract (0xF8527Dc5) to convert 518,614,966,827,953,435,094 sAMM-HAY/BUSD tokens into 2 fsAMM-HAY-BUSD tokens, which are the collateral tokens.

Select an Image

(2) Subsequently, the attacker calls the redeemUnderlying function of the targeted contract (0xF8527Dc5) to extract 518,614,966,827,953,435,091 sAMM tokens. However, instead of extracting all of them, they leave 3 tokens behind. It's important to note that at this point, only 1 fsAMM token has been transferred out of the attack contract.

Select an Image

(3) Then, the attacker calls the redeemUnderlying function of the targeted contract (0xF8527Dc5) again, extracting an additional 518,096,869,957,995,439,653 sAMM tokens. Since there is still 1 fsAMM token remaining in the attack contract (0xc40119c7) account, the extraction is successful.

Select an Image

(4) The above operations are repeated in a loop, and as the arbitrage process progresses, the quantity of minted tokens doubles, and the number of calls to the redeemUnderlying function also doubles.

Select an Image

(5) After multiple rounds of attack transactions, the obtained sAMM tokens are ultimately exchanged for profits by exiting with BUSD, HAY, ANKR, WBNB, ankrBNB, and other assets.

Select an Image

2. Vulnerability Analysis

Since the logic contract of the targeted contract (0xF8527Dc5) is currently not open-source, we can only rely on traces and previous logic contracts to find clues. We found that the code forked Compound's code and shares similarities with Hundred Finance, introducing a third-party math library.

Select an Image

In the divUInt function, the division operation a/b is used, which is fine in terms of calculation. However, due to Solidity's lack of support for floating-point arithmetic, the result is rounded down. The attacker (0x4b92cc34) strictly controls the input quantity every time they call the redeemUnderlying function. This leads to a situation where the calculated result becomes 1.99999999999... but is rounded down to 1 by default.

In the third step, the attack contract (0xc40119c7) retrieves slightly fewer sAMM tokens. As a result, the calculated result becomes 1. Consequently, each time the attacker (0x4b92cc34) stakes and extracts the principal, it doubles.

3. Security Recommendations

The root cause of this incident was the integration of a math library in the targeted contract (0xF8527Dc5), where the redeemUnderlying function rounds down the quantity of fsAMM tokens that the attacker (0x4b92cc34) needs to transfer. This resulted in the attacker (0x4b92cc34) halving the cost they would otherwise have to pay and enabling them to repeatedly exploit the arbitrage opportunity.

To prevent similar attacks, it is essential to follow the following considerations during the development process:

(1) Solidity does not support floating-point arithmetic. When implementing integer operations, it is recommended to perform multiplication before division or use appropriate precision mechanisms.

(2) Before deploying a project, seek technical assistance from professional third-party audit teams to conduct a thorough security review.

About us

SharkTeam’s vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. It has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.Official website: https://www.sharkteam.org/Twitter: https://twitter.com/sharkteamorgDiscord: https://discord.gg/jGH9xXCjDZTelegram: https://t.me/sharkteamorg

Comments

All Comments

Recommended for you

  • US Spot Ethereum ETF Sees Net Outflow of $4.93 Million

    On June 13, according to monitoring by Trader T, the US spot Ethereum ETF experienced a net outflow of $4.93 million yesterday.

  • US Spot Bitcoin ETF Sees Net Inflow of $85.82 Million Yesterday

    On June 13, according to monitoring by Trader T, the US spot Bitcoin ETF recorded a net inflow of $85.82 million yesterday.

  • U.S. Bans Foreign Access to Fable 5 and Mythos 5; Anthropic Issues Detailed Rebuttal

    On June 13, Anthropic issued a statement announcing that the U.S. government, citing national security powers, has released an export control directive requiring the suspension of all access to the AI models Fable 5 and Mythos 5 by foreign entities, regardless of whether the individuals are within the U.S., including Anthropic employees who are foreign nationals. The practical effect of this order is that we must immediately disable access to Fable 5 and Mythos 5 for all customers to ensure compliance. Access to all other Anthropic models will not be affected. We received the government's directive at 5:21 PM (Eastern Time) today. The letter did not specify the details of its national security concerns. Our understanding is that the government believes it has become aware of a method to bypass or 'jailbreak' Fable 5. So far, the government has only provided us with verbal evidence suggesting the existence of a potential narrow, non-general jailbreak, essentially by requiring the model to read specific code libraries and fix any software defects. We are complying with the government's legitimate directive and are in the process of removing all users' access to Fable 5 and Mythos 5. However, we disagree with the conclusion that 'a narrow potential jailbreak vulnerability should be the reason to recall commercial models deployed to hundreds of millions of users.' (Jinshi)

  • Iranian Foreign Minister: Iran-U.S. Memorandum of Understanding May Be Signed in Days

    On June 13, Iranian media reported that Iranian Foreign Minister Amir-Abdollahian stated that once the final stage of negotiations between Iran and the U.S. is completed, the memorandum of understanding will be signed and announced immediately. The first phase will be signed electronically from a distance, "which may happen in the coming days." (Xinhua News Agency)

  • U.S. Officials: U.S. and Iran Close to Agreement, Signing Expected in Coming Days

    On June 13, Reuters reported that a senior U.S. official stated on Friday local time that the U.S. and Iran have not yet truly reached the finish line, but are very close to finalizing an agreement to resolve their conflicts. Washington expects to sign the agreement in the coming days. 'The negotiating team has put us in a very favorable position, but we still need to see, we haven't really reached the finish line, but we are very close,' the U.S. official said. The official noted that the agreed terms achieve a core goal of Trump. The memorandum of understanding includes the reopening of the Strait of Hormuz and the lifting of U.S. blockades on Iranian ports. Iran's highly enriched uranium will also be destroyed on-site and subsequently removed from the country. 'Iran will not gain anything from signing the memorandum or from the negotiations themselves,' the official said. 'They will receive economic rewards for fulfilling the obligations set forth in the agreement. Therefore, if they commit to handing over nuclear materials, they will gain something. If they dismantle their nuclear program or facilities, they will receive additional benefits.'

  • Iran's Foreign Ministry: Iran is Reviewing Draft Memorandum of Understanding

    On June 13, local time on the 12th, Iranian Foreign Ministry spokesperson Baghaei stated that Iran and the United States have reached an understanding on most issues, and Iran is currently in the final stages of compiling the text of the memorandum of understanding. Therefore, the previous statement by Iranian Foreign Minister Amir-Abdollahian that 'the two sides are very close to reaching an understanding' is accurate and noteworthy. Meetings of relevant decision-making bodies are ongoing, and this is a process that is being continuously advanced. To achieve a final and decisive outcome, consensus must be formed among decision-making bodies and relevant departments. Baghaei also mentioned that various speculations regarding the content of the agreement text have not been confirmed. Although specific details of the diplomatic process cannot be publicly discussed at this time, this does not mean that the public does not have the right to be informed. (CCTV News)

  • SpaceX Opens at $150 on First Day of Trading, IPO Price Set at $135

    On June 12, SpaceX opened at $150 on its first day of trading, with an IPO price set at $135.

  • Iranian Foreign Minister Claims Iran and US 'Have Never Been Closer' to Memorandum of Understanding

    On June 12, Iranian Foreign Minister Amir-Abdollahian stated on social media that Iran and the US 'have never been closer' to reaching a memorandum of understanding. He urged the media to refrain from speculating on its contents before finalization. The Iranian side will disclose all details in due course. (CCTV News)

  • BTC Surpasses $64,000

    Market data shows that BTC has surpassed $64,000, currently priced at $64,107.99, with a 24-hour increase of 2.18%. The market is experiencing significant volatility, so please ensure proper risk management.

  • ARM Soars Nearly 10%, Bank of America Predicts Server CPU Market to Quadruple by 2030

    On June 12, ARM surged nearly 10%, reaching $376.18. According to a recent forecast by Vivek Arya, an analyst at Bank of America Global Research, the total addressable market (TAM) for server CPUs is expected to skyrocket from $35 billion in 2025 to over $170 billion by 2030. This significantly exceeds the bank's previous prediction of a $125 billion market size for server CPUs by 2030. Arya stated in the report, 'We believe the rise of agent-based AI is a powerful demand accelerator that not only expands the market opportunities for CPUs but also benefits Intel, AMD, and challengers based on Arm architecture.'

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company