Cointime

SharkTeam: Analysis of the HashFlow Attack Incident

On June 14, 2023, Beijing time, HashFlow fell victim to a hacker attack, resulting in an estimated profit of around $600,000 for the attackers.

SharkTeam conducted a prompt technical analysis of the incident and has summarized security measures to be taken as a precautionary approach. It is our hope that this incident serves as a lesson for future projects, contributing to the strengthening of security defenses within the blockchain industry.

1. Incident Analysis

Attacker address: 0xBDf38B7475Ff810325AA39e988fb80E0aA007E84

Attack contract: 0xDDb19a1Bd22C53dac894EE4E2FBfdB0A06769216

Attacked contract: 0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c

Attack transactions:

0xdedda493272b6b35660b9cc9070d2ea32ee61279b821184ff837e0a5752f4042

0xb08f6d3fc70b95223cfffc2c905d9c0467a589e5f652cd193e5c00b4ad329b99

0x08b5f35076beb363a7206b8f9b4a6460f42aa9f998b561582fb4e4cdd6f05dce

1. After deploying the attack contract (0xDDb19a1B), the attacker (0xBDf38B74) proceeded to call the Wooooo function within the attack contract (0xDDb19a1B).

2. The attack contract (0xDDb19a1B) called the function 0x0031b016 of the target contract (0x79cdFd7B) during the attack.

3. That function transferred the users' USDT tokens directly to the attack contract, drawing on the token allowances those users had previously granted to the target contract.

2. Vulnerability Analysis

The target contract (0x79cdFd7B) is a deprecated HashFlow contract that was abandoned in May of the previous year, and its source code was never published. Reverse engineering shows that the contract transfers tokens from the "from" address to the "to" address. It is highly likely that, before it was abandoned, users had granted this contract large token allowances. Those allowances were never revoked after the contract was deprecated, and because the contract apparently did not adequately restrict who could call it once deprecated, the attacker was able to invoke its transfer function and move user assets.

3. Subsequent Developments

After carrying out the attack, the attacker (0xBDf38B74) open-sourced the attack contract and left a message stating, "Before use recover, please revoke first. Your funds are not safe." This message serves as a reminder to users to revoke their authorizations to the targeted contract (0x79cdFd7B) before transferring their funds elsewhere.

The hacker left behind two functions. One allows users to withdraw all of their funds, while the other leaves 10% of the assets as a reward for the attacker. At the time of writing, users have begun withdrawing their funds one by one.

4. Security Recommendations

This incident occurred because the targeted contract (0x79cdFd7B) had received large user allowances in the past, and those allowances were not revoked after the contract was deprecated, which led to the loss of user assets. To prevent similar attacks in the future, the following precautions should be observed during the development process:

(1) Project developers should thoroughly validate and address any potential logic issues that may arise after deprecating a contract.

(2) Users should regularly review the allowances their accounts have granted to different protocol contracts and promptly revoke allowances for contracts they no longer interact with or that have been upgraded or replaced.

(3) Before deploying contract upgrades, it is crucial to collaborate with professional third-party auditing teams to ensure security.
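To make the failure mode from the vulnerability analysis and recommendations (1) and (2) concrete, here is an added, self-contained Python model (not SharkTeam's or HashFlow's code) of ERC-20 allowances and a router contract that pulls tokens with transferFrom. The Token, Router, "old_router", "user" and "attacker" names and the 1,000-token balance are all constructed for the illustration; the model shows why a stale unlimited approval to a deprecated router is still exploitable, and that either a hardened router (caller may only move its own tokens, and deprecation actually disables it) or a revoked allowance stops the transfer.

```python
# Added illustration (not SharkTeam's or HashFlow's code): a constructed model of
# ERC-20 allowances plus a router that pulls tokens with transferFrom.
from collections import defaultdict

class Token:
    """Constructed ERC-20 stand-in: balances and owner->spender allowances."""
    def __init__(self, balances):
        self.balances = defaultdict(int, balances)
        self.allowance = defaultdict(int)

    def approve(self, owner, spender, amount):
        self.allowance[(owner, spender)] = amount

    def transfer_from(self, caller, src, dst, amount):
        # ERC-20 checks only src's allowance to the caller (the router contract);
        # the token never sees or authenticates the end user behind the router.
        if self.allowance[(src, caller)] < amount or self.balances[src] < amount:
            raise PermissionError("insufficient allowance or balance")
        self.allowance[(src, caller)] -= amount
        self.balances[src] -= amount
        self.balances[dst] += amount

class Router:
    """Deprecated-contract model; hardened=True adds the checks the analysis says were missing."""
    def __init__(self, token, name, hardened=False):
        self.token, self.name, self.hardened = token, name, hardened
        self.disabled = False

    def move(self, caller, src, dst, amount):
        if self.hardened:
            if self.disabled:
                raise PermissionError("router is deprecated")
            if caller != src:
                raise PermissionError("caller may only move its own tokens")
        self.token.transfer_from(self.name, src, dst, amount)

def scenario(hardened, revoked):
    """Return (user balance, attacker balance) after a stranger calls the deprecated router."""
    usdt = Token({"user": 1_000})
    old = Router(usdt, "old_router", hardened)
    usdt.approve("user", old.name, 2**256 - 1)  # common unlimited approval
    old.disabled = True                          # project deprecates the router
    if revoked:
        usdt.approve("user", old.name, 0)        # recommendation (2): revoke
    try:
        old.move("attacker", "user", "attacker", 1_000)
    except PermissionError:
        pass
    return usdt.balances["user"], usdt.balances["attacker"]
```

Only the unhardened router with an unrevoked allowance lets the stranger drain the user; the other two scenarios leave the user's balance intact.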

About us

SharkTeam's vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world who are proficient in the underlying theory of blockchains and smart contracts, and it provides services including smart contract auditing, on-chain analysis, and emergency response. SharkTeam has established long-term cooperative relationships with key players across the blockchain ecosystem, such as Polkadot, Moonbeam, Polygon, OKC, Huobi Global, imToken, and ChainIDE.
Official website: https://www.sharkteam.org/
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg
