Cointime


Cracking the Code: Delving into the Elaborate Scheme Behind BabyDogecoin's Flash Loan Attack

In a recent incident, the popular Binance Smart Chain (BSC) token @babydogecoin fell victim to a flash loan attack, resulting in a loss of approximately $157,000. The attack exploited a misconfiguration of the BabyDoge contract: the FarmZAP contract had been excluded from the token's fee-charging mechanism, which allowed the attacker to manipulate the price of $BabyDoge on the PancakeSwap pair and have the BabyDoge contract dump its own $BabyDoge tokens at that lower price. The attack transaction, available at https://bscscan.com/tx/0x098e7394a1733320e0887f0de22b18f5c71ee18d48a0f6d30c76890fb5c85375, provides insight into the steps taken by the attacker.

Here are the key details of the incident.

Token:

  • Token under attack: BabyDoge
  • Contract address: https://bscscan.com/address/0xc748673057861a797275CD8A068AbB95A902e8de#readContract

Attacker:

https://bscscan.com/address/0xcbc0d0c1049eb011d7c7cfc4ff556d281f0afebb

Attacking Contract:

https://bscscan.com/address/0x51873a0b615a51115f2cfbc2e24d9db4bfa2e6e2

Attacked Contracts:

BabyDoge https://bscscan.com/address/0xc748673057861a797275CD8A068AbB95A902e8de

TreatSwap pair https://bscscan.com/address/0x0536c8b0c3685b6e3c62a7b5c4e8b83f938f12d1

Pairs Involved:

Attacking Steps:

  1. The attacker acquired 80,000 BNB through a flash loan from Radiant: Lending Pool.
  2. Using the FarmZAP contract, the attacker called the buyTokensAndDepositOnBehalf function to exchange 80,000 BNB for a staggering 3,529,864,186,667,202 $BabyDoge from the TreatSwap pair.
  3. The attacker then swapped 3,525,976,210,595,834 $BabyDoge for 13,208 BNB on the PancakeSwap pair, driving down the price of $BabyDoge.
  4. By triggering the BabyDoge contract's swapAndLiquify action, the attacker caused the contract to dump its own $BabyDoge into the PancakeSwap pair at the now-lower price.
  5. Next, the attacker swapped 13,208 BNB for 3,607,312,208,477,806 $BabyDoge on the PancakeSwap pair.
  6. The attacker then exchanged 3,607,312,208,477,806 $BabyDoge for 80,509 BNB on the TreatSwap pair.
  7. Finally, the attacker repaid 80,072 BNB to the Radiant: Lending Pool, securing a profit of 437 BNB.

Five hours after the exploit, the project owner included the FarmZAP contract in the fee-charging mechanism again.

Here is the transaction: https://bscscan.com/tx/0x0c7fa7a334a31c60d9e7f7fd58063aef8cc78680f8e506c4bf4f4761aafe89f2.

Root Cause

The root cause of this attack is a crucial lesson for the entire DeFi community. It highlights the importance of comprehensive security measures and thorough audits of smart contracts. In this case, excluding the FarmZAP contract from the fee-charging mechanism created an exploitable vulnerability: swaps routed through that contract paid no transfer fee, which allowed the attacker to manipulate the price of $BabyDoge on the PancakeSwap pair and profit from the contract's own swapAndLiquify sale.
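To see why the fee exclusion and the swapAndLiquify sale only pay off in combination, the following constant-product model replays the seven steps above with constructed reserves and fee rates; it is an added example written for this write-up, not code from the original post or from the BabyDoge project, and the 10% transfer tax, 0.25% swap fee and pool sizes are assumptions. Reviewers can use the same loop to check whether any fee-exempt address plus an automatic token sale lets a round trip end with more BNB than it started with.

```python
# Added example (not from the original post): constant-product model of the round trip
# described above. All reserves, fee rates and balances below are constructed.

FLASH_FEE_BPS = 9      # implied by the post: 80,000 BNB borrowed, 80,072 repaid (~0.09%)
SWAP_FEE_BPS = 25      # assumed 0.25% AMM swap fee on both pairs
TAX_BPS = 1000         # assumed 10% BabyDoge transfer tax for non-exempt addresses


class Pool:
    """Constant-product BabyDoge/BNB pair; TreatSwap and PancakeSwap are both modelled this way."""

    def __init__(self, tokens: float, bnb: float):
        self.tokens, self.bnb = tokens, bnb

    @staticmethod
    def _out(reserve_in: float, reserve_out: float, amount_in: float) -> float:
        paid = amount_in * (10_000 - SWAP_FEE_BPS)
        return reserve_out * paid / (reserve_in * 10_000 + paid)

    def buy(self, bnb_in: float) -> float:        # BNB -> BabyDoge
        out = self._out(self.bnb, self.tokens, bnb_in)
        self.bnb, self.tokens = self.bnb + bnb_in, self.tokens - out
        return out

    def sell(self, tokens_in: float) -> float:    # BabyDoge -> BNB
        out = self._out(self.tokens, self.bnb, tokens_in)
        self.tokens, self.bnb = self.tokens + tokens_in, self.bnb - out
        return out


def round_trip_profit(exempt: bool, contract_tokens: float, loan: float = 500.0) -> float:
    """BNB left over after borrow / buy on TreatSwap / sell on PancakeSwap / contract dump /
    buy back on PancakeSwap / sell on TreatSwap / repay. `exempt` models the FarmZAP exclusion:
    a non-exempt sender pays TAX_BPS of every transfer to the token contract, which the contract
    later sells through swapAndLiquify. `contract_tokens` is what the contract already holds."""
    treat, cake = Pool(1e9, 1_000.0), Pool(1e9, 1_000.0)   # constructed reserves
    tax = 0 if exempt else TAX_BPS

    def taxed(amount: float) -> float:            # transfer tax credited to the token contract
        nonlocal contract_tokens
        fee = amount * tax / 10_000
        contract_tokens += fee
        return amount - fee

    held = taxed(treat.buy(loan))                 # step 2: BNB -> BabyDoge on TreatSwap
    bnb = cake.sell(taxed(held))                  # step 3: sell on PancakeSwap, price falls
    if contract_tokens > 0:                       # step 4: swapAndLiquify sells at that low price
        cake.sell(contract_tokens)                #   (the liquidity-add half is ignored here)
    held = taxed(cake.buy(bnb))                   # step 5: buy back cheaper on PancakeSwap
    bnb = treat.sell(taxed(held))                 # step 6: unwind on TreatSwap
    return bnb - loan * (1 + FLASH_FEE_BPS / 10_000)   # step 7: repay loan plus fee
```

With these constructed numbers the loop is profitable only when the caller is fee-exempt and the contract has tokens to dump; the transfer tax alone turns the same loop into a loss, and without the contract's sale the exempt caller merely pays swap fees.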

To prevent similar incidents in the future, projects should prioritize the implementation of robust security practices. This includes conducting regular audits by reputable third-party firms to identify and address potential vulnerabilities. Moreover, projects should establish mechanisms for ongoing monitoring and surveillance of token pairs on decentralized exchanges to promptly detect any suspicious or manipulative activities.

Furthermore, decentralized exchanges play a vital role in maintaining the integrity of the DeFi ecosystem. They should enhance their monitoring capabilities and implement safeguards to identify and prevent price manipulation attempts. This may involve utilizing advanced algorithms and data analysis techniques to detect abnormal trading patterns or sudden price fluctuations that could indicate fraudulent activities.

Additionally, it is crucial for the community to foster a culture of information sharing and collaboration. By sharing knowledge and experiences related to security vulnerabilities and attacks, the community can collectively learn and strengthen the defenses against potential threats. Projects and participants should actively engage in open dialogue, knowledge sharing, and the adoption of best practices to ensure the overall security and resilience of the DeFi ecosystem.

Overall, the attack on BabyDoge highlights the ongoing need for constant vigilance, robust security measures, and collaboration within the DeFi community. By learning from such incidents, the industry can continue to evolve and develop innovative solutions that uphold the principles of transparency, security, and trust in the decentralized financial landscape.

Follow Us

Twitter: @MetaTrustLabs

Website: metatrust.io
