Cointime

Cointime

Download App
iOS & Android

SharkTeam: Analysis of the HashFlow Attack Incident

On June 14, 2023, Beijing time, HashFlow fell victim to a hacker attack, resulting in an estimated profit of around $600,000 for the attackers.

SharkTeam conducted a prompt technical analysis of the incident and has summarized security measures to be taken as a precautionary approach. It is our hope that this incident serves as a lesson for future projects, contributing to the strengthening of security defenses within the blockchain industry.

1. Incident analysis

Attacker address: 0xBDf38B7475Ff810325AA39e988fb80E0aA007E84

Attack contract: 0xDDb19a1Bd22C53dac894EE4E2FBfdB0A06769216

Attacked contract: 0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c

Attack transactions:

0xdedda493272b6b35660b9cc9070d2ea32ee61279b821184ff837e0a5752f4042

0xb08f6d3fc70b95223cfffc2c905d9c0467a589e5f652cd193e5c00b4ad329b99

0x08b5f35076beb363a7206b8f9b4a6460f42aa9f998b561582fb4e4cdd6f05dce

1. After deploying the attack contract (0xDDb19a1B), the attacker (0xBDf38B74) proceeded to call the Wooooo function within the attack contract (0xDDb19a1B).

2. The attack contract (0xDDb19a1B) called the function 0x0031b016 of the target contract (0x79cdFd7B) during the attack.

3. The function directly transferred the user's USDT tokens to the attack contract.

2. Vulnerability Analysis

The target contract (0x79cdFd7B) that was attacked is a deprecated HashFlow contract, which was abandoned in May of the previous year and was not open-source. Through reverse engineering, it can be observed that the contract transfers tokens from the "from" address to the "to" address. Based on analysis, it is highly likely that users had granted significant authorization to this contract before May of the previous year. However, after the contract was deprecated, these authorizations were not revoked, and due to potential issues with the restriction logic after deprecation, attackers were able to call functions in the deprecated contract to transfer user assets.

3. Subsequent Developments

After carrying out the attack, the attacker (0xBDf38B74) open-sourced the attack contract and left a message stating, "Before use recover, please revoke first. Your funds are not safe." This message serves as a reminder to users to revoke their authorizations to the targeted contract (0x79cdFd7B) before transferring their funds elsewhere.

The hacker left behind two functions. One function allows users to withdraw all their funds, while the other function leaves 10% of the assets as a reward for the attacker. Currently, users have started withdrawing their funds one by one.

4. Security Recommendations

The occurrence of this incident was due to the fact that the targeted contract (0x79cdFd7B) had received significant user authorizations in the past, and these authorizations were not revoked after its deprecation, resulting in user asset losses. To prevent similar attacks in the future, it is important to follow these precautions during the development process:

(1) Project developers should thoroughly validate and address any potential logic issues that may arise after deprecating a contract.

(2) Users should regularly review their account authorizations for different protocol contracts and promptly revoke authorizations for contracts they no longer interact with or have been upgraded.

(3) Before deploying contract upgrades, it is crucial to collaborate with professional third-party auditing teams to ensure security.

About us

SharkTeam’s vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. It has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.
Official website: https://www.sharkteam.org/
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg

Web3 SharkTeam
Comments

All Comments

Recommended for you

  • 38,244.04 DMD Permanently Burned in the Past 7 Days

    On June 25, 2026, the latest on-chain data from DMDAO revealed that a total of 38,244.04 DMD has been permanently burned through the established transaction and wealth management burn mechanisms over the past 7 calendar days.

  • BTC Falls Below $60,000

    Market data shows that BTC has fallen below $60,000, currently priced at $59,954.84, with a 24-hour decline of 4.19%. The market is experiencing significant volatility, so please ensure proper risk management.

  • ETH Drops Below $1600

    Market data shows that ETH has fallen below $1600, currently priced at $1597.55, with a 24-hour decline of 3.81%. The market is experiencing significant volatility, so please ensure proper risk management.

  • Billionaire Philippe Laffont Prefers Investing in Space Over Bitcoin

    Philippe Laffont, founder and portfolio manager of Coatue Management, stated on the Squawk Box program that he is currently unable to determine his stance on Bitcoin. He mentioned that he is rethinking Bitcoin's positioning and expressed a preference for investing in space over Bitcoin. (thestreet)

  • Tech Giants' Data Center Leasing Commitments Exceed $850 Billion

    On June 24, an analysis by Bloomberg of regulatory filings revealed that as tech giants compete to expand their server clusters, the total amount of future data center leasing commitments by large cloud computing companies has continued to rise over the past year, surpassing $850 billion. Last quarter, Meta added leasing commitments of $79 billion, a 76% increase from the previous period; as of March 31, the total reached $182.9 billion. Meta CEO Mark Zuckerberg has stated that the company plans to invest hundreds of billions of dollars in AI infrastructure by 2030. Microsoft followed closely, adding over $41 billion in leasing commitments, bringing its total to $196.6 billion.

  • Address with $34.61 Million Long Position in 21,000 ETH Faces $1.696 Million Loss at 18x Leverage

    According to on-chain analyst Ai Yi, a certain address took a long position of 21,000 ETH with 18x leverage yesterday, amounting to approximately $34.61 million. Currently, it is facing an unrealized loss of $1.696 million, with an opening price of $1,728.5 and a liquidation price of $1,590.1.

  • U.S. 10-Year Treasury Yield Falls to 4.4138%, Lowest Since May 11

    On June 24, the yield on U.S. 10-year Treasury bonds fell to 4.4138%, the lowest level since May 11. The yield on U.S. 30-year Treasury bonds dropped to 4.8572%, the lowest since April 15.

  • Crypto Market Liquidations Reach $134 Million in the Last Hour, with $125 Million in Long Liquidations

    According to CoinGlass data, the total liquidation amount across the network in the last hour reached $134 million, with long liquidations accounting for $125 million and short liquidations amounting to $8.539 million.

  • BTC Falls Below $61,000

    Market data shows that BTC has fallen below $61,000, currently priced at $60,986.03, with a 24-hour decline of 2.88%. The market is experiencing significant volatility, so please ensure proper risk management.

  • Web3 data and AI company Validation Cloud completes $10 million in new round of financing

     Web3 data and AI company Validation Cloud announced a $10 million financing round from True Global Ventures. The company plans to use the funds to expand its AI products and achieve seamless access to Web3 data.

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company