At 14:35 Vietnam time on the afternoon of February 27, 2023, LZ Token recorded an unexpected dump event as follows:

After receiving the information, Verichains conducted a root-cause analysis and determined that the hack exploited a security flaw in a contract, temporarily called Contract X, at address 0x6d8981847eb3cc2234179d0f0e72f6b6b2421a01, whose source has not been verified. It is worth noting that the wallet "LZ Deployer" had approved a very large amount of LZ and BUSD to this contract more than 1 year ago. Verichains then submitted the analysis to the LaunchZone project so that it could proceed with remediation and damage reduction.
Attack flow analysis
LZ Token was exploited by the address labelled DND Exploiter at 14:32 Vietnam time on February 27, 2023. The transaction that dumped the price of LZ Token:
https://bscscan.com/tx/0xaee8ef10ac816834cd7026ec34f35bdde568191fe2fa67724fcf2739e48c3cae
The hacker deployed an "attack contract"; the exploitation of LZ Token is executed inside this contract as follows:
Call the function that finds the pair and swaps LZ to BUSD on Biswap (temporarily called the swap function). This function belongs to Contract X mentioned above; more than 1 year ago, the wallet "LZ Deployer" approved 1 billion LZ and 39 million BUSD for this contract.
LZ Deployer approves the contract for 1 billion LZ:
https://bscscan.com/tx/0x3ab13a622105fdcf0293ed1a0a7918375e1a05123160efdc5e23ec121ac6d944

LZ Deployer approves the contract for over 39 million BUSD:
https://bscscan.com/tx/0x444edcefe7de6504ae70deb292c80211dbff0ddb13bf6689cb05d5a068307ca0

The hacker calls the swap function of this third-party contract to swap 9.8 million LZ, sending nearly 7 BUSD back to LZ Deployer through the BSW-LP pair (Biswap).
The hacker then funded the attack contract with 50 BUSD and immediately swapped those 50 BUSD for more than 9.8 million LZ through Biswap.
Finally, the attacker swapped the more than 9.8 million LZ obtained for nearly 88k BUSD through PancakeSwap. At this point the price of LZ Token had fallen by a factor of 46.
Having collected nearly 88k BUSD, the hacker withdrew the tokens to his own wallet and self-destructed the attack contract.
Some related addresses:
+ LZ Deployer: 0xdad254728A37D1E80C21AFae688C64d0383cc307
+ Attacker: 0x7d192FA3a48C307100C3E663050291Fff786aA1F
+ Attack Contract: 0x1C2B102f22c08694EEe5B1f45E7973b6EACA3e92
+ Contract X: 0x6D8981847Eb3cc2234179d0F0e72F6b6b2421a01
+ BSW-LP: 0xDb821BB482cfDae5D3B1A48EeaD8d2F74678D593
Vulnerability and root cause analysis
Above is the behaviour of the hacker, who exploited the contract to dump the price of LZ Token and profited by nearly 88k BUSD. The following is a detailed analysis of the vulnerability and the cause of the attack.
We determined that Contract X mentioned above is the implementation contract behind the SwapX Proxy (neither verified nor audited); the proxy lets users submit calldata, which it forwards in a call to the implementation contract: https://bscscan.com/address/0x0ccee62efec983f3ec4bad3247153009fb483551

SwapX is an AMM developed in the BSCex ecosystem, and the LZ token is integrated within this ecosystem.

When reviewing the bytecode of the contract, the following security flaws can be seen:
+ The proxy invokes the implementation with call instead of delegatecall.
+ The functions in the implementation allow arbitrary external calls to be made through the proxy.
In particular, the fatal flaw is that the function responsible for swapping in the implementation performs transferFrom() from any address supplied by the caller, instead of the normal transferFrom logic from msg.sender used by other swaps. Therefore, the hacker can swap "on behalf of" others by controlling the calldata passed through the proxy.
Since the "LZ Deployer" wallet had used SwapX before and had approved this contract to spend a large amount of BUSD and LZ tokens, the hacker swapped a very large amount of LZ tokens for BUSD, driving LZ's price extremely low on the Biswap pair. The hacker then used 50 BUSD to buy back 9.8 million LZ tokens, and eventually exchanged those 9.8 million tokens for nearly 88k BUSD on PancakeSwap.
Verichains has submitted the root-cause analysis details to the LaunchZone project so it can proceed with remediation and damage reduction.
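To make the root cause concrete, the following is an added Solidity example and not the SwapX or Contract X code (whose source is unverified): a swap routine that takes the seller as a caller-supplied parameter, its hardened form that only spends msg.sender's allowance, and a proxy that forwards with call so that the implementation cannot rely on msg.sender. VulnerableSwap, SafeSwap, CallForwardingProxy and the IPair interface are hypothetical names chosen for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration: these contracts are hypothetical and are NOT the SwapX / Contract X
// bytecode. They reproduce the pattern described in the root-cause analysis above.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Hypothetical AMM pair interface: expects `amountIn` of tokenIn to have been sent to it
// and pays tokenOut to `to`. Pricing is the pair's concern and irrelevant to the bug shown.
interface IPair {
    function swapExactIn(address tokenIn, uint256 amountIn, uint256 minOut, address to)
        external returns (uint256 amountOut);
}

// Pattern from the analysis: the seller is a caller-supplied parameter. Anyone can sell
// tokens belonging to ANY address that holds an outstanding approval to this contract,
// into any pair, and direct the proceeds wherever they like.
contract VulnerableSwap {
    function swap(
        address from,      // BUG: the caller chooses whose tokens are sold
        address pair,
        address tokenIn,
        uint256 amountIn,
        uint256 minOut,
        address to
    ) external returns (uint256) {
        // Spends `from`'s allowance with no check that from == msg.sender.
        require(IERC20(tokenIn).transferFrom(from, pair, amountIn), "transferFrom failed");
        return IPair(pair).swapExactIn(tokenIn, amountIn, minOut, to);
    }
}

// Hardened form: only the caller's own allowance can be spent, and the caller receives
// the output. A standing approval from another wallet is of no use to the caller.
contract SafeSwap {
    function swap(
        address pair,
        address tokenIn,
        uint256 amountIn,
        uint256 minOut
    ) external returns (uint256) {
        require(IERC20(tokenIn).transferFrom(msg.sender, pair, amountIn), "transferFrom failed");
        return IPair(pair).swapExactIn(tokenIn, amountIn, minOut, msg.sender);
    }
}

// Why the proxy design matters: forwarding with `call` starts a new execution context, so
// inside the implementation msg.sender is the proxy, not the user. The implementation
// therefore cannot use msg.sender to identify who is swapping. A delegatecall-based proxy
// runs the implementation code in the proxy's own context and preserves msg.sender.
contract CallForwardingProxy {
    address public immutable implementation;

    constructor(address impl) {
        implementation = impl;
    }

    fallback() external payable {
        // `call`: msg.sender seen by `implementation` is address(this)
        (bool ok, bytes memory ret) = implementation.call{value: msg.value}(msg.data);
        if (!ok) {
            assembly { revert(add(ret, 32), mload(ret)) }
        }
        assembly { return(add(ret, 32), mload(ret)) }
    }
}
```

Any wallet with a standing approval to VulnerableSwap (as LZ Deployer had to Contract X) can have its tokens sold by a stranger into a thin pool; SafeSwap limits exposure to the caller's own allowance, and approving only the amount a transaction needs limits it further.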
Advice
If you have ever used SwapX on BSCex, please double-check your wallet and, in particular, revoke previous approvals using online tools such as https://defi.krystal.app/token-approval-checker or https://revoke.cash
Addresses that hold a lot of coins in the ecosystem need to be careful when using them.
Only approve a sufficient amount to perform the transaction, do not approve a large amount.
Before launch, and before users are asked to trust it, each product should undergo a security audit by reputable security companies.
==========
About Verichains
Since 2017, Verichains has been a pioneer and leading blockchain security firm in APAC, with extensive expertise in security, cryptography and core blockchain technology. More than 200 clients trust us with $50 billion in assets under protection, including several high-profile clients such as BNB Chain, Klaytn, Wemix, Multichain, Line Corp, Axie Infinity, Ronin Network, and Kyber Network.
Our world-class security and cryptography research team has found several vulnerabilities in layer-1 protocols, crypto libraries, bridges, and smart contracts. We are also proud to be the firm that helped investigate, root-cause, and fix security issues in the two largest global crypto hacks: BNB Chain Bridge and Ronin Bridge (Sky Mavis).
With the in-depth research and development of blockchain technology, Verichains provides blockchain security services such as blockchain protocol and smart contract security audit, mobile application protection, key management solution, on-chain risk monitoring, and red team/penetration testing services.
Homepage:
https://www.verichains.io
Email: info@verichains.io
Twitter: https://twitter.com/Verichains
LinkedIn: https://www.linkedin.com/company/verichains
Facebook: https://facebook.com/verichains
Telegram: https://t.me/+Y29xcaxJLJxjNDVl
