The MSCST project on BSC was hit by a flash loan attack, resulting in a loss of $130,000.


The flash loan incident on BSC targeting the MSCST smart contract caused an estimated loss of approximately $130,000 due to a lack of access control in the releaseReward() function.

According to on-chain monitoring, the missing ACL check paved the way for the attacker to manipulate the price of the GPC token in the PancakeSwap liquidity pool, resulting in the losses.

MAIN CONTENT
  • MSCST on BSC suffered a flash loan attack, resulting in losses of approximately $130,000.
  • Cause: Missing access control in releaseReward().
  • GPC's price was manipulated in the PancakeSwap pool 0x12da.

Sequence of events and extent of the damage

BlockSec Phalcon reports that MSCST, a previously unidentified smart contract on BSC, was subjected to a flash loan attack, resulting in estimated losses of approximately $130,000.

The incident was reported on December 29th. According to the monitoring alert, the attacker used a flash loan to execute a sequence of transactions within a single block, enabling manipulation of liquidity and of the token price.

The affected assets are linked to the GPC token and the PancakeSwap liquidity pool identified as 0x12da, where the price was manipulated to enable profit-taking during the attack.

Technical vulnerability: missing Access Control in releaseReward()

The vulnerability stems from the lack of an access control (ACL) check in MSCST's releaseReward() function, allowing any address, including the attacker's contract, to call it without authorization.

When a sensitive function can be called by anyone, an attacker can interfere with the reward flow and its related parameters, maximizing their gain across successive flash loan transactions.

In this case, the missing ACL vulnerability allegedly facilitated the manipulation of GPC prices in the PancakeSwap (0x12da) pool, resulting in estimated losses of approximately $130,000.
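The following is an added illustration, not MSCST's actual code: a hypothetical, simplified reward contract whose releaseReward() has the same missing-access-control defect described above, beside a hardened version that restricts the caller and limits releases to one per block. The contract names, the `distributor` role and the one-per-block rule are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reward vault; the real MSCST code is not reproduced here.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract RewardVaultVulnerable {
    IERC20 public immutable rewardToken;
    mapping(address => uint256) public released;

    constructor(IERC20 token) { rewardToken = token; }

    // BUG: no access control. Any address, including an attacker's contract
    // running inside a flash loan transaction, can trigger a release and
    // steer the reward flow, which is the defect the article describes.
    function releaseReward(address to, uint256 amount) external {
        released[to] += amount;
        require(rewardToken.transfer(to, amount), "transfer failed");
    }
}

contract RewardVaultHardened {
    IERC20 public immutable rewardToken;
    address public immutable distributor; // the only caller allowed to release
    mapping(address => uint256) public released;
    uint256 public lastReleaseBlock;

    event RewardReleased(address indexed to, uint256 amount);

    constructor(IERC20 token, address _distributor) {
        rewardToken = token;
        distributor = _distributor;
    }

    modifier onlyDistributor() {
        require(msg.sender == distributor, "not distributor");
        _;
    }

    // FIX 1: only the trusted distributor may release rewards.
    // FIX 2: at most one release per block, a defense-in-depth limit on the
    //        same-block sequencing that flash loan attacks rely on.
    function releaseReward(address to, uint256 amount) external onlyDistributor {
        require(block.number > lastReleaseBlock, "one release per block");
        lastReleaseBlock = block.number;
        released[to] += amount;
        require(rewardToken.transfer(to, amount), "transfer failed");
        emit RewardReleased(to, amount);
    }
}
```

The emitted RewardReleased event also gives monitoring tools such as the on-chain alerting mentioned above a concrete signal to watch for unexpected release volume.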

Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.