Before a project goes live, a third-party professional auditing firm needs to conduct a smart contract audit.
Author: SharkTeam
Cover: Photo by Markus Spiske on Unsplash
On April 19, 2024, Hedgey Finance suffered multiple attack transactions, resulting in losses of over $2 million.
SharkTeam immediately conducted a technical analysis of the incident and summarized security precautions, hoping that subsequent projects can learn from this experience and jointly build a security defense line for the blockchain industry.
I. Attack on Transactions
Hedgey Finance was attacked multiple times by various attackers who exploited a token approval vulnerability to steal a large number of tokens from the ClaimCampaigns contract.
For example, the largest transaction involved approximately $1.3 million:
Attack transaction: 0x2606d459a50ca4920722a111745c2eeced1d8a01ff25ee762e22d5d4b1595739
Attacker: 0xded2b1a426e1b7d415a40bcad44e98f47181dda2
Attack contract: 0xc793113f1548b97e37c409f39244ee44241bf2b3
Target contract: 0xbc452fdc8f851d7c5b72e1fe74dfb63bb793d511 (ClaimCampaigns)
The transaction directly transferred 1,303,910.12 USDC from the ClaimCampaigns contract. Transaction details are as follows:
The actual transaction that launched the attack was
0xa17fdb804728f226fcd10e78eae5247abd984e0f03301312315b89cae25aa517 (abbreviated as 0xa17f)
The attack process is as follows:
1. Flash loan of 1.305M USDC from Balancer.
2. Call the `createLockedCampaign` function in the `ClaimCampaigns` contract. In this function, the attacking contract deposits 1.305M USDC into the `ClaimCampaigns` contract, and then the `ClaimCampaigns` contract approves the transferred 1.305M USDC for the attacking contract's use.
3. The `cancelCampaign` function in the `ClaimCampaigns` contract is called. In this function, the attacking contract withdraws the deposited 1.305M USDC, but the USDC approved for the attacking contract in the `createLockedCampaign` function is not cancelled.
4. Attack the contract to repay Balancer's flash loan.
In this transaction, after the attacking contract withdraws 1.305M USDC from the ClaimCampaigns contract, the 1.305M USDC approved by the ClaimCampaigns contract for the attacking contract is not cancelled. Therefore, the attacking contract can directly call the USDC transferFrom function to transfer another 1.305M USDC from the ClaimCampaigns contract. This is the functionality achieved by transaction 0xa17fdb804728f226fcd10e78eae5247abd984e0f03301312315b89cae25aa517.
Through these two transactions, the attacker stole 1.305M USDC from the ClaimCampaigns contract.
In addition to USDC, the attacker also stole a large number of NOBL tokens from the ClaimCampaigns contract using this vulnerability, bringing the total value, including USDC, to over $2 million.
II. Vulnerability Analysis
The root cause of this incident is a token approval vulnerability in the implementation logic of the project's smart contract, which allows attackers to repeatedly transfer tokens approved by the target contract to msg.sender.
The createLockedCampaign function of the smart contract ClaimCampaigns will store msg.sender's tokens into the target contract and approve these tokens for msg.sender.
The cancelCampaign function will retrieve the deposited tokens, but it will not cancel the token approval.
Attackers exploit this vulnerability to directly call the Token's transferFrom function to transfer the approved tokens back from the target contract.
III. Safety Recommendations
In response to this attack, we should follow these precautions during development:
(1) During the design and development of the project, the integrity and rigor of the logic must be maintained. In particular, when transferring assets, the number of tokens approved at the same time should be ensured to avoid the situation where the tokens are transferred but the approval is not cancelled.
(2) Before the project goes live, a third-party professional auditing company needs to conduct a smart contract audit.
Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests and do not reflect the position of Web3Caff. The information contained in the articles is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.
