Victim contract has exchange functionality, but it gets exchange rate using pancakeswap v2 pair.

This can be easily manipulated by exchanging huge amount of tokens on pancake swap. Hacker exchanged almost all DCF token in victim contract to BUSD. Then, exchanged huge amount of BUSD to DCF on pancakeswap, exchange rate manipulated.

After that, he exchanged gained almost all BUSD in victim contract using a few DCF tokens. Total loss is about $9k.
Leave a Reply