Moonwell, a lending project forked from Compound, was hacked because of an improper input check.
There are several Moonhacker contracts that can be used for smart supply and borrow. The “executeOperation” function does not check its input data, so the hacker was able to pass in his own contract as the mToken contract.
If he provides his contract as the mToken, the Moonhacker contract approves its tokens to that contract.
Then he could move all the tokens to his contract. The total loss is about $320k.
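The missing check, shown as an added example (not the Moonhacker source): a callback that only approves an mToken the owner has allowlisted, and only for the exact amount. The contract name, the simplified `executeOperation` signature, the `trustedCaller` and `allowedMToken` fields and the params encoding are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IMToken { // Compound-style market interface
    function underlying() external view returns (address);
    function mint(uint256 amount) external returns (uint256); // 0 means success
}

/// Hypothetical, simplified contract; not the project's code.
contract GuardedSupplier {
    address public immutable owner;
    address public immutable trustedCaller;        // only this address may invoke the callback
    mapping(address => bool) public allowedMToken; // markets vetted by the owner

    constructor(address _trustedCaller) {
        owner = msg.sender;
        trustedCaller = _trustedCaller;
    }

    function setMToken(address mToken, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedMToken[mToken] = allowed;
    }

    // Flawed pattern described in the post, for contrast:
    //   address mToken = abi.decode(params, (address));
    //   IERC20(token).approve(mToken, amount); // spender is whatever the caller supplied

    function executeOperation(address token, uint256 amount, bytes calldata params)
        external
        returns (bool)
    {
        require(msg.sender == trustedCaller, "untrusted caller");
        address mToken = abi.decode(params, (address));
        require(allowedMToken[mToken], "mToken not allowlisted");
        require(IMToken(mToken).underlying() == token, "underlying mismatch");

        IERC20 asset = IERC20(token);
        require(asset.approve(mToken, amount), "approve failed");
        require(IMToken(mToken).mint(amount) == 0, "mint failed");
        require(asset.approve(mToken, 0), "reset failed"); // leave no standing allowance
        return true;
    }
}
```

With the allowlist in place, an address taken from `params` can never become an approved spender unless the owner registered it first.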