Mosca on BSC was hacked because of wrong balance calculation.
As you can see in picture, withdraw balance is calculated by user.balance + user.balanceUSDT + user.balanceUSDC.
But after “withdrawAll()”, only user.balance is set 0, USDT and USDC balance not changed, this means anyone can withdraw tokens several times if USDT or USDC balance is not 0 and rewardQueue is not empty.
To increase USDC balance, hacker called “buy” function, and called “join” function before “exitProgram” to push into rewardQueue.
He repeated this step multiple times, gained $19k. There were several hacking attack on this contract.
Leave a Reply