Bankroll Network hacked

The victim contract is a token sale contract with functions for buying and selling tokens. To buy tokens, users send WBNB to the pool, and part of that WBNB is taken as a fee (a reward to liquidity providers).

That fee is what increases “profitPerShare_” whenever a user buys tokens. The root cause of the hack is the “buyFor” function, which buys tokens on behalf of another user.

If “_customerAddress” is set to the victim contract's own address, anyone can increase “profitPerShare_” without supplying any WBNB.

The hacker bought some tokens before the attack, then called “buyFor” hundreds of times. Once “profitPerShare_” had grown far beyond its previous value, he was able to take out much more WBNB by calling the “withdraw” function.

He gained $230k.
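The accounting failure described above, as an added model (this is not Bankroll Network's contract, whose code is not on this page): a simplified share/dividend pool with a buy_for entry point that distributes a fee slice through profit_per_share, the same pattern the post names. The fee rate, fixed-point scale, one-share-per-WBNB pricing, account names and balances are all assumptions made for the model. Switching reject_self_buy off reproduces the flaw: buying "for" the pool itself moves no new WBNB in, yet profit_per_share still rises, so dividends owed to outside holders exceed the fees that actually funded them. The invariant_holds check is the kind of property a reviewer or an on-chain monitor would want to assert.

```python
# Added illustration of the profitPerShare_/buyFor accounting pattern.
# Not the Bankroll Network code; every parameter below is an assumption.
from dataclasses import dataclass, field

FEE_BPS = 1_000       # assumption: 10% of every buy is distributed as dividends
MAGNITUDE = 2 ** 64   # fixed-point scale for profit_per_share


@dataclass
class DividendPool:
    address: str = "POOL"
    reject_self_buy: bool = True       # False reproduces the vulnerable behaviour
    wbnb: dict = field(default_factory=dict)        # WBNB balances, pool included
    shares: dict = field(default_factory=dict)
    payouts_to: dict = field(default_factory=dict)  # per-holder correction term
    total_shares: int = 0
    profit_per_share: int = 0          # scaled by MAGNITUDE
    fees_collected: int = 0            # dividends actually funded by outside WBNB

    def _bal(self, who):
        return self.wbnb.get(who, 0)

    def buy_for(self, customer, amount):
        """Buy shares for `customer`, paying `amount` WBNB from customer's balance."""
        if self.reject_self_buy and customer == self.address:
            raise ValueError("customer may not be the pool itself")
        if self._bal(customer) < amount:
            raise ValueError("insufficient WBNB")
        # Move WBNB from customer into the pool. When customer == pool this is a
        # self-transfer: no new WBNB enters, but the fee is still distributed.
        self.wbnb[customer] = self._bal(customer) - amount
        self.wbnb[self.address] = self._bal(self.address) + amount
        fee = amount * FEE_BPS // 10_000
        if customer != self.address:
            self.fees_collected += fee
        if self.total_shares > 0:
            self.profit_per_share += fee * MAGNITUDE // self.total_shares
        minted = amount - fee   # assumption: one share per net WBNB
        self.shares[customer] = self.shares.get(customer, 0) + minted
        self.total_shares += minted
        # Standard correction so newly minted shares do not earn past dividends.
        self.payouts_to[customer] = self.payouts_to.get(customer, 0) + self.profit_per_share * minted

    def dividends_of(self, who):
        owed = self.profit_per_share * self.shares.get(who, 0) - self.payouts_to.get(who, 0)
        return owed // MAGNITUDE

    def withdraw(self, who):
        amount = self.dividends_of(who)
        self.payouts_to[who] = self.payouts_to.get(who, 0) + amount * MAGNITUDE
        self.wbnb[self.address] = self._bal(self.address) - amount
        self.wbnb[who] = self._bal(who) + amount
        return amount

    def external_claimable(self):
        return sum(self.dividends_of(h) for h in self.shares if h != self.address)

    def invariant_holds(self):
        """Dividends owed to outside holders must never exceed fees they funded."""
        return self.external_claimable() <= self.fees_collected


def run_scenario(reject_self_buy, self_buys=100):
    """Honest buyer first, then a caller who takes a position and repeatedly
    names the pool itself as customer. Returns the pool and the number of
    self-buys the pool accepted."""
    pool = DividendPool(reject_self_buy=reject_self_buy)
    pool.wbnb = {"alice": 1_000, "attacker": 100, pool.address: 0}  # constructed balances
    pool.buy_for("alice", 1_000)
    pool.buy_for("attacker", 100)
    accepted = 0
    for _ in range(self_buys):
        try:
            pool.buy_for(pool.address, 500)  # no WBNB of the caller's own is spent
            accepted += 1
        except ValueError:
            break
    return pool, accepted


if __name__ == "__main__":
    for flag in (False, True):
        pool, n = run_scenario(reject_self_buy=flag)
        print(f"reject_self_buy={flag}: self-buys accepted={n}, "
              f"attacker dividends={pool.dividends_of('attacker')}, "
              f"funded fees={pool.fees_collected}, invariant={pool.invariant_holds()}")
```

The guard in buy_for is the minimal fix for this specific flaw; a more robust design ties every profit_per_share increase to a WBNB transfer that the pool can verify actually increased its balance, so that no code path can credit dividends that were never paid in.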

