Author: nick

In “transfer” function, if to address is 0x0, balance of sender is reduced 2 times, wrong logic. Hacker transferred some iVest tokens to uniswap pair, called skim(0x0), sync(). Because of wrong transfer, balance of pair was very small after repeating this step 3 times. Then, he could get almost all WBNB using a few iVest…

Root cause is bad exchange rate of VOW and vUSD token. Maybe this is due to mistake of team. Before hacking exchange rate was 5. Hacking happened in block 20519309, and exchange rate was set to 100 in block 20519307. https://t.co/HQX1ivaC8u After hacking, in block 20519316, they changed exchange rate to 5 again. https://t.co/um2qfNgJdq Hacker…

“transferFee” function has really basic vulnerability. who made this router?

Root cause is old oracle that hasn’t updated for a long time. In hacking, he transferred some tokens into cToken because of borrow rate.

Victim contract doesn’t check if msg.sender is valid in “uniswapV3Callback” function.

Root cause is in “burn()” function. “burn()” function decreases balance of uniswap pair. To bypass first line, he bought 1 wei of token hundreds of time, and then called “burn()” function. Hacker gained $900. 😁

Root cause is in price calcualtion. As you can see, price is calculated by amount of tokens in LP, but this can be maniupulated easily. Hacker could manipulate this price by transfering tokens into LP,after that he used “skim” to get tokens.

There’s no reenctrance check in code.

There was vulnerability in repay adapter contract. In swapAndRepay function, it approves tokens to Paraswap router. But if swap is not performed using approved token, allowance is not decreased. Using this hacker let victim contract approve tokens to paraswap router, and then moved those tokens to himself. If you want more detail, dm me or…