TL;DR#
On April 8, 2024, the SQUID Game Coin was exploited on the BNB chain due to a smart contract vulnerability, which resulted in a loss of assets worth approximately $87,000.
Introduction to SQUID Game#
Squid Game (SQUID) is a meme token on the BNB chain.
Vulnerability Assessment#
The root cause of the exploit is a faulty logic design within their swap contract.
Steps#
Step 1:
We attempt to analyze the attack transaction executed by the exploiter.
Step 2:
In the exploited contracts, there are functions for swapping old tokens for new tokens and vice versa.
Step 3:
The attacker took a flash loan of 10,000 WBNB, swapped them for 163,138,366 SQUID tokens, and then proceeded to send these tokens to the affected SquidTokenSwap contracts.
Step 4:
Within the SquidTokenSwap contract, the sellSwappedTokens function swaps the old tokens to the new tokens using PancakeSwap, allowing for arbitrage opportunities.
function sellSwappedTokens(uint256 sellOption) external nonReentrant lock {
require(swapEnabled, "Swap is not enabled yet");
uint256 sellAmount;
// uint256 sellAmount = totalSwappedToSell > 500000 ether ? 500000 ether : totalSwappedToSell;
if (sellOption == 1) {
sellAmount = totalSwappedToSell > ALTERNATIVE_SELL_AMOUNT ? ALTERNATIVE_SELL_AMOUNT : totalSwappedToSell;
} else {
sellAmount = totalSwappedToSell > DEFAULT_SELL_AMOUNT ? DEFAULT_SELL_AMOUNT : totalSwappedToSell;
}
require(sellAmount > 0, "No tokens to sell");
uint256 squidV2BalanceBefore = newSquidToken.balanceOf(address(this));
// Set slippage to 5%
uint256 minOut = getMinOut(sellAmount);
// Approve the router to spend SQUID V1
oldSquidToken.approve(address(pancakeRouter), sellAmount);
address[] memory path = new address[](3);
path[0] = address(oldSquidToken);
path[1] = addressWBNB;
path[2] = address(newSquidToken);
pancakeRouter.swapExactTokensForTokensSupportingFeeOnTransferTokens(
sellAmount,
minOut, // Min amount out after slippage
path,
address(this),
block.timestamp
);
// Update totalSwappedToSell
totalSwappedToSell -= sellAmount;
// Calculate the amount of new SQUID V2 to burn
uint256 newSquidBalance = newSquidToken.balanceOf(address(this));
uint256 burnSquidV2Amount = newSquidBalance - squidV2BalanceBefore;
// Assuming SQUID V2 has a burn function or sending to a dead address
// newSquidToken.burn(newSquidBalance); // Implement if burn function exists
// newSquidToken.transfer(0x000000000000000000000000000000000000dEaD, burnSquidV2Amount); // Send to dead address to "burn"
if (burnSquidV2Amount > 0) {
// Burn the SQUID V2 tokens by transferring to a dead address
newSquidToken.transfer(0x000000000000000000000000000000000000dEaD, burnSquidV2Amount);
}
}
Step 5:
The hacker leveraged this opportunity to repeatedly invoke a call to this function until there were no further tokens to sell.
Step 6:
The borrowed flash loan was repaid, and the attacker was able to retain 145.84 BNB from these trades.
Aftermath#
The team acknowledged the occurrence of the exploit and stated that they would be working to understand its full scope and implement the most effective solutions. Reportedly, they identified the V2 PancakeSwap pair contract was used to exploit the swap process in a manner that was not intended according to their design. The associated contract address was subsequently blacklisted from interacting with their swap mechanism.
The wallet used by the attacker was funded through a Binance hot wallet, therefore they have further reached out to the Binance Security Team with hopes to gain assistance in identifying the attacker.
Solution#
To address and prevent the exploit that occurred with the SQUID Game Coin, it is essential to ensure that comprehensive security audits are conducted by reputable third-party security firms before deployment. These audits should focus on identifying vulnerabilities related to such logic errors. Additionally, periodic audits and code reviews should be scheduled post-deployment, especially after significant updates or changes to the smart contract.
Improving smart contract design is also crucial. Implementing strict limits on the number of tokens that can be swapped within a single transaction or block can reduce the potential impact of an exploit. Introducing a time delay for critical functions can help prevent immediate exploitation and provide a window for action in the event of suspicious activities.
Despite having strong security measures, there remains a possibility that vulnerabilities might be exploited. In these scenarios, the significance of Neptune Mutual is paramount. By setting up a dedicated cover pool with Neptune Mutual, the adverse effects of events akin to the SQUID Game Coin exploit can be substantially minimized. Neptune Mutual specializes in offering coverage for losses due to smart contract vulnerabilities and employs parametric policies designed specifically for these distinct risks.
Collaborating with Neptune Mutual simplifies the recovery process for users by reducing the requirement for extensive proof of loss documentation. Once an incident is confirmed and resolved through our detailed incident resolution protocol, our focus shifts to promptly delivering compensation and financial support to those impacted. This approach guarantees rapid assistance for users affected by such security breaches.
Our coverage extends across multiple key blockchain platforms, including Ethereum, Arbitrum, and the BNB chain, thereby providing broad support to various DeFi users. This wide-ranging coverage enhances our ability to safeguard against diverse vulnerabilities, increasing the overall safety of our varied client base.
Reference Source Cyvers
