Decoding Sheep Farm Smart Contract Hack


The Sheep Farm project was attacked by a hacker, resulting in the loss of around 262 $BNB.

TL;DR

On November 15, 2022, the Sheep Farm project was attacked by a hacker resulting in the loss of approximately 262 $BNB tokens worth $72,000.

Introduction to Sheep Farm

Sheep Farm is an investment blockchain game on the BNB chain.

Vulnerability Assessment

The root cause of the attack is a vulnerability in one of the SheepFarm contract's functions, which could be called multiple times to increase the gems yield.

Steps

Step 1:

We investigated one of the attack transactions carried out by the hacker.



Step 2:

The vulnerability existed in the register function of the SheepFarm contract.



Step 3:

This function validates a user's timestamp to verify if they are a new user.

Step 4:

However, it doesn't update the timestamp after the user registration is completed.



Step 5:

The attacker invoked this function multiple times to increase their own gems value.



Step 6:

They used the upgradeVillage function to accumulate yield while consuming gems properties.



Step 7:

The sellVillage function of the contract was called to convert the yield to money.



Step 8:

Finally, they converted the funds into $BNB tokens and withdrew them using the withdrawMoney function.
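The missing state update described in Steps 3 and 4, shown beside its fix. This is an added example, not the SheepFarm contract's own code: the struct layout, the `GEM_BONUS` value and the contract names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified model for illustration; field names, GEM_BONUS and the
// contract names are assumptions, not the SheepFarm source.
abstract contract FarmBase {
    struct Village {
        uint256 gems;
        uint256 timestamp; // 0 means "never registered"
    }

    uint256 internal constant GEM_BONUS = 10; // constructed value
    mapping(address => Village) public villages;
    uint256 public totalVillages;
}

// Before: the new-user check reads timestamp, but nothing writes it,
// so the check passes on every call and the bonus is credited again.
contract RegisterUnchecked is FarmBase {
    function register() external {
        Village storage v = villages[msg.sender];
        require(v.timestamp == 0, "just new users");
        totalVillages++;
        v.gems += GEM_BONUS;
        // missing: v.timestamp = block.timestamp;
    }
}

// After: the flag the check depends on is written in the same call,
// so a second register() from the same address reverts.
contract RegisterOnce is FarmBase {
    event Registered(address indexed user, uint256 gems);

    function register() external {
        Village storage v = villages[msg.sender];
        require(v.timestamp == 0, "already registered");
        v.timestamp = block.timestamp; // mark as registered first
        totalVillages++;
        v.gems += GEM_BONUS;
        emit Registered(msg.sender, v.gems);
    }
}
```

A regression test for this class of bug calls `register()` twice from one address and expects the second call to revert.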

Aftermath

Following the incident, the team put their platform into maintenance mode.

How to Prevent Such an Attack Vector

The vulnerability assessment revealed that the attack's root cause lay in a weakness present within one of the functions of the SheepFarm contract. This vulnerability allowed the attacker to exploit the system by calling this function multiple times, thereby artificially increasing the yield of gems.

To prevent such an exploit, thorough validation techniques are imperative to identify and rectify all potential attack vectors. It is incumbent upon project teams to engage in comprehensive audit procedures, enlisting multiple blockchain security firms to ensure robust protection against occurrences of this nature.

In scenarios like this, Neptune Mutual also emerges as a pivotal player. Had the team associated with SheepFarm established a dedicated cover within Neptune Mutual, the impact or aftermath of the attack could have been significantly reduced. Users who purchase our parametric cover policies do not need to provide evidence of their loss to receive payouts. Once an incident is confirmed and resolved through our incident resolution system, payouts can be claimed immediately.

Our security team specializes in validating platforms across various dimensions, encompassing DNS and web-based security, smart contract reviews, and meticulous assessments of both frontend and backend security. We offer a comprehensive solution that involves scanning your platform rigorously and strengthening its defenses against known and unforeseen vulnerabilities with the potential for far-reaching and detrimental consequences. If you are truly committed to security and possess the financial means, desire, and sense of responsibility, we urge you to initiate contact via social media to fortify your protocol.

Reference source BlockSec
