How Was ASKACR Token Exploited?


Learn how the ASKACR token was exploited due to a logic error, resulting in a loss of 85 BNB.


On March 21, 2023, the ASKACR Token on BNB Chain was exploited, resulting in a total loss of 85 BNB, worth approximately $28,400.

Introduction to ASKACR Token

$ASKACR is a token on BNB Chain.

Vulnerability Assessment

The attack was possible because of a flaw in the way rewards are distributed by the transfer function, which operates without checking the transfer amount.


Step 1:

We attempted to analyze the attack transaction executed by the exploiter.

Step 2:

The _transfer function contains logic that calls the contract's _beforeTokenTransfer function.

Step 3:

This function in turn calls the contract's _lpShare function.

Step 4:

In the transfer logic, the function checks for the sender address in the 'from' parameter, the receiver address in the 'to' parameter, and the corresponding amount to be transferred in the 'amount' parameter.

However, in the _lpShare function, the token provides rewards to the LP holders of the BSCUSD-ASKACR pair without checking the transfer amount.

Step 5:

Thus, the exploiter created multiple attack contracts and frequently transferred the liquidity to ensure that the 'to' address holds LP tokens.

Step 6:

The attacker used the same LP tokens and transferred 0 $ASKACR tokens to mint and distribute $ASKACR tokens to the 'to' address in order to take away their share of profits.


Following the attack, the price of the $ASKACR token dropped by more than 99%.


It is critical to understand that no security measure is perfect, but implementing a few strategies can greatly reduce the risk of all such attacks on DeFi protocols.

One of the most effective ways to mitigate the possible exploit arising from logic-based errors is to thoroughly test the smart contract using every aspect of testing, such as unit testing, integration testing, functional testing, etc. This helps identify any potential issues before the contract is deployed.
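The kind of unit test described above, written as an added example against a simplified Python model of the transfer hook (not the ASKACR contract source or the project's code). The class, the flat and proportional reward sizes, and the account names are assumptions made for illustration; the invariant checked is that a transfer never mints more reward than a fixed fraction of the amount moved.

```python
# Simplified model, constructed for illustration; not the ASKACR contract source.
FLAT_REWARD = 10      # assumed: vulnerable hook mints this per transfer
REWARD_BPS = 100      # assumed: hardened hook mints 1% of the amount moved


class RewardToken:
    def __init__(self, hardened):
        self.hardened = hardened
        self.balances = {}
        self.lp_balances = {}  # LP-token holdings per address
        self.total_supply = 0

    def mint(self, to, amount):
        self.balances[to] = self.balances.get(to, 0) + amount
        self.total_supply += amount

    def _lp_share(self, to, amount):
        if self.lp_balances.get(to, 0) == 0:
            return  # only LP holders are rewarded
        if self.hardened:
            reward = amount * REWARD_BPS // 10_000  # 0 for a zero transfer
        else:
            reward = FLAT_REWARD  # the transfer amount is never consulted
        self.mint(to, reward)

    def _before_token_transfer(self, sender, to, amount):
        self._lp_share(to, amount)

    def transfer(self, sender, to, amount):
        if amount < 0 or self.balances.get(sender, 0) < amount:
            raise ValueError("invalid amount")
        self._before_token_transfer(sender, to, amount)
        self.balances[sender] = self.balances.get(sender, 0) - amount
        self.balances[to] = self.balances.get(to, 0) + amount


def invariant_violations(hardened, amounts=(0, 1, 5_000)):
    """Return the transfer amounts for which minted rewards exceed the cap."""
    token = RewardToken(hardened)
    token.mint("sender", sum(amounts))
    token.lp_balances["lp_holder"] = 1  # constructed LP position
    bad = []
    for amount in amounts:
        before = token.total_supply
        token.transfer("sender", "lp_holder", amount)
        minted = token.total_supply - before
        if minted > amount * REWARD_BPS // 10_000:
            bad.append(amount)
    return bad
```

Including a dust amount (1) alongside 0 shows why a bare "amount must be non-zero" check is weaker than tying the reward to the amount transferred.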

Additionally, many formal verification tools can also be used to ensure that the smart contract behaves as it is intended to.

Independent third-party auditors should conduct regular smart contract audits to identify vulnerabilities and recommend mitigation strategies. This can aid in identifying and addressing potential attack vectors before they are exploited by attackers.

We may not have prevented the occurrence of this hack; however, the impact or aftermath of this attack could have been significantly reduced if the team associated with ASKACR Token had set up a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.

Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum and Arbitrum.

Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.

Reference source: BlockSec