TL;DR#
On February 07, 2023, an attacker exploited LianGo protocol to steal funds worth approximately $1.62 million.
Introduction to LianGo Protocol#
LianGo $LGT, according to the team, is the first decentralized payment consumption mining business application agreement for web3.
Vulnerability Assessment#
The root cause of the vulnerability is the compromise of the private key associated with the address of the LGT Pool owner.
Steps#
Step 1:
The LP token address in the LGT Pool contract was modified due to the compromise of the private key.
Step 2:
After this, the owner of the LGT contract changed the LP token contract to this malicious contract, which was initially deployed on Jan 07, 2023 as seen from this transaction.
Step 3:
We attempted to analyze the attack transaction executed by the exploiter.
Step 4:
The LGT pool owner added a malicious pool containing fake LP tokens that is in the control of the attacker, allowing them to obtain an unlimited supply of fake LP tokens.
Step 5:
The attacker created a contract and then deposited 614,885,935,211,982,505,426,257,800,000,000 fake LP tokens, as viewed from the attack transaction.
Step 6:
The attacker minted 137,513,751,375,137,500,000,000 fake LP tokens to the LGT pool in order to increase the supply of the fake LP token.
Step 7:
The attacker invoked the withdraw function of the contract in order to drain 6,148,859.35 $LGT tokens from within the contract.
Step 8:
The attacker then used PancakeSwap to swap these $LGT tokens to BSC-USD.
Step 9:
At the time of this writing, the attacker controlled address has approximately $1,626,574 worth of funds.
Aftermath#
Following the incident, the price of the $LGT token fell by more than 90%, and was trading at $0.09427 at the time of writing.
Solution#
To limit such attacks to a greater extent, it is recommended to use hardware wallets to store private keys offline. Using multi-signature wallets can add an additional layer of security. Cold storage, which involves storing the private keys on a machine that is not connected to the internet, is also recommended, making them less vulnerable to phishing like attacks.
We may not have prevented the occurrence of this hack, however the impact or aftermath of this attack could have been significantly reduced if LianGo Protocol had set up a dedicated cover pool in the Neptune Mutual marketplace. We offer coverage to users who have suffered a loss of funds or digital assets occurring as a result of smart contract vulnerabilities owing to our parametric policies.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
Reference Sources CertiK, BlockSec
