
Banana Token Hack Analysis

Overview:

On September 11, 2023, BANANA, the newly launched native token of the Telegram bot Banana Gun, suffered a huge price drop due to a business-logic vulnerability, falling from a peak of $8.70 to $0.02 in less than 3 hours after launch.

Fig: Banana Token price chart since inception

Smart Contract Hack Overview:

Vulnerable Contract: 0xccf5cf

Decoding the Smart Contract Vulnerability:

  • The vulnerability stems from a flaw in the token’s _transfer() function: because of an ordering error in the calculation, the fee is never actually deducted from the sender.
  • As a consequence, the contract effectively mints tokens equal to the fee and credits them to its own address on every transaction.
  • The issue arises from the presence of “amount = amount - fees”, which should not be in the code.
  • Before any modification to the “amount” variable, “senderBalance - amount” was the correct expression.
  • To rectify this, the subsequent line of code should be “_balances[to] += amount - fees”.
Fig: Root cause of the vulnerability

In effect the contract tells the sender, “We’ll allow you to retain the fee,” and simply prints the fee to the treasury instead of subtracting it from the seller’s balance. Here’s an example of how it works:

  • Initially, the “from” balance is calculated as 1000 - (1000 - 100) = 900.
  • The “to” balance is increased by 900.
  • The treasury receives a boost of 100 tokens.
  • The total change is 100 (from) + 900 (to) + 100 (treasury) = 1100 tokens.
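The accounting error above, as an added Python model that is not the Banana contract’s code: the buggy and corrected _transfer() sequences side by side, plus the supply invariant (sum of balances equals totalSupply) that a test suite should assert on. The 10% fee, the account names and the 1000-token scenario are constructed assumptions.

```python
# Added example: models the fee-on-transfer accounting described above.
FEE_BPS = 1000  # constructed assumption: 10% fee, in basis points


def _fee(amount: int) -> int:
    return amount * FEE_BPS // 10_000


def transfer_buggy(balances: dict, sender: str, to: str, treasury: str, amount: int) -> None:
    """Flawed sequence: 'amount' is reduced by the fee BEFORE the sender is
    debited, so the sender loses only the post-fee amount while the fee is
    still credited to the treasury. Net effect: supply grows by 'fees'."""
    fees = _fee(amount)
    amount = amount - fees                                  # the line that should not exist
    sender_balance = balances[sender]
    assert sender_balance >= amount, "insufficient balance"
    balances[sender] = sender_balance - amount              # debits 900 instead of 1000
    balances[to] = balances.get(to, 0) + amount             # credits 900
    balances[treasury] = balances.get(treasury, 0) + fees   # 100 tokens created out of nothing


def transfer_fixed(balances: dict, sender: str, to: str, treasury: str, amount: int) -> None:
    """Corrected order: debit the full amount from the sender, then split it
    between the recipient (amount - fees) and the treasury (fees)."""
    fees = _fee(amount)
    sender_balance = balances[sender]
    assert sender_balance >= amount, "insufficient balance"
    balances[sender] = sender_balance - amount
    balances[to] = balances.get(to, 0) + amount - fees
    balances[treasury] = balances.get(treasury, 0) + fees


def supply_drift(balances: dict, total_supply: int) -> int:
    """Invariant a unit or fuzz test should check after every transfer:
    0 means no hidden inflation, a positive value means tokens were minted."""
    return sum(balances.values()) - total_supply


def run_scenario(transfer) -> tuple:
    """Constructed scenario: alice holds the whole 1000-token supply and sends
    1000 to bob. Returns (alice, bob, treasury, drift) after the transfer."""
    total_supply = 1000
    balances = {"alice": 1000}
    transfer(balances, "alice", "bob", "treasury", 1000)
    return (balances["alice"], balances["bob"], balances["treasury"],
            supply_drift(balances, total_supply))


if __name__ == "__main__":
    print("buggy:", run_scenario(transfer_buggy))   # (100, 900, 100, 100)
    print("fixed:", run_scenario(transfer_fixed))   # (0, 900, 100, 0)
```

The buggy run reproduces the 100 + 900 + 100 = 1100 balance total from the walkthrough above, and the drift of 100 is exactly the fee that was never taken from the sender.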

Mitigation and Best Practices:

  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Fig: SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
