$BNO Hack Analysis
Overview:
On July 18, 2023, $BNO suffered an attack on the Binance chain. A business logic issue led to a loss of ~500K USD.

Decoding the Smart Contract Vulnerability:
- The root cause of the attack was identified as an issue with the reward calculation mechanism within the pool that supported both NFT (Non-Fungible Token) and ERC20 token stakes.
- The pool had an “emergencyWithdraw” function that allowed users to withdraw their ERC20 token stakes instantly. However, crucially, this function did not process or account for NFT stake records.
- The attacker exploited this flaw by depositing both NFT and ERC20 tokens into the pool and then executing the “emergencyWithdraw” function specifically for their ERC20 tokens. By doing so, the attacker could bypass the reward calculation check, effectively manipulating the system to their advantage.
- As a result of this manipulation, the attacker was able to clear the “rewardDebt” of the user, gaining access to undeserved rewards and causing substantial financial damage to the pool and its users.
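
The accounting flaw described above, reduced to a Python model as an added example (it is not the BNO contract's code). It assumes a per-share reward accumulator in which NFT stakes add a weight to the same reward formula as ERC20 stakes; all names are hypothetical, and the `fixed` branch is one possible correction, not the project's actual patch.

```python
from dataclasses import dataclass

P = 10**12  # fixed-point scale for the per-share accumulator

@dataclass
class User:
    erc20: int = 0        # staked ERC20 amount
    nft_weight: int = 0   # stake weight credited for deposited NFTs (assumed)
    reward_debt: int = 0  # rewards already accounted for at the last update

class Pool:
    """Constructed model of per-share reward accounting."""
    def __init__(self, fixed):
        self.fixed, self.acc, self.total, self.users = fixed, 0, 0, {}

    def accrue(self, reward):
        if self.total:  # spread a reward over everything currently staked
            self.acc += reward * P // self.total

    def pending(self, who):
        u = self.users[who]
        return (u.erc20 + u.nft_weight) * self.acc // P - u.reward_debt

    def stake(self, who, erc20=0, nft_weight=0):
        u = self.users.setdefault(who, User())
        paid = self.pending(who)  # settle what was earned so far
        u.erc20 += erc20
        u.nft_weight += nft_weight
        self.total += erc20 + nft_weight
        # New stake earns from now on: the debt covers all past accrual.
        u.reward_debt = (u.erc20 + u.nft_weight) * self.acc // P
        return paid

    def emergency_withdraw(self, who):
        u = self.users[who]
        out, u.erc20 = u.erc20, 0
        self.total -= out
        # Flawed path zeroes the debt although the NFT stake record remains.
        u.reward_debt = u.nft_weight * self.acc // P if self.fixed else 0
        return out

def over_credit(fixed):
    """Pending rewards of a user who joined after all rewards had accrued."""
    pool = Pool(fixed)
    pool.stake("early", erc20=1000)
    pool.accrue(10_000)  # accrued before "late" holds any stake
    pool.stake("late", erc20=100, nft_weight=100)
    pool.emergency_withdraw("late")
    return pool.pending("late")  # invariant: must be 0
```

Asserting `over_credit(...) == 0` is the kind of cross-asset invariant a test suite for a mixed NFT/ERC20 pool should carry: the flawed path returns 1000, the corrected path returns 0.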

Mitigation and Best Practices:
- If a contract supports multiple token standards, ensure that the business logic and math for each token are accounted for and handled separately.
- Always validate your code by writing comprehensive test cases that cover all the possible business logic.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.

Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup