CS Token Hack Analysis

CS Token Hack Analysis

Overview:

On May 24, 2023, CS Token was hacked due to business logic vulnerability, leading to an approximate loss of 714K USD

Smart Contract Hack Overview:

• Attackers address: 0x2cdeee
• Vulnerable contract: 0x8BC6Ce
• Attackers Transaction: 0x906394

Decoding the Smart Contract Vulnerability:

• The root cause was that in _transfer(), the burnAmountis calculated from sellAmount, but the issue is that sellAmountwas not updated.

• The attacker borrowed BSC-USD via flashloan and swapped it into $CS.
• The attacker sold 3,000 $CS, which set the sellAmount. By transferring to themselves, the attacker triggered sync(), where the sellAmount from the previous step was used, and the function burned $CS in the pair.

• After the sync(), the sellAmountwas set to 0.
• As a result, the attacker borrowed 80,000,000 BSC-USD, swapped for 80,954,000 BSC-USD, repaid 80,240,000 BSC-USD, and profited 714,000 BSC-USD.

Mitigation and Best Practices:

• Always validate your code by writing comprehensive test cases that cover all the possible business logic.
• To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
• Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord