DCF Token Hack Analysis
Overview:
On November 24, 2024, the DCF token on Binance Smart Chain (BSC) was exploited due to a critical flaw in its transfer mechanism, leading to estimated losses of over $428K USD.
Smart Contract Hack Overview:
Attacker address: 0x00c584
Vulnerable contract: 0xa7e923
Attack Transaction: 0xb37593

Decoding the Smart Contract Vulnerability:
- The DCF token’s transfer function had a flaw where, when DCF tokens were sent to the USDT-DCF liquidity pool address, 5% of the tokens were automatically converted into USDT and added to the USDT-DCT liquidity pool.
- This automatic conversion and liquidity addition triggered a swap in the PancakeSwap pool, allowing an attacker to manipulate the price of the DCT token.

- The attacker borrowed a large amount of USDT, exchanged it for DCF and DCT tokens, and then transferred DCF to the PancakeSwap liquidity pool, adding liquidity and triggering the price manipulation mechanism.
- The attacker gained an inflated amount of DCT tokens through the manipulated price and exchanged these tokens for USDT, making a huge profit.
- Due to an unnecessary burn function in the contract, the PancakeSwap liquidity pair lost nearly all of its DCF tokens, amplifying the overall damage from the exploit.
Mitigation and Best Practices:
- Ensure that liquidity-adding functions, such as those involving swaps and token conversions, are not automatically triggered by simple transfers. Introducing additional validation before executing these functions can prevent unauthorized manipulation.
- Always validate your code by writing comprehensive test cases that cover all the possible business logic.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Our public audit reports can be found on https://github.com/Credshields/audit-reports. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 225+ detections at SolidityScan.
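As an added illustration (not the DCF contract's code), the transfer-hook pattern described above beside a hardened form that follows the first mitigation bullet: the hook no longer swaps on plain transfers, and conversion moves into a permissioned, guarded, capped call. It assumes OpenZeppelin ERC20 v5's `_update` hook and leaves the router swap and liquidity add behind an abstract `_swapAndLiquify`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative only, not the DCF contract. Assumes OpenZeppelin ERC20 v5's
// _update hook; _swapAndLiquify stands in for the router swap + addLiquidity.
import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

abstract contract FeeTokenBase is ERC20 {
    address public immutable pair; // DEX pair address (assumed set at deploy)
    constructor(address pair_) ERC20("Demo", "DEMO") { pair = pair_; }
    // Sells `amount` fee tokens for the quote asset and adds liquidity.
    function _swapAndLiquify(uint256 amount) internal virtual;
}

// Vulnerable pattern: a plain transfer to the pair runs a swap and a liquidity
// add inside the sender's own transaction, so the pool price moves mid-call.
abstract contract VulnerableToken is FeeTokenBase {
    function _update(address from, address to, uint256 amount) internal override {
        if (to == pair && from != address(this)) { // skip the contract's own sells
            uint256 fee = amount * 5 / 100;
            super._update(from, address(this), fee);
            _swapAndLiquify(fee); // swap + addLiquidity triggered by a transfer
            amount -= fee;
        }
        super._update(from, to, amount);
    }
}

// Hardened pattern: transfers only collect the fee; conversion happens in a
// separate, permissioned, reentrancy-guarded, capped call no transfer triggers.
abstract contract HardenedToken is FeeTokenBase {
    address public immutable operator;
    uint256 public constant MAX_PROCESS = 1_000e18; // per-call ceiling (assumed)
    bool private inSwap;
    constructor(address operator_) { operator = operator_; }

    function _update(address from, address to, uint256 amount) internal override {
        if (to == pair && !inSwap) {
            uint256 fee = amount * 5 / 100;
            super._update(from, address(this), fee); // hold the fee, do not swap
            amount -= fee;
        }
        super._update(from, to, amount);
    }

    function processFees(uint256 amount) external {
        require(msg.sender == operator, "not operator");
        require(!inSwap && amount <= MAX_PROCESS, "bad call");
        require(amount <= balanceOf(address(this)), "insufficient fees");
        inSwap = true;
        _swapAndLiquify(amount);
        inSwap = false;
    }
}
```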

Conclusion:
SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord