
$DEPUSDT and $LEVUSDC Hack Analysis

Overview

On June 15, 2023, $DEPUSDT and $LEVUSDC were attacked through an access control vulnerability, leading to a combined loss of ~105K USD.

Smart Contract Hack Overview:

Fig: Attack Transaction $DEPUSDT
Fig: Attack Transaction $LEVUSDC

Decoding the Smart Contract Vulnerability:

  • The root cause of the vulnerability was that the smart contract CurveSwap.sol exposed a public function that allowed the attacker to become an approved spender of the $DEPUSDT and $LEVUSDC tokens held by the contract.
  • Through the approveToken() function, the attacker could grant an arbitrary spender allowance and then transfer the funds out.
Fig: The root cause of the vulnerability
  • Consequently, the attacker effectively acquired the necessary permissions to access and manipulate the funds associated with the contract, establishing full control over them.

Mitigation and Best Practices:

  • Introduce an access control mechanism that restricts sensitive operations to authorized addresses or roles within the project, so that only trusted entities can initiate them.
  • Apply function modifiers that validate the caller's permissions before executing critical operations. OpenZeppelin's libraries provide a well-tested "onlyOwner" modifier for this purpose.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, have experienced smart contract auditors examine the contracts for logic issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
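As an added illustration (not the exploited CurveSwap.sol, which is not reproduced on this page): a simplified contract with the kind of unrestricted approveToken() described above, next to the same function gated with OpenZeppelin's "onlyOwner" modifier as recommended in the mitigations. Contract names, the event, and the OpenZeppelin version are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/access/Ownable.sol";

// Illustrative only: names and layout are assumptions, not CurveSwap.sol itself.

// VULNERABLE: approveToken() has no caller check, so any address can make an
// arbitrary `spender` an approved spender of tokens held by this contract.
// Once approved, that spender can drain the balance with transferFrom().
contract VulnerableSwap {
    function approveToken(address token, address spender, uint256 amount) public {
        // Missing access control: this is the pattern behind the incident.
        IERC20(token).approve(spender, amount);
    }
}

// HARDENED: the same operation restricted to the contract owner.
// OpenZeppelin v5 Ownable takes the initial owner as a constructor argument;
// with v4 the argument is dropped (assumed here: v5).
contract HardenedSwap is Ownable {
    event TokenApproved(address indexed token, address indexed spender, uint256 amount);

    constructor() Ownable(msg.sender) {}

    function approveToken(address token, address spender, uint256 amount)
        external
        onlyOwner // reverts for every caller except owner()
    {
        require(spender != address(0), "spender is zero address");
        IERC20(token).approve(spender, amount);
        // Emit an event so off-chain monitoring can alert on unexpected approvals.
        emit TokenApproved(token, spender, amount);
    }
}
```

A unit test that calls HardenedSwap.approveToken() from a non-owner address and expects a revert is the kind of case the "comprehensive test cases" bullet refers to.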

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup