SolidityScan
HACK ANALYSIS 2 min read

DKP Hack Analysis — Improper Token-Pair Ratio Calculation

DKP Hack Analysis — Improper Token-Pair Ratio Calculation

Overview:

A flash loan attack on the DKP protocol on February 8th, 2023, caused users of the protocol to lose $80K since the execute() function depended on the balance ratio of the two tokens in the USDT-DKP pair.

Smart Contract Hack Overview:

Attacker’s Transaction

Decoding the Smart Contract Vulnerability:

  • The attack begins with the transmission of a flash loan of 259,390 BSC-USD tokens to the exploit contract.
  • The attacker then called his contract’s `pancakeCall()` method and transferred the BSC-USD tokens from his contract to the exchange() function.
  • The attacker then used the exchange() method to convert 100 BSC-USD to 17,029 DKP tokens, which he later transmitted to the exploit contract.
  • The attacker initiated a new transaction called swapExactTokensForTokensSupportingFeeOnTransferTokens which exchanged the DKP tokens back to their USDT counterpart and profited greatly.

Mitigation and best practices:

  • Price manipulation attempts can be mitigated to a greater extent via oracles such as Chain Links and input validation on those feed parameters to prevent stale data.
  • Use weighted-time algorithms rather than depending heavily on token arithmetics.
  • Check for instances of fraudulent deposits on a regular basis and prevent arbitrage.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detection at SolidityScan including access control vulnerabilities.
SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

Poolz Finance Hack Analysis — Still experiencing overflow?
phxProxy Hack Analysis — Improper delegate call