EarningFarm Hack Analysis
Published in
2 min readAug 24, 2023
Overview:
On August 9, 2023, EarningFarm suffered a reentrancy attack, leading to an approximate loss of ~286k USD.
Smart Contract Hack Overview:
- Attacker Address: 0xee4b3d
- Attack Contract: 0xfe141c
- Vulnerable Contract: 0x863e57
- Attack Transaction: 0x6e6e55
Decoding the Smart Contract Vulnerability:
- The root cause was the abnormal handling of the shares and LP token ENF_ETHLEV, which resulted in the value of the normal shares being overridden.
- The attacker deposited 320 ETH using the “
deposit()
” function, acquiring a significant quantity of ENF_ETHLEV tokens. - Subsequently, the attacker withdrew the initially deposited ETH by utilizing the “
withdraw()
” function. - The attacker then transferred ENF_ETHLEV to another attack contract in the fallback function.
- Due to the faulty judgment, the value of the shares was overridden.
- The attacker only needed to burn a small amount of LP tokens to redeem the 320 deposited ETH.
- Finally, the attacker swapped the remaining
ENF_ETHLEV
for 159 ETH.
Mitigation and Best Practices:
- Use reentrancy-preventive function modifiers, such as Open Zepplin’s Re-entrancy guard
- Always make sure that any state changes occur internally first, such as updating balances or calling internal functions before calling external code.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detection at SolidityScan including reentrancy vulnerabilities.
Conclusion:
- SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
- Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord