$FFIST Hack Analysis
$FFIST Hack Analysis
Overview:
On July 20, 2023, $FFIST suffered an attack due to a business logic issue leading to a loss of ~110K USD.
Smart Contract Hack Overview:
Decoding the Smart Contract Vulnerability:
- The
_airdrop()function is intended to distribute $FFIST tokens randomly to different addresses. - Unfortunately, the randomness of airdrop addresses can be predicted due to manipulable parameters such as the last airdrop address, block number, from & to addresses.
- Moreover, the number of tokens airdropped to an address is fixed at one token, leading to an imbalance in the pool and causing $FFIST to be consistently set to 1.
- This imbalance allows a small amount of $FFIST tokens to be exchanged for a disproportionately large amount of USD, raising concerns about the fairness and stability of the ecosystem.
Mitigation and Best Practices:
- It is recommended to use a source of randomness that cannot be predicted or manipulated by attackers.
- Always validate your code by writing comprehensive test cases that cover all the possible business logic.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord