FortuneWheel Hack Analysis

Overview:

On January 10, 2025, the FortuneWheel smart contract deployed on Binance Smart Chain was exploited due to a critical flaw in its swap functionality. The exploit resulted in an estimated loss of nearly $21,000 USD.

Smart Contract Hack Overview:

Attacker address: 0xe40ab1

Vulnerable contract: 0x384b9f

Attack Transaction: 0xd6ba15

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  • The FortuneWheel smart contract exposed a swapProfitFees function that performed token swaps through PancakeSwap with no restriction on who could call it. The function lacked an access control modifier, so any address could invoke it.

The root cause of the vulnerability:
  • The swapProfitFees function exchanged the contract's tokens through PancakeSwap.
  • Because the function had no access check, the attacker could call it directly without any authorization.
  • The attacker first swapped a significant amount of WBNB for LINK, moving the pool price, then invoked the unprotected function to swap LINK back to WBNB, profiting from the price manipulation.

Mitigation and Best Practices:

  • Functions like swapProfitFees must be restricted to authorized roles using access control mechanisms such as onlyOwner or custom modifiers.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Our public audit reports can be found on https://github.com/Credshields/audit-reports . Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 225+ detections at SolidityScan.
Fig: SolidityScan — Smart Contract Vulnerability Scanner
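To make the root cause and the onlyOwner fix concrete, the following is an added Solidity sketch with a Foundry test. It is not FortuneWheel's source and not CredShields' or SolidityScan's code. The contract names, the reduced PancakeSwap router interface, the mock token and mock router, and the revert string are assumptions. The hardened version also takes a caller-supplied minimum output amount; that slippage guard goes beyond the access-control fix the analysis describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol"; // Foundry test harness (assumption: project uses Foundry)

// Reduced PancakeSwap router surface; the real router exposes much more.
interface IPancakeRouter {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function approve(address, uint256) external returns (bool);
}

// Vulnerable shape (illustrative): swapProfitFees has no access control,
// so any address can force the contract to swap at a moment of its choosing.
contract FortuneWheelVulnerable {
    IPancakeRouter public immutable router;
    address public immutable link;
    address public immutable wbnb;

    constructor(IPancakeRouter r, address l, address w) { router = r; link = l; wbnb = w; }

    function swapProfitFees() external {
        address[] memory path = new address[](2);
        path[0] = link; path[1] = wbnb;
        uint256 amountIn = IERC20(link).balanceOf(address(this));
        IERC20(link).approve(address(router), amountIn);
        // amountOutMin = 0 accepts whatever price the pool currently quotes.
        router.swapExactTokensForTokens(amountIn, 0, path, address(this), block.timestamp);
    }
}

// Hardened shape: onlyOwner gate plus a caller-supplied minimum output.
contract FortuneWheelHardened {
    IPancakeRouter public immutable router;
    address public immutable link;
    address public immutable wbnb;
    address public immutable owner;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IPancakeRouter r, address l, address w) {
        router = r; link = l; wbnb = w; owner = msg.sender;
    }

    function swapProfitFees(uint256 amountOutMin) external onlyOwner {
        address[] memory path = new address[](2);
        path[0] = link; path[1] = wbnb;
        uint256 amountIn = IERC20(link).balanceOf(address(this));
        IERC20(link).approve(address(router), amountIn);
        router.swapExactTokensForTokens(amountIn, amountOutMin, path, address(this), block.timestamp);
    }
}

// Test doubles (constructed for this example) so the tests run without a mainnet fork.
contract MockToken is IERC20 {
    mapping(address => uint256) public override balanceOf;
    function mint(address to, uint256 v) external { balanceOf[to] += v; }
    function approve(address, uint256) external pure override returns (bool) { return true; }
}

contract MockRouter is IPancakeRouter {
    uint256 public calls; // counts how often a swap was triggered
    function swapExactTokensForTokens(uint256, uint256, address[] calldata, address, uint256)
        external override returns (uint256[] memory amounts) { calls++; amounts = new uint256[](2); }
}

contract SwapProfitFeesTest is Test {
    address attacker;
    MockRouter router;
    MockToken link;
    MockToken wbnb;

    function setUp() public {
        attacker = makeAddr("attacker");
        router = new MockRouter();
        link = new MockToken();
        wbnb = new MockToken();
    }

    // Documents the bug: an arbitrary address can trigger the contract's swap.
    function test_anyoneCanTriggerVulnerableSwap() public {
        FortuneWheelVulnerable v = new FortuneWheelVulnerable(router, address(link), address(wbnb));
        vm.prank(attacker);
        v.swapProfitFees();
        assertEq(router.calls(), 1);
    }

    // Documents the fix: non-owner calls revert, the owner (this test contract) may still swap.
    function test_hardenedRejectsNonOwner() public {
        FortuneWheelHardened h = new FortuneWheelHardened(router, address(link), address(wbnb));
        vm.prank(attacker);
        vm.expectRevert(bytes("not owner"));
        h.swapProfitFees(0);
        h.swapProfitFees(1 ether);
        assertEq(router.calls(), 1);
    }
}
```

Run with `forge test`. The first test passes only because the vulnerable contract lets an unrelated caller trigger the swap, which is exactly the condition a test suite for this contract should have flagged; the second test is the regression check that the onlyOwner gate stays in place.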

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord