Health Token Hack Analysis
Overview:
On October 20, 2022, a price manipulation attack drained 16 BNB from the pool. The attacker used a flash loan to inflate the price of HEALTH tokens and then traded them back at the inflated price, taking a profit of 16 BNB from the pool.
The attacker flash borrowed 40 WBNB and exchanged it for HEALTH tokens. The attacker then exploited the HEALTH token contract by making 999 transactions with a zero balance. Because these transactions removed a large number of tokens from the pool, the price of HEALTH tokens increased. Finally, the attacker sold the HEALTH tokens at the inflated price and exchanged them for their WBNB equivalent. The flash loan was completed successfully, leaving a profit of 16 BNB in the attacker’s account.
Decoding the Smart Contract Vulnerability:
- To begin, the attacker flash borrowed 40 WBNB and swapped it for 31839221.11 HEALTH tokens.
- The attacker then made 999 transactions with a zero balance, taking advantage of a flaw in the HEALTH token contract.
- These transactions decreased the number of HEALTH tokens in the pool, which increased the price of HEALTH tokens.
- In the end, the attacker sold the HEALTH tokens at the inflated price, converting 30565652.26 HEALTH tokens into 56.64 WBNB.
- The flash loan was completed successfully, resulting in a profit of 16 BNB in the attacker’s account.
Mitigation best practices:
- To stop price manipulation attempts, implement checks on transaction variables and revert transactions that contain fraudulent deposits and transfers.
- Validate transfer amounts and reject zero-amount transactions before any critical logic is applied to the contract's state variables.
- Check for instances of fraudulent deposits regularly.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide not only Smart Contract security but also end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your contract against the latest common security vulnerabilities with 130+ patterns at SolidityScan, which includes the detection of Re-entrancy vulnerabilities.
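
The zero-amount check recommended above can be written as a regression test. The following is an added example, not code from the HEALTH contract or from CredShields: a Python model of a fee-less constant-product pool that compares a transfer hook that shrinks the pool's token balance on every call with one that validates the amount first. The pool reserves, the 0.10% burn rate and all function names are assumptions, so the figures it prints do not reproduce the 16 BNB from the incident.

```python
from dataclasses import dataclass

BURN_BPS = 10  # assumed: each transfer removes 0.10% of the pool's HEALTH


@dataclass
class Pool:
    """Fee-less constant-product pool (x * y = k); reserves are constructed."""
    wbnb: float = 100.0
    health: float = 100_000_000.0

    def price(self) -> float:
        return self.wbnb / self.health  # WBNB per HEALTH

    def swap_wbnb_for_health(self, wbnb_in: float) -> float:
        out = self.health - self.wbnb * self.health / (self.wbnb + wbnb_in)
        self.wbnb, self.health = self.wbnb + wbnb_in, self.health - out
        return out

    def swap_health_for_wbnb(self, health_in: float) -> float:
        out = self.wbnb - self.wbnb * self.health / (self.health + health_in)
        self.wbnb, self.health = self.wbnb - out, self.health + health_in
        return out


def flawed_transfer(pool: Pool, amount: float) -> None:
    """Pool side effect runs with no amount check, even for amount == 0."""
    pool.health -= pool.health * BURN_BPS / 10_000


def hardened_transfer(pool: Pool, amount: float) -> None:
    """Validates the amount first and never touches pool reserves."""
    if amount <= 0:
        raise ValueError("zero-amount transfer rejected")


def audit(transfer, loan: float = 40.0, repeats: int = 999):
    """Return (price_ratio, round_trip_pnl) for buy -> zero transfers -> sell."""
    pool = Pool()
    bought = pool.swap_wbnb_for_health(loan)
    before = pool.price()
    for _ in range(repeats):
        try:
            transfer(pool, 0)
        except ValueError:
            break  # a rejected transfer cannot change pool state
    ratio = pool.price() / before
    return ratio, pool.swap_health_for_wbnb(bought) - loan


if __name__ == "__main__":
    for fn in (flawed_transfer, hardened_transfer):
        print(fn.__name__, audit(fn))
```

A token passes the check when the price ratio stays at 1 and the round trip yields no gain; any other result means a transfer can move the pool price without a swap.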

Attack summary:
The attacker manipulated the price by reducing the amount of HEALTH tokens held in the Uniswap pair, repeating the transfer 999 times. Due to a bug in the HEALTH contract's _transfer() method, 16 BNB were lost from the pool as a result. It is strongly advised to follow best practices for smart contracts and have the top blockchain security auditors examine your smart contracts.
Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup