IT Token Hack Analysis

Shashank, published in SolidityScan, Mar 28, 2024

On March 13, 2024, the IT token contract was exploited through a business logic flaw, leading to an approximate loss of over 13K USDT.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  1. The attacker started by transferring 2000 USDT to the Pancake pair and then calling the pair’s “swap” function, followed by “sync.” This sequence was repeated multiple times, yielding a profit of approximately $12k.
  2. The root cause of the exploit lies in the token’s “transfer” function. Whenever the sender is the pair address (which the contract treats as a purchase of IT tokens), new IT tokens are minted and added to the pair through the “mintToPoolIfNeeded” function. The attacker exploited this transfer-time minting.
  3. Additionally, the attacker was able to increase the “mintAmount” simply by transferring 2000 USDT into the pair. This unnecessary functionality made the vulnerability easier to exploit.
  4. At the end of the attack, the hacker exchanged all USDT for a “ffff” token they had created themselves. After an 8-minute interval, they converted their “ffff” tokens back to USDT, for a total gain of $13k.

Fig: The root cause of the vulnerability
Fig: Attack Flow

Mitigation and Best Practices:

  • Review the transfer function to ensure that it verifies the sender adequately and performs no privileged side effects. Specifically, do not mint IT tokens as a side effect of a transfer when the sender is the pair address.
  • Smart contract developers should build new tokens on the default ERC20 standard implementations rather than adding custom transfer logic, to reduce the attack surface and mitigate potential vulnerabilities.
  • Always validate your code by writing comprehensive test cases that cover all of the possible business logic, including the state of any liquidity pool the token interacts with.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Fig: SolidityScan — Smart Contract Vulnerability Scanner
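To make the root cause and the first mitigation concrete, here is an added illustration (not the IT token’s actual source, and not code from SolidityScan): a hypothetical reconstruction of the flawed pattern, in which a transfer from the pair triggers a mint into the pool, next to the hardened form that keeps the standard ERC20 behaviour. The contract names, the `_update` hook (OpenZeppelin v5) and the way `mintAmount` is populated are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "@openzeppelin/contracts/token/ERC20/ERC20.sol";

/// Hypothetical reconstruction of the flawed pattern described above.
/// Every transfer *from* the pair is treated as a buy and triggers a mint
/// into the pool. Because anyone can drive the pair's `swap` after
/// depositing USDT, the mint is attacker-controllable, and calling `sync`
/// afterwards makes the pair record the inflated balance as reserves.
contract VulnerableToken is ERC20 {
    address public immutable pair;
    // Assumed: updated elsewhere based on USDT sent to the pair, which is
    // what let the attacker raise it with a plain 2000 USDT transfer.
    uint256 public mintAmount;

    constructor(address pair_) ERC20("IT", "IT") {
        pair = pair_;
    }

    // Side effect inside the transfer path: this is the vulnerable check.
    function _update(address from, address to, uint256 value) internal override {
        if (from == pair) {
            mintToPoolIfNeeded();
        }
        super._update(from, to, value);
    }

    function mintToPoolIfNeeded() internal {
        if (mintAmount > 0) {
            _mint(pair, mintAmount); // inflates the pool's token balance
            mintAmount = 0;
        }
    }
}

/// Hardened form: a plain ERC20 with a fixed supply and no transfer-time
/// minting. The pool's balance can only change through ordinary transfers
/// and swaps, so there is nothing for a swap/sync loop to amplify.
contract HardenedToken is ERC20 {
    constructor(uint256 supply) ERC20("IT", "IT") {
        _mint(msg.sender, supply);
    }
}
```

A useful test for either contract is to assert that `totalSupply()` is unchanged after any sequence of `transfer` calls involving the pair address; the vulnerable contract fails that check as soon as `mintAmount` is non-zero.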

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord
