HACK ANALYSIS

Live crypto hack ($LCP) analysis — Improper Access Control


Overview:

A hack on the LiveCryptoParty project that took place on February 5th, 2023, and resulted in the loss of 180K LCP tokens due to a flaw in the transfer ownership function that enabled external addresses to execute the function and take ownership of the LCP contract.

Smart Contract Hack Overview:

Attacker’s transaction

Decoding the Smart Contract Vulnerability:

  • It was identified that the function `_transferOwnership()` was vulnerable to an access control violation. It was declared `external`, allowing external contracts and users to call the transfer ownership function directly.
  • Anybody could call the `_transferOwnership` function, take ownership of the LCP contract and drain funds, because there was no caller restriction and the supplied address was not validated.
  • The attacker then authorized the withdrawal of funds to his attack contract address and exchanged the LCP tokens for their BNB counterpart.

Mitigation and Best Practices:

  • Use an access control modifier that checks whether the caller is an authorized user (such as the current owner of the contract). The contract already defines an “onlyowner” modifier that can be used for this purpose.
  • Make the owner variable private if it’s supposed to be kept hidden from external users.
  • To prevent such vulnerabilities, have experienced smart contract auditors examine the contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities, including access control flaws, with 130+ detectors at SolidityScan.
SolidityScan — Smart Contract Vulnerability Scanner
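The pattern described in the analysis above, as a constructed illustration that is not the LCP contract's code: the first contract exposes the ownership-writing helper as `external` with no caller check, the second applies the mitigations from the list above (the helper becomes `internal`, the only public entry point is guarded by the owner modifier and rejects the zero address). Contract and function names other than `_transferOwnership` are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example of the flaw: the helper that writes `owner` is
// reachable by anyone, so the onlyOwner guard on withdraw() is bypassable
// by first calling _transferOwnership(attackerAddress).
contract VulnerableOwnable {
    address public owner;
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    // BUG: `external` visibility and no onlyOwner modifier, no address check.
    function _transferOwnership(address newOwner) external {
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    // Guarded as intended, but worthless once anyone can become owner.
    function withdraw(address payable to, uint256 amount) external onlyOwner {
        to.transfer(amount);
    }
}

// Hardened form: state-writing helper is internal; the public entry point
// is restricted to the current owner and validates the new address.
contract HardenedOwnable {
    address public owner;
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "caller is not the owner");
        _;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "new owner is the zero address");
        _transferOwnership(newOwner);
    }

    // Internal: callable only from within this contract or its children.
    function _transferOwnership(address newOwner) internal {
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}
```

Emitting `OwnershipTransferred` in both versions is what makes an unexpected ownership change visible to on-chain monitoring; the hardened contract simply ensures only the current owner can trigger it.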

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
