SolidityScan
HACK ANALYSIS 3 min read

MetaPoint Hack Analysis — Public Asset Transfer Approval

MetaPoint Hack Analysis — Public Asset Transfer Approval

Overview:

The project lost over $920k as a result of an attack on Metapoint on the BSC network on April 12, 2023. The public approve feature, which gave hackers access to all user assets and direct payment transfers, was discovered to be the hack’s primary cause.

Smart Contract Hack Overview:

Attacker’s fund deposit transactions

Decoding the Smart Contract Vulnerability:

  • The attacker contract used the approve() method repeatedly to authorize their address to transfer cash on behalf of other users.
  • The attacker authorized the exploit contract in order to gain the entire allowance of the user’s POT deposit contract, and subsequently sold the user’s tokens kept in the contract.
  • Because the approve() method was public, anybody could call and approve other users’ payments, resulting in a $920K loss to the project. It is very critical to have effective access restrictions, the contract code should be publicly available, and fully reviewed.

Mitigation and Best Practices:

  • Access control modules are provided by OpenZeppelin for creating role-based access control. Its application is simple: for each role that you wish to design, you will create a new role identifier that will be used to grant, revoke, and verify if an account has that role.
  • To do this, we may utilize the Ownable library from Openzeppelin. When a function call is made, OpenZeppelin’s Ownable defines modifiers like “onlyOwner” to determine if the user is the owner of the contract.
  • Making code available to the public improves contract confidence and could have helped white-hat hackers and auditors find and disclose vulnerabilities before they were exploited.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detection at SolidityScan including access control vulnerabilities.
SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

SushiSwap Hack Analysis — Improper Router Approve Parameters
Yearn finance Hack Analysis — Misconfigured yUSDT Mint