SolidityScan
HACK ANALYSIS 2 min read

MineSTM Hack Analysis

MineSTM Hack Analysis

Overview:

On June 6, 2024, MineSTM suffered an attack due to a business logic issue, leading to a total loss of over 13.8K USD.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  • The MineSTM contract’s `sell` function was designed to calculate liquidity based on the reserves of the token pair. This reliance on the reserves for determining token value created a vulnerability.
  • The hacker exploited this vulnerability by first swapping a large amount of tokens. This manipulation significantly altered the reserve amounts used in the liquidity calculations, setting the stage for the exploit.
  • After manipulating the reserves, the hacker called the `sell` function in the MineSTM contract. Due to the altered reserve amounts, the function erroneously calculated a much higher return, allowing the hacker to receive an excessive number of tokens.
  • This manipulation and subsequent execution of the `sell` function resulted in the hacker extracting a large amount of tokens from the contract, leading to a significant financial loss for the token’s ecosystem.
Fig: The root cause of the vulnerability

Mitigation and Best Practices:

  • Instead of relying solely on the reserve amounts for liquidity calculations, integrate a decentralized price oracle to obtain accurate and tamper-proof price data. This prevents manipulation by ensuring that the price used in calculations reflects the true market value.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Fig: SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

Introducing SolidityScan VS Code Plugin: Streamlining Smart Contract Security
VeloCore Hack Analysis