SolidityScan
HACK ANALYSIS 3 min read

Mosca Hack Analysis

Mosca Hack Analysis

Overview:

On January 8, 2025, the Mosca contract on Binance Smart Chain (BSC) was exploited due to incorrect balance calculations in the exitProgram function. The vulnerability allowed the attacker to withdraw tokens multiple times by exploiting improper state updates. The exploit resulted in a total loss of approximately $19.5K.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  • The root cause of the exploit lies in improper handling of balances and incomplete state updates in the exitProgram function.
Fig: exitProgram Function
  • Specifically, the withdrawAll function calculates the total withdrawal amount using user.balance + user.balanceUSDT + user.balanceUSDC.
Fig: withdrawAll Function
  • However, after executing withdrawAll, only user.balance is reset to 0, leaving user.balanceUSDT and user.balanceUSDC unchanged.
  • This oversight allowed repeated withdrawals when user.balanceUSDT or user.balanceUSDC was non-zero and the rewardQueue was not empty.
Fig: Attack Call Sequence
  • The attacker called the buy function to increase their user.balanceUSDC. Then, they invoked the join function to push their address into the rewardQueue. And executed the exitProgram function multiple times, exploiting the incomplete reset of user.balanceUSDT and user.balanceUSDC.
  • The attacker withdrew tokens repeatedly, ultimately gaining approximately $19.5K.

Mitigation and Best Practices:

  • Ensure that all user balances (user.balance, user.balanceUSDT, user.balanceUSDC) are reset to 0 immediately after withdrawal. This should be done before performing any other state-changing operations to prevent repeated withdrawals.
  • Also, introduce stricter access controls for critical functions such as exitProgram and withdrawAll.
  • Always reset all relevant variables after transactions, especially when handling funds or critical state changes. This helps ensure that once a withdrawal is completed, the user cannot exploit the contract by calling the withdrawal function again using the old balances.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Our public audit reports can be found on https://github.com/Credshields/audit-reports. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 280+ detections at SolidityScan.
Fig: SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.

SolidityScan — LinkedIn | Twitter | Telegram | Discord

MoonHacker Vault Hack Analysis
UniLend Finance Hack Analysis