NGFS Token Hack Analysis

Overview:

On April 25, 2024, NGFS Token suffered an attack due to an access control issue, leading to a total loss of over 190K USD.

Smart Contract Hack Overview:

• Attacker address: 0xd03d36
• Attack Contract: 0xc73781
• Vulnerable Contract: 0xa60898
• Attack Transaction: 0x8ff764

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

The NGFS Token fell victim to a hack shortly following its launch due to improper initialization of the contract by the deployer. The breach unfolded in three simple steps:

• The attacker initiated a call to delegateCallReserves, thereby assigning the uniswapV2Proxy to the attacker’s address.
• Then the attacker gained the ability to manipulate the _uniswapV2Library to any desired address, facilitating access to the crucial third function.
• Leveraging the reserveMultiSync function, the attacker was able to siphon off all funds from the PancakeSwap BSC-USD — NGFS pool to their own address, resulting in a loss of approximately $191k.

Fig: The root cause of the vulnerability

Mitigation and Best Practices:

• Ensure that the contract is initialized correctly before deployment. This involves thorough testing to verify that all variables and functions are set up securely.
• Implement access controls and permission checks on critical functions to prevent unauthorized users from executing them.
• Always validate your code by writing comprehensive test cases that cover all the possible business logic.
• To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
• Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan

Fig: SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord