phxProxy Hack Analysis — Improper delegate call
Overview:
On January 28, 2023, the phxProxy contract was exploited because its delegateCallSwap() function did not validate the swap parameters passed to it. An attacker used this to make the proxy buy a fake BUSD token with its real BUSD, resulting in a loss of about 1.2K BUSD.
Smart Contract Hack Overview
- Attacker's address: 0x80d98a
- Attacker's transaction: 0x4fa408
- Exploiter's contract: 0xd329e
- phxProxy contract code: 0x66be8
- Fake BUSD token: 0x890a0

Decoding the Smart Contract Vulnerability
- The attacker first created a fake BUSD token and its trading pair, then moved them onto PancakeSwap through phxProxy.

- The attacker then passed the fake BUSD pair in the calldata of a phxProxy delegateCallSwap() call. Because the function did not check that input, the proxy swapped its real BUSD into the attacker's pair and bought all of the fake tokens.

- Finally, the attacker removed the liquidity they had added and withdrew the real BUSD the proxy had paid in, netting about 1.2K BUSD.

Mitigation and Best Practices:
- Validate every critical parameter. Any address that reaches a swap or a delegatecall from calldata (token, pair, router, implementation) should be checked against a known-good list rather than trusted as supplied.
- Implement access control properly: only the owner of the contract should be allowed to trigger critical operations such as swaps.
- Verify and sanitize user inputs at all times; a parameter that is only ever expected to hold a specific token must be enforced in code, not assumed.
- Logical issues like this one are best caught by a thorough manual audit of the Smart Contracts. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detectors at SolidityScan, including access control vulnerabilities.
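The pattern behind the attack described above, and the mitigations listed here, as an added Solidity example. This is illustrative code written for this write-up, not the phxProxy source: the contract names (SwapLogic, VulnerableProxy, HardenedProxy), the parameters of delegateCallSwap() and the router interface are assumptions, modelled on a Uniswap-V2-style DEX such as PancakeSwap.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed names and signatures for illustration; not the phxProxy code.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Subset of the Uniswap-V2-style router interface PancakeSwap exposes.
interface IRouter {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}

/// Swap logic that a proxy runs via delegatecall: `address(this)` and the
/// token balances used here belong to the proxy, not to this contract.
contract SwapLogic {
    function swap(address router, address[] calldata path, uint256 amountIn, uint256 minOut) external {
        IERC20(path[0]).approve(router, amountIn);
        IRouter(router).swapExactTokensForTokens(amountIn, minOut, path, address(this), block.timestamp);
    }
}

/// Vulnerable pattern: anyone may submit raw calldata, so the caller chooses
/// the router and the path. An attacker passes path = [BUSD, fakeBUSD] and a
/// pool they seeded themselves; the proxy's real BUSD is swapped into that
/// pool for a worthless token, and the attacker then pulls the liquidity.
contract VulnerableProxy {
    address public immutable logic;
    constructor(address _logic) { logic = _logic; }

    // No access control, no check on which tokens or router `data` names.
    function delegateCallSwap(bytes calldata data) external {
        (bool ok, ) = logic.delegatecall(data); // data = abi.encodeCall(SwapLogic.swap, (...))
        require(ok, "swap failed");
    }
}

/// Hardened pattern: owner-only, router allowlisted, every token in the path
/// allowlisted, and the delegatecall payload is built here from validated
/// arguments instead of being accepted as opaque bytes.
contract HardenedProxy {
    address public immutable logic;
    address public owner;
    mapping(address => bool) public allowedRouter;
    mapping(address => bool) public allowedToken;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(address _logic) { logic = _logic; owner = msg.sender; }

    function setRouter(address r, bool ok) external onlyOwner { allowedRouter[r] = ok; }
    function setToken(address t, bool ok) external onlyOwner { allowedToken[t] = ok; }

    function delegateCallSwap(address router, address[] calldata path, uint256 amountIn, uint256 minOut)
        external onlyOwner
    {
        require(allowedRouter[router], "router not allowed");
        require(path.length >= 2, "bad path");
        for (uint256 i = 0; i < path.length; i++) {
            require(allowedToken[path[i]], "token not allowed"); // rejects a fake BUSD
        }
        require(minOut > 0, "minOut required");               // no zero-slippage swaps
        (bool ok, ) = logic.delegatecall(abi.encodeCall(SwapLogic.swap, (router, path, amountIn, minOut)));
        require(ok, "swap failed");
    }
}
```

The allowlist is what removes the attack: with only the genuine BUSD address registered, a path containing the attacker's token reverts before any delegatecall happens. The `onlyOwner` modifier closes the second gap, since an unprivileged caller should never be able to move the proxy's funds at all, and the fixed `logic` address keeps the delegatecall target out of the caller's hands.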

Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risk in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord