Pine Protocol Hack Analysis
Overview:
On December 22, 2023, Pine Protocol was attacked through a business logic flaw: two different contracts in the protocol shared the same pools. The attack led to an approximate loss of over 40 ETH.
Smart Contract Hack Overview:
- Attacker address: 0x05324c
- Vulnerable Contract: 0x1d558
- Attack contract: 0x240591
- Attack Transaction: 0xec7523

Decoding the Smart Contract Vulnerability:
1) The exploiter capitalized on a flaw in the protocol’s most recent update, where both the old and new versions of their contracts were utilizing the same pool address.
2) Because the old and new contract versions shared this pool address, fund transfers that targeted different pools were executed from the same address.
3) The attacker initiated the process by using NFT tokens as collateral to borrow assets from the new version of the pool. Subsequently, they executed another flash loan from the old version of the pool, utilizing it to repay their initially borrowed assets.
4) Owing to the shared fund pools between the flash loan and NFT lending contract, the repayment was flagged as a flash loan repayment. These steps were iterated multiple times to deplete the assets from the vault.
5) The exploiter proceeded to withdraw ETH from FixedFloat and ChangeNow, followed by laundering 20 ETH valued at $46,082 through Tornado Cash.

Mitigation and Best Practices:
- The vulnerability in Pine Protocol was fixed by deploying a new smart contract version that enforced `whitelistedIntermediaries` checks for flash loan functions, addressing the specific flaw in the old contracts.
- Additionally, measures such as segregating pool addresses and enhancing security protocols should be implemented to mitigate the risks associated with shared resources and bolster the protocol’s overall security.
- Always validate your code by writing comprehensive test cases that cover all the possible business logic.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
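
The shared-pool accounting described above can be pinned down in a business-logic test. The following is an added example, not Pine Protocol's code: a simplified Python model in which every name except `whitelistedIntermediaries` is hypothetical, and the whitelist is assumed to restrict who may call the flash loan function.

```python
# Simplified accounting model, not Pine Protocol's code. Every name except
# whitelistedIntermediaries (from the fix above) is hypothetical.
class Account:
    """A balance holder: a funding vault or a user."""
    def __init__(self, name, balance=0):
        self.name, self.balance = name, balance

class LendingPool:
    """New version: NFT-collateralised loans."""
    def __init__(self, vault):
        self.vault, self.debt = vault, {}
    def borrow(self, user, amount):
        self.vault.balance -= amount
        user.balance += amount
        self.debt[user.name] = amount      # collateral NFT is locked here
    def repay(self, user):
        amount = self.debt.pop(user.name)  # collateral NFT is released here
        user.balance -= amount
        self.vault.balance += amount

class FlashLoanPool:
    """Old version: repayment is judged only by the vault balance."""
    def __init__(self, vault, whitelisted_intermediaries=None):
        self.vault = vault
        self.whitelist = whitelisted_intermediaries  # None models the missing check
    def flash_loan(self, user, amount, callback):
        if self.whitelist is not None and user.name not in self.whitelist:
            raise PermissionError("caller is not a whitelisted intermediary")
        before = self.vault.balance
        self.vault.balance -= amount
        user.balance += amount
        callback()
        if self.vault.balance < before:    # any inflow counts as repayment
            raise RuntimeError("flash loan not repaid")

def run_round(shared_vault, whitelist=None, amount=10):
    """Return (status, unbacked funds left with the user) for one round."""
    lend_vault = Account("vault-new", 100)
    flash_vault = lend_vault if shared_vault else Account("vault-old", 100)
    lending, flash = LendingPool(lend_vault), FlashLoanPool(flash_vault, whitelist)
    user = Account("borrower")
    lending.borrow(user, amount)
    try:
        flash.flash_loan(user, amount, lambda: lending.repay(user))
    except (PermissionError, RuntimeError) as exc:
        return (type(exc).__name__, 0)     # a revert rolls the round back
    return ("accepted", user.balance - sum(lending.debt.values()))
```

With a shared vault and no whitelist the round is accepted and the user keeps 10 units with no debt; with segregated vaults or a whitelist in place it reverts.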

Conclusion:
SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup