
Poolz Finance Hack Analysis — Still experiencing overflow?


Overview:

On March 15th, 2023, attackers exploited a vulnerability in Poolz Finance's unaudited LockedControl smart contract. The root cause was a classic integer overflow, and the resulting loss was $665,000.

Smart Contract Hack Overview:

Attacker's transaction

Decoding the Smart Contract Vulnerability:

  • The attack began when the attacker invoked CreateMassPools(), supplying the attributes and liquidity amounts used to create multiple pools.
  • CreateMassPools() internally called getArraySum() to total the per-pool amounts, and that total was handed to TransferInToken(), which pulls the tokens from the caller to fund the pools.
  • The addition inside getArraySum() overflowed, so the total wrapped around to a value far smaller than the amounts credited to the pools. The attacker then used the withdraw function to send the credited tokens to their own wallet.
  • The attacker repeated the same technique for several other tokens, including $ESNC, $POOLZ, $DON, and $ASW, for a sizable profit.

Mitigation and Best practices:

  • Compile with a time-tested, stable Solidity version (0.8.0 or later).
  • As a best practice, test every arithmetic operation for overflow and underflow during internal testing.
  • OpenZeppelin has done a tremendous job developing and reviewing SafeMath libraries that guard against under/overflow; use their most recent versions.
  • These libraries are unnecessary from Solidity 0.8.0 onward, since all arithmetic operations revert automatically on overflow and underflow (unless the code is explicitly placed in an unchecked block).
  • To protect against such hacks, get your entire codebase audited on a regular basis.
  • To avoid possible vulnerabilities, it is also crucial to keep the code updated.
  • To prevent such vulnerabilities, experienced smart contract auditors must examine the contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detectors at SolidityScan, including access control vulnerabilities.
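The flaw described in the vulnerability section and the checked-arithmetic mitigation above, side by side. This is an added illustration written for this post, not Poolz Finance's code: the contract, struct and function names are hypothetical, and the unchecked block is used only to reproduce the wrapping behaviour of compilers older than 0.8.0.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical mass-pool contract (not Poolz Finance's code) showing how an
/// unchecked array sum lets a caller fund many pools while transferring in
/// almost nothing, and how checked arithmetic plus a sanity check stops it.
contract MassPoolDemo {
    struct Pool { address owner; uint256 amount; }
    Pool[] public pools;

    /// Pre-0.8 semantics reproduced with `unchecked`: addition wraps mod 2**256.
    /// Constructed input [2**256 - 1, 1] therefore sums to 0.
    function getArraySumUnchecked(uint256[] memory a) public pure returns (uint256 sum) {
        unchecked { for (uint256 i = 0; i < a.length; i++) sum += a[i]; }
    }

    /// Default 0.8.x semantics: the same input reverts with Panic(0x11).
    function getArraySumChecked(uint256[] memory a) public pure returns (uint256 sum) {
        for (uint256 i = 0; i < a.length; i++) sum += a[i];
    }

    /// Vulnerable pattern: pull in the (wrapped) total once, then credit each
    /// pool with its full, un-wrapped amount. The mismatch is the bug.
    function createMassPoolsUnchecked(IERC20 token, uint256[] memory amounts) external {
        uint256 total = getArraySumUnchecked(amounts);
        require(token.transferFrom(msg.sender, address(this), total), "transfer failed");
        for (uint256 i = 0; i < amounts.length; i++) pools.push(Pool(msg.sender, amounts[i]));
    }

    /// Hardened pattern: the checked sum reverts on wrap, and nothing is
    /// credited unless the total actually pulled in is non-zero and equals
    /// the sum of the amounts about to be recorded.
    function createMassPoolsChecked(IERC20 token, uint256[] memory amounts) external {
        uint256 total = getArraySumChecked(amounts);
        require(total > 0, "nothing to deposit");
        require(token.transferFrom(msg.sender, address(this), total), "transfer failed");
        uint256 credited;
        for (uint256 i = 0; i < amounts.length; i++) {
            pools.push(Pool(msg.sender, amounts[i]));
            credited += amounts[i];
        }
        require(credited == total, "credit/transfer mismatch");
    }
}
```

Calling getArraySumUnchecked with [type(uint256).max, 1] returns 0, while getArraySumChecked reverts on the same input; that difference is the whole mitigation.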

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
