Sashimi Swap Hack Analysis — Improper Swap & Router Design
Overview:
On December 30, 2021, an attack exploiting an improper swap calculation and the Sashimi router’s architectural design was carried out against Sashimi Swap, causing a loss of $210,000.
Smart Contract Hack Overview:
- Attacker’s address: 0xa81894
- Attacker’s transaction: 0xdf719d2
- Attacker contract: 0x4d8056
- Vulnerable contract: 0xe4fe6a
- DVM contract: 0x7ca7b5

Decoding the Smart Contract Vulnerability:
- The attack began with a flash loan of 400 ETH from the DVM contract, after which the attacker created three fraudulent tokens.

- The attacker then created pairs for those three tokens, added WETH liquidity to them, and called the UniswapRouter contract to swap the tokens.

- The `swapExactTokensForETHSupportingFeeOnTransferTokens()` function contained flawed logic: its output calculation was based on the WETH recorded for the first pair, which made it possible to swap the WETH held in the first pair out through the other pairs. As a result, the attacker drained 151 WETH in the initial swap when only 1 WETH should have been deducted.

- A second logical defect was the router contract’s link to the vault contract, which allowed WETH to be withdrawn from the vault whenever the router contract’s own balance ran out.

- Through a series of such transactions the attacker accumulated significant assets, repaid the flash loan, and left with the remaining funds.
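The two router defects described above, modelled in simplified form as an added example (this is not Sashimi’s code, and the real router’s arithmetic is not reproduced): the vulnerable path quotes the WETH owed against the first recorded pair and backstops any shortfall from the vault, while the hardened path pays out only the WETH the traded pair actually delivered, measured as the router’s own balance change. Pool sizes and swap amounts are constructed.

```python
# Added example, not Sashimi's code: a simplified model of the two router
# defects described above; pools and amounts are constructed.

class Pair:
    """Constant-product token/WETH pool, fee-free for brevity (assumption)."""
    def __init__(self, token_reserve, weth_reserve):
        self.token, self.weth = token_reserve, weth_reserve

    def quote_weth_out(self, amount_in):
        return self.weth * amount_in // (self.token + amount_in)

    def swap_token_for_weth(self, amount_in, recipient):
        out = self.quote_weth_out(amount_in)
        self.token, self.weth = self.token + amount_in, self.weth - out
        recipient["weth"] += out          # pair pushes WETH to the recipient
        return out


def vulnerable_swap(router, vault, pairs, traded, amount_in, user):
    """Defect 1: WETH owed is quoted against pairs[0], the first pair the
    router recorded, even when the trade runs through another pair.
    Defect 2: any shortfall is covered from the vault instead of reverting."""
    owed = pairs[0].quote_weth_out(amount_in)
    pairs[traded].swap_token_for_weth(amount_in, router)
    if router["weth"] < owed:
        shortfall = owed - router["weth"]
        vault["weth"] -= shortfall
        router["weth"] += shortfall
    router["weth"] -= owed
    user["weth"] += owed
    return owed


def hardened_swap(router, pairs, traded, amount_in, amount_out_min, user):
    """Pays only what the traded pair actually delivered, measured as the
    router's own WETH balance delta across the swap, with a minimum-out check."""
    before = router["weth"]
    pairs[traded].swap_token_for_weth(amount_in, router)
    received = router["weth"] - before
    if received < amount_out_min:
        raise ValueError("INSUFFICIENT_OUTPUT_AMOUNT")
    router["weth"] -= received
    user["weth"] += received
    return received


def make_pairs():
    """Constructed scenario: a deep first pair and a near-empty second pair."""
    return [Pair(1_000, 1_000), Pair(1_000, 1)]
```

With these pools, a swap of 1,000 tokens through the near-empty second pair delivers 0 WETH, yet the vulnerable router pays the user 500 WETH quoted from the first pair and drains that amount from the vault.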

Mitigation and Best Practices:
- One of the best ways to prevent flash loan attacks is to thoroughly audit and test smart contracts before deploying them. This can help identify vulnerabilities and bugs that could be exploited by attackers.
- Always ensure that any state changes occur internally first, such as updating balances or calling internal functions before calling external code.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts for the latest common security vulnerabilities, including access control issues, with the 130+ detectors in SolidityScan.

Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup