SolidityScan
HACK ANALYSIS 2 min read

Sell Token Hack Analysis

Sell Token Hack Analysis

Overview:

On May 14, 2023, Sell Token suffered a security breach caused by a vulnerability that arose due to the smart contract’s failure to properly validate input parameters.

Smart Contract Hack Overview:

Fig: Attackers Transaction

Decoding the Smart Contract Vulnerability:

  • The StakingRewards contract’s Claim() function lacked proper input parameter validation, leading to a root cause for the vulnerability.
  • The attacker exploited this vulnerability by passing a fake token instead of USDT to obtain more rewards than they were entitled to.
  • The StakingRewards contract treated the fake token as USDT, enabling the attacker to manipulate the rewards they received by controlling the fake token and QiQi pairs.
Fig: Attack Flow
  • As a result of this vulnerability, the attacker was over-rewarded due to the lack of input validation in the StakingRewards contract.

Mitigation and Best Practices:

  • There should have been an address whitelisting or input validation to accept only the allowed token addresses.
  • It is recommended to implement thorough input validation checks, including data type, range, and format checking, access control, and other techniques, in the smart contract’s code.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

$LAND Hack Analysis — Missing Access Control
Local Traders Hack Analysis — Missing Access Control