Sheep Farm Hack Analysis — Incorrect Registration Implementation
Overview:
On November 15, 2022, Sheep Farm, an investment-style blockchain game, was exploited for approximately 262 $BNB, worth about $72,000 at the time. The root cause was a logic flaw in one function of the SheepFarm contract: the registration function could be called repeatedly by the same address, and each call credited the caller with more gems, the in-game resource that feeds the yield calculation.
Smart Contract Hack Overview:
- Attacker’s Transaction: 0x8b3e0e
- Attacker’s address: 0x2131c6
- SheepFarm contract: 0x472601
- Vulnerable code: 0x4726010

Decoding the Smart Contract Vulnerability:
- The register() method checked the caller's stored timestamp to decide whether the caller was a new user, but it never wrote the timestamp back after a successful registration. Because the value it checked was never updated, the "new user" condition stayed true forever, so the new-user check could be bypassed simply by calling register() again.

- The attacker called the SheepFarm contract's register() method many times from the same address. Every call passed the new-user check and credited the registration bonus again, so the attacker accumulated gems far beyond what a single registration grants.

- The attacker then spent the accumulated gems through the upgradeVillage() method, which consumes gems and raises the account's yield attribute.

- Finally, the attacker called the sellVillage() method to convert the inflated yield into BNB and withdrew the proceeds.

Mitigation best practices:
- Proper validation should be implemented so that multiple successive registrations from one address are impossible. This exploit could have been prevented if the neighbor argument to register() had been properly validated and, more importantly, if the caller's timestamp had been written once the registration completed, so that the very check the function relies on actually changes state.
- Values that gate account state should not be accepted as caller-supplied parameters where it can be avoided, since anything the caller passes in can be manipulated; derive them from contract storage instead.
- To prevent such vulnerabilities, Smart Contracts should be examined by experienced auditors for logical issues, not just for known vulnerability patterns. We at CredShields provide not only Smart Contract security but also end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your contract against the latest common security vulnerabilities with 130+ patterns at SolidityScan, which includes the detection of Re-entrancy vulnerabilities.
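The following is an added illustration, written for this article and not the SheepFarm contract's own code, of the registration flaw described in the vulnerability section and of the fix recommended under mitigation. The contract names (VulnerableFarm, FixedFarm, RepeatedRegister), the User struct, the villages mapping and the GEMS_ON_REGISTER bonus are assumptions made for the example; only the check-a-timestamp-but-never-set-it pattern mirrors what the analysis above describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example for this article. Not the SheepFarm code; all names are assumed.

contract VulnerableFarm {
    struct User { uint256 gems; uint256 yieldRate; uint256 timestamp; address neighbor; }
    mapping(address => User) public villages;
    uint256 public constant GEMS_ON_REGISTER = 100;

    function register(address neighbor) external {
        User storage user = villages[msg.sender];
        // The "new user" check reads the stored timestamp...
        require(user.timestamp == 0, "already registered");
        require(neighbor != msg.sender, "cannot refer yourself");
        user.neighbor = neighbor;
        user.gems += GEMS_ON_REGISTER;
        // ...but the timestamp is never written, so the check passes on every call
        // and each call adds another registration bonus to the same account.
    }
}

contract FixedFarm {
    struct User { uint256 gems; uint256 yieldRate; uint256 timestamp; address neighbor; }
    mapping(address => User) public villages;
    uint256 public constant GEMS_ON_REGISTER = 100;
    address public immutable owner;

    constructor() {
        owner = msg.sender;
        // Seed the referral tree so the first real user has a valid neighbor to name.
        villages[msg.sender].timestamp = block.timestamp;
    }

    function register(address neighbor) external {
        User storage user = villages[msg.sender];
        require(user.timestamp == 0, "already registered");
        require(neighbor != msg.sender, "cannot refer yourself");
        // The caller-supplied neighbor is validated against contract storage,
        // so an arbitrary address cannot be passed in as a referrer.
        require(villages[neighbor].timestamp != 0, "neighbor not registered");
        // Effects first: record the registration before crediting anything,
        // so the same check fails on any later call from this address.
        user.timestamp = block.timestamp;
        user.neighbor = neighbor;
        // Assign rather than accumulate: a registration bonus is granted exactly once.
        user.gems = GEMS_ON_REGISTER;
    }
}

// Reproduces the abuse against VulnerableFarm: n calls from one address, n bonuses.
// Against FixedFarm the second call reverts with "already registered".
contract RepeatedRegister {
    function drain(VulnerableFarm farm, address neighbor, uint256 n) external returns (uint256 gems) {
        for (uint256 i = 0; i < n; i++) {
            farm.register(neighbor);
        }
        // Public mapping getter returns the struct members in declaration order.
        (gems, , , ) = farm.villages(address(this));
    }
}
```

Deploying VulnerableFarm and calling RepeatedRegister.drain(farm, someOtherAddress, 50) returns 5000 gems for a single account; the same loop against FixedFarm reverts on the second iteration. The two lines that matter in the fix are the write to user.timestamp, which makes the guard's own input change, and the assignment (not +=) to user.gems, which bounds the bonus even if some other path ever reaches the credit again.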

Conclusion:
SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup