
Snooker Token Hack Analysis


Overview:

On May 10, 2023, the Snooker (SNK) token was exploited due to a business logic issue, resulting in a total loss of $190K.

Smart Contract Hack Overview:

Vulnerable contract: 0xa3f5ea
Attacker's address: 0x6b67f9
Exploit contract: 0xc04c49
Attacker's transaction: 0x7394f2

Attacker's transaction

Decoding the Smart Contract Vulnerability:

  • The exploiter set up numerous contracts and deposited 10 $SNK into each of them 10 days before launching the attack.
  • The hacker created a subcontract (call it 0x1abc) and established an invitation relationship with a parent contract by calling the vulnerable contract's bindParent() function, where the parent is one of the contracts created 10 days earlier (call it 0x2def).
bindParent() function
  • The subcontract (0x1abc) called the stake() function, staked a certain amount of SNK, and set 0x2def as its inviter.
  • The reward was calculated from the current balance of the inviter's child ("childer"), a value the attacker fully controlled through the stake in the previous step, so the contract computed an abnormally large reward.
_getMyChildersBalanceOf() function
  • 0x2def withdrew the reward, and the childer contract exited its stake, completing one round of arbitrage.
  • The attacker then sent the same tokens to the next childer contract and repeated the previous steps many times to make a significant profit.
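The following is an added illustration written for this analysis, not the SNK contract's code: a hypothetical reconstruction of the referral-reward pattern described above, with a vulnerable version beside a hardened one. All contract names, function bodies, rates and the lock period are assumptions; only the function names bindParent(), stake() and _getMyChildersBalanceOf() are taken from the write-up. The hardened version generalizes the fix: a referral reward that is a share of yield the child actually earned over time, settled once, cannot be farmed by restaking the same tokens.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction for this analysis. NOT the SNK contract; every
// name, rate and lock period below is an assumption.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// ---- Vulnerable pattern: reward derived from a live, attacker-controlled balance ----
contract ReferralStakeVulnerable {
    IERC20 public immutable token;
    uint256 public constant REFERRAL_BPS = 1_000; // 10% of children's balance (assumed)
    mapping(address => uint256) public staked;
    mapping(address => address) public parentOf;
    mapping(address => address[]) private children;

    constructor(IERC20 _token) { token = _token; }

    function bindParent(address parent) external {
        require(parentOf[msg.sender] == address(0), "already bound");
        require(parent != msg.sender && parent != address(0), "bad parent");
        parentOf[msg.sender] = parent;
        children[parent].push(msg.sender);
    }

    function stake(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        staked[msg.sender] += amount;
    }

    function exit() external {
        uint256 amount = staked[msg.sender];
        staked[msg.sender] = 0;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Sums the CURRENT stake of every child of `who`.
    function _getMyChildersBalanceOf(address who) internal view returns (uint256 total) {
        address[] storage kids = children[who];
        for (uint256 i = 0; i < kids.length; i++) total += staked[kids[i]];
    }

    // BUG: the payout depends only on a balance the children control at call time.
    // A child can stake, let the parent claim, exit, hand the tokens to the next
    // child and repeat, so the same tokens earn a fresh referral reward each round.
    function claimReferralReward() external {
        uint256 reward = (_getMyChildersBalanceOf(msg.sender) * REFERRAL_BPS) / 10_000;
        require(token.transfer(msg.sender, reward), "transfer failed");
    }
}

// ---- Hardened pattern: reward is a share of yield the child actually earned over time ----
contract ReferralStakeHardened {
    IERC20 public immutable token;
    uint256 public constant REFERRAL_BPS = 1_000;
    uint256 public constant YIELD_PER_TOKEN_SEC = 1e9; // assumed; scaled by 1e18
    uint256 public constant MIN_LOCK = 7 days;         // assumed

    struct Position { uint256 amount; uint64 since; uint64 lockedUntil; }
    mapping(address => Position) public positions;
    mapping(address => address) public parentOf;
    mapping(address => uint256) public owed; // settled, unclaimed rewards

    constructor(IERC20 _token) { token = _token; }

    function bindParent(address parent) external {
        require(parentOf[msg.sender] == address(0), "already bound");
        require(parent != msg.sender && parent != address(0), "bad parent");
        require(positions[msg.sender].amount == 0, "bind before staking");
        parentOf[msg.sender] = parent;
    }

    function stake(uint256 amount) external {
        _settle(msg.sender);
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        Position storage p = positions[msg.sender];
        p.amount += amount;
        p.lockedUntil = uint64(block.timestamp + MIN_LOCK); // each top-up restarts the lock
    }

    function exit() external {
        Position memory p = positions[msg.sender];
        require(block.timestamp >= p.lockedUntil, "still locked");
        _settle(msg.sender);
        delete positions[msg.sender];
        require(token.transfer(msg.sender, p.amount), "transfer failed");
    }

    function claim() external {
        uint256 amount = owed[msg.sender];
        owed[msg.sender] = 0;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Credits the yield accrued since the last settlement, exactly once. The
    // referrer's cut is a fixed share of that yield, so it grows only with time
    // staked, never with whatever balance the child happens to hold at claim time.
    function _settle(address child) internal {
        Position storage p = positions[child];
        uint256 elapsed = block.timestamp - p.since; // amount is 0 on first stake, so yield is 0
        uint256 yield_ = (p.amount * elapsed * YIELD_PER_TOKEN_SEC) / 1e18;
        p.since = uint64(block.timestamp);
        if (yield_ == 0) return;
        uint256 referral = (yield_ * REFERRAL_BPS) / 10_000;
        address parent = parentOf[child];
        owed[child] += yield_ - referral;
        if (parent != address(0)) owed[parent] += referral; else owed[child] += referral;
    }
}
```

A test suite for the hardened version should cover the loop the write-up describes: bind, stake, claim as parent, exit, move the tokens to a fresh child and repeat. In the vulnerable contract each round pays out again; in the hardened one the second round pays nothing extra until real time has elapsed, and exit() reverts until the lock expires.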

Mitigation and Best Practices:

  • Always validate your code by writing comprehensive test cases that cover every possible business-logic path, including multi-step sequences such as bind, stake, claim and exit.
  • To prevent such vulnerabilities, have experienced smart contract auditors examine the contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord