TrustPad Hack Analysis
TrustPad Hack Analysis
Overview:
On November 6, 2023, TrustPad suffered an attack due to a business logic vulnerability, leading to an approximate loss of ~155K USD.
Smart Contract Hack Overview:
- Attacker address: 0x1a7b15
- Attack Contract: 0x1694d7
- Vulnerable Contract: 0xe613c0
- Attack Transaction: 0x191a34
Decoding the Smart Contract Vulnerability:
- The root issue of the problem is the lack of verification for msg.sender in the
receiveUpPoolfunction. - This vulnerability enabled the attacker to manipulate the newlockstartTime.
- The attacker exploited this by repeatedly calling
receiveUpPool()andwithdraw()to accumulate rewards. - Further, the attacker utilised stakePendingRewards to convert the collected rewards into staking amounts.
- Eventually, the attacker withdrew the accumulated rewards through the
withdraw()function.
Mitigation and Best Practices:
- Always validate your code by writing comprehensive test cases that cover all the possible business logic.
- To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
- Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Conclusion:
SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup
Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord