
Uwerx Hack Analysis

Overview

On August 2, 2023, Uwerx was hacked through a business logic vulnerability, resulting in a loss of roughly 176 ETH.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  • Using a flash loan of 20,000 ETH, the attacker swapped for approximately 5,053,637 UWERX tokens, then transferred around 4,429,817 UWERX tokens, roughly 10 times the original balance, to the pool.
  • The UWERX contract held a private address variable named “uniswapPoolAddress,” which was still set to its initial placeholder value 0x00…1. By sending tokens directly to the actual Uniswap pool, the attacker created an imbalance between the pool’s token balance and its recorded reserves, then called Uniswap’s skim() function (which pays out any balance above the recorded reserves) with 0x00…1 as the recipient.
  • Inside the UWERX contract’s transfer function, the sender’s balance was debited by the transfer amount; if the recipient address matched the uniswapPoolAddress variable (0x01), an additional 1% of the original amount was also burned from the sender.
  • Because skim()’s payout was addressed to 0x01, the pool itself paid the extra 1% burn, an inadvertent deduction that left the pool holding fewer tokens than it accounted for. The attacker capitalized on this imbalance for a gain of 176 ETH (approximately $327,000).
Fig: The root cause of the vulnerability

Mitigation and Best Practices:

  • As a matter of business logic, a smart contract’s “transfer” function must never deduct more tokens from the sender’s account than the specified transfer amount.
  • Validate your code with comprehensive test cases that cover every business-logic path.
  • To prevent such vulnerabilities, have experienced smart contract auditors examine the contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan.
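The Solidity below is an added illustration, not the deployed UWERX code: the first contract reproduces only the accounting pattern described in the root-cause section (sender charged the full amount plus a 1% burn when the recipient is the pool placeholder), and the second shows the form the first mitigation point calls for. Contract names, the `code.length` check and the minimal balance bookkeeping are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal token models written for this write-up; neither is the deployed UWERX code.
// The first reproduces only the accounting pattern described above: when `to` equals
// `uniswapPoolAddress`, the sender is charged the full `amount` PLUS a 1% burn.
contract TaxedTokenVulnerable {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    // Placeholder that was never replaced with the real pool, as the analysis describes.
    address private uniswapPoolAddress = address(1);

    constructor(uint256 supply) { balanceOf[msg.sender] = supply; totalSupply = supply; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;    // sender debited the full amount
        balanceOf[to] += amount;            // recipient credited the full amount
        if (to == uniswapPoolAddress) {
            uint256 burn = amount / 100;    // extra 1% taken from the sender on top
            balanceOf[msg.sender] -= burn;  // BUG: sender now loses amount + 1%
            totalSupply -= burn;
        }
        return true;
    }
}

// Hardened version: the 1% is carved out of `amount`, so the sender loses exactly
// `amount` and recipient credit + burn == amount. The pool must be set explicitly.
contract TaxedTokenFixed {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    address public immutable uniswapPoolAddress;

    constructor(uint256 supply, address pool) {
        require(pool.code.length > 0, "pool must be a deployed contract"); // rejects 0x..01
        uniswapPoolAddress = pool;
        balanceOf[msg.sender] = supply;
        totalSupply = supply;
    }
    function transfer(address to, uint256 amount) external returns (bool) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 burn = to == uniswapPoolAddress ? amount / 100 : 0;
        balanceOf[msg.sender] -= amount;    // invariant: debit == amount, never more
        balanceOf[to] += amount - burn;     // recipient receives the net amount
        totalSupply -= burn;                // only the tax slice leaves supply
        return true;
    }
}
```

A unit test for either contract should assert, for every branch, that the sender's balance drops by exactly `amount` and that `balanceOf[to]` plus `totalSupply` change by the same total; the vulnerable contract fails that check on the pool branch.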

Conclusion:

SolidityScan is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Sign up for a free trial at https://solidityscan.com/signup.
