SolidityScan
HACK ANALYSIS 2 min read

Vista Finance Hack Analysis

Vista Finance Hack Analysis

Overview:

On October 22, 2024, the VISTA Finance contract on Binance Smart Chain (BSC) was exploited due to a flashmint receive error, resulting in an estimated loss of 29K USD.

Smart Contract Hack Overview:

Fig:Attack Transaction

Decoding the Smart Contract Vulnerability:

  • Vista Finance lets users buy ICO tokens with BUSD by giving them staked Vista tokens. Instead of moving the staked tokens to a special contract, it just keeps a record by subtracting the staked tokens from the total amount the user has.
  • The flashLoan function mints tokens at the start and burns them at the end. However, the _burn function directly adjusts the balance in _balances[account], instead of using getFreeBalance, causing incorrect balance calculations.
  • This flaw allowed an attacker to take out a flash loan for 1,000,000 tokens, purchase tokens from the ICO contract with $1,500, and sell them to another address for a profit, bypassing staking restrictions.
  • The attacker was able to sell the staked tokens by using the tokens minted from the flash loan, since the sale process relied on getFreeBalance, which was unaffected by the staked status.
Fig: The root cause of the vulnerability

Mitigation and Best Practices:

  • Ensure proper balance management by using the same method (getFreeBalance) across all functions interacting with token balances, especially in minting and burning operations, to prevent discrepancies with staked tokens.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Our public audit reports can be found on https://github.com/Credshields/audit-reports . Schedule a call at https://credshields.com/
  • Scan your Solidity contracts against the latest common security vulnerabilities with 225+ detections at SolidityScan.
Fig: SolidityScan — Smart Contract Vulnerability Scanner

Conclusion:

SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at https://solidityscan.com/signup

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord

Ramses Exchange Hack Analysis
DeltaPrime Hack Analysis