Analysis of Attack on LibertiVault Contract on Polygon Chain

Jinse Finance (金色财经)

According to Beosin EagleEye, the security risk monitoring, early-warning and blocking platform of the blockchain security audit company Beosin, **the LibertiVault contract on the Polygon chain was attacked, losing about 123 ETH and 56,234 USDT worth about US$290,000; on the Ethereum chain, 35 ETH and 96,223 USDT worth about US$160,000 were lost, for a total of more than US$450,000.** Technical staff analyzed the incident and found that the attack was caused by a reentrancy vulnerability in the LibertiVault contract.

  1. The attacker borrowed 5 million USDT through a flash loan and called the deposit function of the LibertiVault contract to stake it. The deposit logic uses part of the deposited tokens for a swap and then calculates the amount of tokens to mint. That amount is based on the ratio of the deposited token amount to the contract's balance before the deposit.

  2. The swap operation calls the hacker's contract. At this point the hacker re-enters deposit for the first time, then re-enters the function a second time, depositing 2.5 million USDT into the contract.

  3. After the second re-entry, the contract mints tokens for the hacker according to the ratio of 2.5 million USDT to the contract's previous USDT balance. After the first re-entered deposit call completes, the hacker deposits another 2.5 million USDT into it.

  4. At this point the swap in the outer deposit function completes, and the contract mints tokens according to the ratio of 2.5 million USDT to the contract's USDT balance.

  5. The problem lies in step 4. Logically, the second calculation should use the previous balance plus the 2.5 million deposited the first time as the contract balance. Because of the re-entry, however, the contract balance had already been read at the very beginning, so the parameter did not change and the original balance was still used in the calculation, minting a large number of voucher tokens for the hacker.

  6. Finally, the hacker withdrew the tokens and repaid the flash loan, keeping the profit.
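
The stale-balance accounting from step 5, as an added Python model rather than LibertiVault's own code: it compares two deposits made one after the other with the same two deposits nested inside the swap callback, then shows a reentrancy lock rejecting the nested call. The class, function names and figures are constructed, the model uses a single level of re-entry, and it assumes the share supply is read at mint time while the balance is the snapshot taken before the swap.

```python
class ReentrancyError(Exception):
    """Raised when deposit() is entered while a deposit is already running."""


class Vault:
    """Toy share-minting vault; all names and numbers are constructed."""

    def __init__(self, balance, shares, guarded=False):
        self.balance = balance    # deposit-token balance held by the vault
        self.shares = shares      # total supply of share tokens
        self.guarded = guarded    # True models a nonReentrant-style lock
        self._locked = False

    def deposit(self, amount, on_swap=None):
        if self.guarded and self._locked:
            raise ReentrancyError("deposit re-entered during swap")
        self._locked = True
        try:
            balance_before = self.balance   # snapshot taken before the external call
            if on_swap is not None:
                on_swap(self)               # swap hands control to untrusted code
            # Assumption: supply is read at mint time, balance is the snapshot.
            minted = amount * self.shares // balance_before
            self.balance += amount
            self.shares += minted
            return minted
        finally:
            self._locked = False


def sequential(vault, amount):
    """Two deposits, one after the other: the fair baseline."""
    return vault.deposit(amount) + vault.deposit(amount)


def nested(vault, amount):
    """The same two deposits, with the second running inside the first one's swap."""
    inner = []
    outer = vault.deposit(amount, on_swap=lambda v: inner.append(v.deposit(amount)))
    return outer + inner[0]


if __name__ == "__main__":
    print("sequential:", sequential(Vault(1_000_000, 1_000_000), 2_500_000))
    print("nested    :", nested(Vault(1_000_000, 1_000_000), 2_500_000))
    try:
        nested(Vault(1_000_000, 1_000_000, guarded=True), 2_500_000)
    except ReentrancyError as exc:
        print("guarded   :", exc)
```

In the nested run the outer call divides by the balance it read before the swap while the share supply has already grown, which is why the same total deposit mints more shares than the sequential baseline.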
