The Analysis of FEGtoken Security Incident: Devil’s in the Details

0x1 Vulnerability Analysis: At First Glance

The vulnerable FEGexPRO contract is deployed on both ETH and BSC, and the vulnerable function of the contract is swapToSwap, as follows:

0x2 Attack Analysis

0x2.1 Preliminary Attack Analysis

We take one attack transaction on BSC as an example to illustrate the attack procedure, and the corresponding attack trace which targets the asset fBNB is briefly summarized as follows:

  • Step 1: preparing funds and fake paths. The attacker borrows the flashloan about 915 BNB from DVM and swaps part of them into 116 fBNB. The attacker then creates a bunch of contracts which will be used as fake paths.
  • Step 2: depositing the initial fund. By depositing 115 fBNB into FEGexPRO contract, the attacker increases his balances2 in the victim contract.
  • Step 3: performing the arbitrary approval. The attacker then invokes the swapToSwap function and passes a fake path as the first parameter, which leads to the FEGexPRO contract approving the path to spend 114 fBNB.
  • Step 4: making another approval by invoking the depositInternal function and the swapToSwap function. The FEGexPRO contract approves another path to spend 114 fBNB.

0x2.2 Advanced Attack Analysis

To answer the question, we shall go back to the swapToSwap function. After carefully examining the code, we found that the trick played here is not only a fake path but also a fake swap, which leads to an inconsistency between the actual value and the recorded one of the victim contract's balance. As a result, the inconsistency can be used to repeatedly make the approval by invoking the depositInternal function to restore the deposit amount of the attacker.

0x3 The Root Cause

Here we summarize the root cause of this attack:

  • First, the arbitrary approval caused by the unverified parameter in the swapToSwap function.
  • Second, the inconsistency between the actual value and the recorded one of the victim contract’s balance due to the fake swap in the swapToSwap function. This is used to repeatedly make the approvals by restoring the deposit amount of the attacker.

0x4 Other Related Attacks

As of this writing, we also observed more related attacks launched by another attacker.

About BlockSec

The BlockSec Team focuses on the security of the blockchain ecosystem, and collaborates with leading DeFi projects to secure their products. The team is founded by top-notch security researchers and experienced experts from both academia and industry. They have published multiple blockchain security papers in prestigious conferences, reported several zero-day attacks of DeFi applications, and released detailed analysis reports of high-impact security incidents.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
BlockSec

BlockSec

1K Followers

The BlockSec Team focuses on the security of the blockchain ecosystem and the research of crypto hack monitoring and blocking, smart contract auditing.