MetaTrust: Earning.Farm was attacked due to a logical issue in the "withdraw" function of the contract.
According to the MetaTrust Alert tweet, the project Earning.Farm deployed on Ethereum has been attacked. As of now, the loss from the attack amounts to approximately 288 $ETH, worth $536,000. All tokens have been moved to a new wallet (0xee4b3d).
The root cause is a logic issue in the "withdraw" function of the "EFVault" contract: the function burns only the user's "ENF_ETHLEV" balance when that balance is less than the expected amount.
Attack Steps
1/ The attacker obtained 10,000 ETH from flash loans, deposited 80 ETH into the "ENF_ETHLEV" contract, and received 295e18 shares.
2/ The attacker extracted 295e18 shares from the "ENF_ETHLEV" contract by calling the "withdraw" function. Then, the "withdraw" function triggered the "withdraw" function of the external contract "controller," invoking the fallback function of the attacker's contract.
3/ In the fallback function, the attacker transferred (295e18 - 1000) "ENF_ETHLEV" tokens to a new wallet, 0xfd29f2. As a result, the attacker only burned 1000 "ENF_ETHLEV" tokens.
4/ The attacker converted the "ENF_ETHLEV" tokens in wallet 0xfd29f2 into ETH, repaid the flash loan, and made a profit.
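The share accounting in steps 2 and 3, as an added Python model that is not the EFVault source: it contrasts a burn capped at the caller's remaining balance after the external call with a burn applied before the call. The class, function and wallet names are hypothetical, and burn-before-call is shown as one possible hardening, not the project's actual fix.

```python
SHARES = 295 * 10**18   # share amount from step 1
KEPT = 1000             # shares left in the caller's balance in step 3

class VaultModel:
    """Constructed model of share accounting only; not the EFVault source."""

    def __init__(self, burn_before_call):
        self.burn_before_call = burn_before_call
        self.balances = {}
        self.redeemed = 0   # shares whose underlying assets were paid out

    def mint(self, user, shares):
        self.balances[user] = self.balances.get(user, 0) + shares

    def transfer(self, src, dst, shares):
        if self.balances.get(src, 0) < shares:
            raise ValueError("insufficient shares")
        self.balances[src] -= shares
        self.mint(dst, shares)

    def withdraw(self, user, shares, on_receive):
        if self.balances.get(user, 0) < shares:
            raise ValueError("insufficient shares")
        if self.burn_before_call:
            self.balances[user] -= shares      # effect first
            on_receive(self, user)             # then the external call
        else:
            on_receive(self, user)             # external call runs receiver code
            # Flaw from the write-up: burn is capped at the balance left now.
            self.balances[user] -= min(shares, self.balances[user])
        self.redeemed += shares                # assets paid for the full amount

def receiver_hook(vault, user):
    """Receiver code run during the payout: moves shares to a second wallet."""
    movable = vault.balances[user] - KEPT
    if movable > 0:
        vault.transfer(user, "second_wallet", movable)

def simulate(burn_before_call):
    vault = VaultModel(burn_before_call)
    vault.mint("caller", SHARES)
    vault.withdraw("caller", SHARES, receiver_hook)
    outstanding = sum(vault.balances.values())
    # Invariant: every redeemed share must be gone from circulation.
    return outstanding, SHARES - outstanding == vault.redeemed

if __name__ == "__main__":
    print("burn after call :", simulate(False))
    print("burn before call:", simulate(True))
```

The invariant checked in `simulate` (redeemed shares equal shares removed from circulation) is the kind of property a fuzz or invariant test over "withdraw" with a callback-capable receiver would assert.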

One of the attack transactions: https://etherscan.io/tx/0x878d8986ed05ab32cc01e05663d27ea471576d2baff1081b15ed5fb550f9d81b
Reference tweet: https://twitter.com/MetaTrustAlert/status/1689196222048030721?s=20


