According to Beosin, 2omb’s contract on FTM suffered a flashloan attack that gained the hacker 74246.54966 WFTM. The attack exploits the fact that the swap fee rate in the RedemptionPair contract is 0 and that the controllerFee is collected after the swap is completed. The amountOut of the user's exchange is therefore not affected by the controllerFee, while the reserve in the contract is reduced, which affects the price.
This contract was also audited by Spade Solidity, which was also an auditor in the Unicorn Nodes incident.
Here are the steps according to Beosin:
1. Flashloan 139,504 2omb tokens from Uniswap’s 2omb-WFTM trading pair and send them to the attack contract 0x77a5d0cdd1f4069747d9236b50f09f34b6d5b378.
2. Use the attack contract to split the funds and swap in RedemptionPair (0x5D59cDaB08C8BbE4986173a628f8305D52B1b4AE) multiple times.
3. Since the RedemptionPair contract pays the controllerFee to the controllerFee address only after the swap, the attack contract did not lose any tokens by using 2omb to swap for 2omb (the swap fee is 0). Instead, the price of 2omb in RedemptionPair kept rising.
4. Swap all the profited 2omb for 26,559.086209850721855366 WFTM, of which 23,556 went to repay the flashloan, leaving a net profit of 3,002.210020110719894505 WFTM.
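The fee ordering described above can be checked with a constant-product invariant test. The following is an added example, not code from the 2omb contracts or from Beosin's analysis: it is a simplified model that assumes constant-product pricing, a 1% controller fee and constructed reserve sizes, and all names in it are hypothetical.

```python
from dataclasses import dataclass

CONTROLLER_FEE_BPS = 100  # assumed 1% controller fee; the page does not give the rate


@dataclass
class Pair:
    """Simplified constant-product pair (constructed model, not the RedemptionPair source)."""
    reserve_in: int
    reserve_out: int

    @property
    def k(self) -> int:
        return self.reserve_in * self.reserve_out


def quote(amount_in: int, reserve_in: int, reserve_out: int) -> int:
    # Zero swap fee: out = in * R_out / (R_in + in), rounded down in the pool's favour.
    return amount_in * reserve_out // (reserve_in + amount_in)


def swap_fee_after(pair: Pair, amount_in: int) -> int:
    """Ordering described on the page: amountOut is priced on the full input,
    then the controller fee is paid out of the pair's reserve."""
    out = quote(amount_in, pair.reserve_in, pair.reserve_out)
    fee = amount_in * CONTROLLER_FEE_BPS // 10_000
    pair.reserve_in += amount_in - fee  # reserve shrinks by the fee after pricing
    pair.reserve_out -= out
    return out


def swap_fee_before(pair: Pair, amount_in: int) -> int:
    """Hardened ordering: the fee is deducted from the input before pricing."""
    net = amount_in - amount_in * CONTROLLER_FEE_BPS // 10_000
    out = quote(net, pair.reserve_in, pair.reserve_out)
    pair.reserve_in += net
    pair.reserve_out -= out
    return out


def check(swap, swaps: int = 5, amount_in: int = 100_000):
    """Run repeated swaps and count those that reduce k = reserve_in * reserve_out."""
    pair = Pair(1_000_000, 1_000_000)  # constructed reserves
    k_start, violations = pair.k, 0
    for _ in range(swaps):
        k_before = pair.k
        swap(pair, amount_in)
        if pair.k < k_before:  # the check a pair should enforce after every swap
            violations += 1
    return violations, k_start, pair.k
```

Under these assumptions every swap with the fee taken after pricing lowers k, while the fee-before ordering never does, so a post-swap requirement that k does not decrease rejects the first ordering.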