
Detail Analysis

Key Indicators
Platform: Binance Smart Chain
Type: Project
Category: Metaverse
Method: Contract Vulnerabilities
Extended Method: Reentrancy attack
Data Sources:
Paraluni is a metaverse project.
According to PeckShield, the hack was made possible by a reentrancy bug (introduced by the use of a crafted token contract) in the depositByAddLiquidity() function, which somehow doubles the credits the hacker is able to claim, as can be seen in the image below.
https://pbs.twimg.com/media/FNsTBxoVIAAcr-0?format=jpg&name=large
https://twitter.com/peckshield/status/1502815435498176514?s=20&t=U935aRvh_MjqeyZqMJZqpQ
The depositByAddLiquidity function calls an internal depositByAddLiquidityInternal function that transfers the attacker’s deposit into the appropriate pool. However, the pool ID value (_pid) used to look up the appropriate pool is not validated internally. The attacker takes advantage of this by directing the call to an attacker-controlled contract, whose malicious transferFrom function is then called. That function exploits the reentrancy vulnerability to call the Masterchef deposit function before the internal state is updated.
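A minimal Python model of the accounting failure described above, added here as an illustration and not taken from Paraluni's contract or PeckShield's analysis. The names Pool, CallbackToken and run, the amounts, and the assumption that the outer function credits the caller with the pool's balance change are all constructed; guarded=True adds a reentrancy lock as the hardened variant.

```python
class ReentrancyError(Exception):
    pass

class Pool:
    """Toy deposit ledger: a constructed model, not Paraluni's contract code."""
    def __init__(self, guarded):
        self.guarded = guarded  # True = hardened variant with a reentrancy lock
        self.locked = False
        self.balance = 0        # LP tokens actually held
        self.credits = {}       # account -> LP amount it may withdraw

    def _lock(self):
        if self.guarded and self.locked:
            raise ReentrancyError("reentrant call rejected")
        self.locked = True

    def _credit(self, account, amount):
        self.credits[account] = self.credits.get(account, 0) + amount

    def deposit(self, account, amount):
        self._lock()
        try:
            self.balance += amount
            self._credit(account, amount)
        finally:
            self.locked = False

    def deposit_by_add_liquidity(self, account, token, amount):
        self._lock()
        try:
            before = self.balance
            token.transfer_from(account, self, amount)  # external call into a caller-chosen token
            self.balance += amount  # stand-in for the LP minted by adding liquidity
            self._credit(account, self.balance - before)  # assumed: credit = balance delta
        finally:
            self.locked = False

class CallbackToken:
    """Token whose transfer_from calls back into the pool, as the page describes."""
    def transfer_from(self, sender, pool, amount):
        pool.deposit("token-contract", 100)  # constructed amount

def run(guarded):
    """Return (LP held, total credits) after one deposit made through CallbackToken."""
    pool = Pool(guarded)
    try:
        pool.deposit_by_add_liquidity("caller", CallbackToken(), 1)
    except ReentrancyError:
        pass  # on chain, the whole transaction would revert
    return pool.balance, sum(pool.credits.values())
```

Without the lock, run(False) ends with 201 credits recorded against 101 LP held, so the ledger no longer matches the pool's balance; with the lock, run(True) rejects the nested call and both values stay at 0.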
Approximately 230 ETH has been funneled into Tornado Cash.
DISCLAIMER: While Zero Friction LLC has used its best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to its accuracy or completeness, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.