
Detail Analysis


Date: March 13, 2022
Status: Verified
Count: 1
Contributor: zerofriction.io

Loss Amount: 1,700,000
Recovered Amount: -
Currency: Dollars

KYC By: None
Audit By: None

Website: No data
Twitter:
Discord:
Telegram:
Medium: No data
Github: No data

Key Indicators

Platform: Binance Smart Chain
Type: Project
Category: Metaverse
Method: Contract Vulnerabilities
Extended Method: Reentrancy attack

Data Sources:

Paraluni is a metaverse project.

According to PeckShield, the hack was made possible by a reentrancy bug (introduced through the use of a crafted token contract) in the depositByAddLiquidity() function, which results in the attacker being credited twice for a single deposit, as shown in the image below.

https://pbs.twimg.com/media/FNsTBxoVIAAcr-0?format=jpg&name=large
https://twitter.com/peckshield/status/1502815435498176514?s=20&t=U935aRvh_MjqeyZqMJZqpQ

The depositByAddLiquidity function calls an internal depositByAddLiquidityInternal function that transfers the attacker's deposit into the appropriate pool. However, the pool ID value (_pid) used to look up that pool is not validated internally. The attacker takes advantage of this by pointing the lookup at an attacker-controlled contract, whose malicious transferFrom function is then called. That function exploits the reentrancy vulnerability by calling the Masterchef deposit function before the internal state has been updated, so the deposit is counted twice.
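The following is an added illustrative example and is not Paraluni's code. It contrasts a simplified farm contract with the weaknesses described above (an untrusted pool/token lookup and an external call made before internal accounting is updated) with a hardened version that validates _pid, only ever transfers the pool's registered LP token, guards against reentrancy, and follows checks-effects-interactions. All contract, struct and function names (VulnerableFarm, HardenedFarm, PoolInfo, depositByAddLiquidity, _depositInternal) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only; not Paraluni's code. Names are assumed.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Vulnerable pattern: the caller chooses which token contract is called, the
/// pool id is not checked against that token, and the external call runs
/// before the deposit is recorded. A token contract that re-enters during
/// transferFrom therefore sees stale accounting.
contract VulnerableFarm {
    struct PoolInfo { IERC20 lpToken; uint256 totalDeposited; }
    PoolInfo[] public poolInfo;
    mapping(uint256 => mapping(address => uint256)) public userAmount;

    function depositByAddLiquidity(uint256 _pid, address _token, uint256 _amount) external {
        // No check that _token == poolInfo[_pid].lpToken: the lookup is caller-controlled.
        _depositInternal(_pid, IERC20(_token), _amount);
    }

    function _depositInternal(uint256 _pid, IERC20 token, uint256 _amount) internal {
        // Interaction before effects: control leaves this contract while
        // userAmount/totalDeposited still hold their pre-deposit values.
        token.transferFrom(msg.sender, address(this), _amount);
        userAmount[_pid][msg.sender] += _amount;
        poolInfo[_pid].totalDeposited += _amount;
    }
}

/// Hardened version of the same deposit path.
contract HardenedFarm {
    struct PoolInfo { IERC20 lpToken; uint256 totalDeposited; }
    PoolInfo[] public poolInfo;
    mapping(uint256 => mapping(address => uint256)) public userAmount;

    // Minimal reentrancy guard (same idea as OpenZeppelin's ReentrancyGuard).
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    function addPool(IERC20 lpToken) external {
        // Pool registration would normally be owner-only; omitted for brevity.
        poolInfo.push(PoolInfo({lpToken: lpToken, totalDeposited: 0}));
    }

    function deposit(uint256 _pid, uint256 _amount) external nonReentrant {
        // Checks: the pool must exist; the token is taken from storage, never from the caller.
        require(_pid < poolInfo.length, "invalid pid");
        require(_amount > 0, "zero amount");
        PoolInfo storage pool = poolInfo[_pid];

        // Effects: record the deposit before any external call.
        userAmount[_pid][msg.sender] += _amount;
        pool.totalDeposited += _amount;

        // Interaction: only the registered LP token is called; a failed transfer
        // reverts the whole transaction, so the accounting above is rolled back.
        require(pool.lpToken.transferFrom(msg.sender, address(this), _amount), "transfer failed");
    }
}
```

Two of the three fixes would each have been enough to stop the double credit on their own: refusing to call a caller-supplied token address removes the malicious transferFrom entirely, and the nonReentrant guard rejects the nested deposit even if a re-entrant token slips through; ordering effects before interactions is the defence-in-depth layer. In production code, use a SafeERC20-style wrapper rather than relying on the bool return value, since some widely used tokens do not return one.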

Approximately 230 ETH has been funneled into Tornado Cash.


DISCLAIMER: While Zero Friction LLC has used its best efforts in aggregating and maintaining this database, Zero Friction LLC makes no representations or warranties with respect to its accuracy or completeness, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall Zero Friction LLC be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the dataset or information derived from our database.