Fairyproof’s Analysis of the Attack on eCurve
--
On December 8, 2021, eCurve, a DAPP deployed on EOS, was attacked.
The attacked contract’s address was:
ecurve3pool1
The hash value of the attack transaction was:
a7392b4e2b3ebc68345c91f538114eeb51cea48584783f2b162b7d4e94f725df
The attacker’s account was:
Itsspiderman
The attacking contract was deployed on the following account:
itsspiderma1
Fairyproof’s security team analyzed the attack transaction identified by this hash and summarized the whole process as follows:
The attacker made a deposit of 3.66853 USDCs, 3.669928 DAIs, and 55.1576 USDTs to ecurve3pool1 and obtained 62.103274 TRIPOOL tokens. The attacker converted 46.205931 TRIPOOL tokens to 248 DAIs and 248 USDCs. Bugs that existed in the implementation of staking and withdrawal were exploited by the attacker.
The attacker repeatedly staked and withdrew USDCs and DAIs and eventually staked 900,000 DAIs and 900,000 USDCs.
The attacker withdrew 900,000 DAIs and 900,000 USDCs, obtained 28.22 million TRIPOOL tokens and cashed out the TRIPOOL tokens as follows:
The attacker cashed out 14.72 million TRIPOOL tokens to 20,000 USDCs, 1.05 million DAIs and 1.85 million USDTs.
The attacker converted 1.50 million TRIPOOL tokens to 134,000 USNs in eCurve’s USN pool.
The attacker staked 12 million TRIPOOL tokens to the Pizza application as collateral and borrowed the following assets:
330,000 EOSs
130,000 DFSs
3,933 BOXs
1,655 YFCs
35,900 TAGs
660,000 USDTs
78.81 million TPTs
454,000 KEYs
10.55 million DAPPs
3.5679 PBTCs
4.61 million CHEXs
1.24 million OGXs
39.629223 ETHs
0.4584 USNs
1.99 million USDCs
8.79 million IQs
1.374 BTCs
2.07 million USDBs
520,000 OUSDs
2,346 BOXAIs
0.6914 PETHs
The total exploited assets were valued at around 10 million USDs. At the time of this writing, the eCurve contract has been upgraded.
It is worth noting that the attacker’s account was created by “accountcreate” and the transaction fee that was used to launch this attack came from “vuniyuoxoeub”.
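
A defender-side check built from the amounts quoted above, as an added example that is not Fairyproof's or eCurve's code: it flags pool operations whose stablecoin-per-TRIPOOL price drifts away from a baseline. Assumptions: each stablecoin is valued at 1 USD, the first deposit sets the fair price, the 28.22 million TRIPOOL tokens are treated as issued against the 900,000 DAI and 900,000 USDC position, and the `PoolEvent` type, the function names and the 5% tolerance are hypothetical.

```python
from dataclasses import dataclass
from decimal import Decimal as D


@dataclass
class PoolEvent:
    kind: str   # "mint" (stablecoins in, LP out) or "redeem" (LP in, stablecoins out)
    stable: D   # total stablecoins moved, each assumed to be worth 1 USD
    lp: D       # TRIPOOL tokens issued or burned


def stable_per_lp(ev):
    """Price paid (mint) or received (redeem) per TRIPOOL token."""
    return ev.stable / ev.lp


def flag_anomalies(events, baseline, tolerance=D("0.05")):
    """Return (index, kind, ratio) for events priced in a way that drains the pool."""
    findings = []
    for i, ev in enumerate(events):
        ratio = stable_per_lp(ev)
        # Mint too cheap: more LP tokens issued than the deposit pays for.
        cheap_mint = ev.kind == "mint" and ratio < baseline * (1 - tolerance)
        # Redeem too rich: more stablecoins paid out than the LP tokens are worth.
        rich_redeem = ev.kind == "redeem" and ratio > baseline * (1 + tolerance)
        if cheap_mint or rich_redeem:
            findings.append((i, ev.kind, ratio.quantize(D("0.0001"))))
    return findings


# Constructed events that reuse the amounts quoted in the write-up.
EVENTS = [
    PoolEvent("mint", D("3.66853") + D("3.669928") + D("55.1576"), D("62.103274")),
    PoolEvent("redeem", D("248") + D("248"), D("46.205931")),
    PoolEvent("mint", D("900000") + D("900000"), D("28220000")),
]
BASELINE = stable_per_lp(EVENTS[0])  # assumed fair price, about 1 stablecoin per token


def run():
    return flag_anomalies(EVENTS, BASELINE)


if __name__ == "__main__":
    for index, kind, ratio in run():
        print(f"event {index}: {kind} at {ratio} stablecoins per TRIPOOL")
```

With these inputs the first deposit passes, while the 46.205931 TRIPOOL redemption and the 28.22 million TRIPOOL issuance are both flagged.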