Fairyproof’s Analysis of the Attack on eCurve

Fairyproof Tech
Dec 9, 2021


On December 8, 2021, eCurve, a DAPP deployed on EOS, was attacked.

The attacked contract’s address was:

ecurve3pool1.

The hash value of the attack transaction was:

a7392b4e2b3ebc68345c91f538114eeb51cea48584783f2b162b7d4e94f725df

The attacker’s account was:

Itsspiderman

The attacking contract was deployed on the following account:

itsspiderma1

Fairyproof’s security team analyzed the hash value of the attack transaction and summarized the whole process:

The attacker deposited 3.66853 USDCs, 3.669928 DAIs, and 55.1576 USDTs to ecurve3pool1 and obtained 62.103274 TRIPOOL tokens. The attacker converted 46.205931 TRIPOOL tokens to 248 DAIs and 248 USDCs. The attacker exploited bugs in the implementation of staking and withdrawal.

The attacker repeatedly staked and withdrew USDCs and DAIs and eventually staked 900,000 DAIs and 900,000 USDCs.

The attacker withdrew 900,000 DAIs and 900,000 USDCs, obtained 28.22 million TRIPOOL tokens and cashed out the TRIPOOL tokens as follows:

The attacker cashed out 14.72 million TRIPOOL tokens for 20,000 USDCs, 1.05 million DAIs and 1.85 million USDTs.

The attacker converted 1.50 million TRIPOOL tokens to 134,000 USNs in eCurve’s USN pool.

The attacker staked 12 million TRIPOOL tokens to the Pizza application as collateral and borrowed the following assets:

330,000 EOSs

130,000 DFSs

3,933 BOXs

1,655 YFCs

35,900 TAGs

660,000 USDTs

78.81 million TPTs

454,000 KEYs

10.55 million DAPPs

3.5679 PBTCs

4.61 million CHEXs

1.24 million OGXs

39.629223 ETHs

0.4584 USNs

1.99 million USDCs

8.79 million IQs

1.374 BTCs

2.07 million USDBs

520,000 OUSDs

2,346 BOXAIs

0.6914 PETHs

The total exploited assets were valued at around 10 million USDs. At the time of this writing, the eCurve contract has been upgraded.

It is worth noting that the attacker’s account was created by “accountcreate” and the transaction fee that was used to launch this attack came from “vuniyuoxoeub”.
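A monitoring check built from the figures above, as an added example that is not part of Fairyproof's analysis or eCurve's code: it computes the stablecoin value per TRIPOOL token implied by each step and flags steps that drift from the rate of the first deposit. It assumes TRIPOOL should track the pooled stablecoins at a roughly constant rate and treats the 1.8 million stablecoins and 28.22 million TRIPOOL of the third step as two sides of one operation; the function names and the 5% threshold are hypothetical.

```python
import math

# Constructed from the amounts quoted in the article (whole tokens).
# Each event: (label, stablecoins moved, TRIPOOL moved). Direction is ignored:
# only the stablecoin value implied for one TRIPOOL token matters here.
EVENTS = [
    ("initial deposit", 3.66853 + 3.669928 + 55.1576, 62.103274),
    ("first conversion to DAI/USDC", 248 + 248, 46.205931),
    # Assumption: both figures of this step belong to one operation.
    ("900,000 DAI + 900,000 USDC step", 900_000 + 900_000, 28_220_000),
    ("cash-out to USDC/DAI/USDT", 20_000 + 1_050_000 + 1_850_000, 14_720_000),
]


def implied_price(stable, lp):
    """Stablecoin units exchanged per TRIPOOL token in one operation."""
    if stable <= 0 or lp <= 0:
        raise ValueError("amounts must be positive")
    return stable / lp


def flag_anomalies(events, max_factor=1.05):
    """Return (label, price) for every event after the first whose implied
    price differs from the first event's price by more than max_factor,
    in either direction (hypothetical threshold)."""
    baseline = implied_price(events[0][1], events[0][2])
    limit = math.log(max_factor)
    flagged = []
    for label, stable, lp in events[1:]:
        price = implied_price(stable, lp)
        # Log ratio makes a 10x rise and a 10x drop equally suspicious.
        if abs(math.log(price / baseline)) > limit:
            flagged.append((label, round(price, 4)))
    return flagged


if __name__ == "__main__":
    for label, price in flag_anomalies(EVENTS):
        print(f"ALERT {label}: {price} stablecoins per TRIPOOL")
```

Every step after the initial deposit is flagged: the first deposit implies about 1.006 stablecoins per TRIPOOL, while the later steps imply rates roughly ten times higher or five to sixteen times lower.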
