Analysis of the Flash Loan Attack, a hack on the Ocean Life token

Harbor
Coinmonks
3 min read · Apr 27, 2023

It was discovered that the BSC Ocean Life token had been compromised on April 19th, 2023. The attacker lowered the total token supply and manipulated the price using an inefficient mechanism, earning 32 WBNB.

Smart Contract Hack Overview:

Smart Contract Security Flaws Decoded

The attacker obtained 969 WBNB via a flash loan from DPPOracle and then swapped it for OLIFE on the PancakeSwap exchange.

The transfer function internally invoked the ‘_reflectFee’ function, which reduced the overall value of _tTotal.

After this accumulation caused the balance computed by balanceOf() to be significantly larger, the hacker took WBNB out of the pool via a direct call to swap.

The hacker repaid the 969 WBNB flash loan and sent the 32 WBNB gain to another address.
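The pool-side condition in the third step, where balanceOf() reports more tokens for the pair than its cached reserve, is something a monitor can watch for. The following Python sketch is an added example, not code from the original post or the Ocean Life project: it flags that drift over constructed snapshots and estimates the WBNB a swap() would release for the surplus. It assumes the standard constant-product formula with a 0.25% fee; `PairSnapshot`, `scan` and all numbers are hypothetical.

```python
# Added illustration; every reserve and balance below is a constructed number.
from dataclasses import dataclass

FEE_BPS = 25  # assumption: 0.25% swap fee on the pair

@dataclass
class PairSnapshot:          # hypothetical record a monitor would build per block
    block: int
    reserve_token: int       # token reserve cached by the pair at its last sync
    reserve_wbnb: int        # WBNB reserve cached by the pair at its last sync
    balance_token: int       # token.balanceOf(pair) read at this block

def surplus(p: PairSnapshot) -> int:
    """Tokens balanceOf() reports for the pair beyond its cached reserve."""
    return max(p.balance_token - p.reserve_token, 0)

def wbnb_at_risk(p: PairSnapshot) -> int:
    """WBNB a swap() would release if the surplus were counted as input
    (constant-product formula, fee taken from the input side)."""
    in_after_fee = surplus(p) * (10_000 - FEE_BPS)
    return in_after_fee * p.reserve_wbnb // (p.reserve_token * 10_000 + in_after_fee)

def scan(snapshots, threshold_bps: int = 100):
    """Return (block, surplus, wbnb_at_risk) for snapshots whose surplus
    exceeds threshold_bps of the cached token reserve."""
    alerts = []
    for p in snapshots:
        if surplus(p) * 10_000 > p.reserve_token * threshold_bps:
            alerts.append((p.block, surplus(p), wbnb_at_risk(p)))
    return alerts

# Constructed sample: reserves stay cached while balanceOf(pair) grows.
SNAPSHOTS = [
    PairSnapshot(100, 1_000_000, 1_000, 1_000_000),
    PairSnapshot(101, 1_000_000, 1_000, 1_005_000),   # 0.5% drift, below threshold
    PairSnapshot(102, 1_000_000, 1_000, 1_500_000),   # 50% drift
]

if __name__ == "__main__":
    for block, extra, risk in scan(SNAPSHOTS):
        print(f"block {block}: surplus={extra} tokens, ~{risk} WBNB exposed")
```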

Best practices and methods for reducing the impact:

Always make sure that internal state changes (such as updating balances or using internal functions) come before invoking external code.

Price manipulation attempts can be lessened more effectively with the help of oracles like Chainlink and input validation on certain feed parameters to avoid stale data.

Flash attacks affect security tremendously

What we’ve come to believe is that what flash loans truly enable are flash attacks, which are highly resource-intensive but are financed by flash loans. The recent bZx hacks gave us our first taste of this, but we expect it to be just the beginning.

Flash loans are extremely appealing to attackers for two key reasons.

Many attacks (like oracle manipulation attacks) demand a substantial upfront investment. You’re probably not engaging in arbitrage and are instead engaging in some nonsense if you’re making a profit on $10 million worth of ETH.

The taint for attackers is reduced by flash loans. Even though I already possess that much ether, I would not want to take a chance with my own money if I have a plan to trick an oracle with $10 million in ether. It will be difficult to launder, my ETH will become tainted, and exchanges might refuse my deposits. This is dangerous! But who cares if I take out a $10 million flash loan? The future is bright. Because that is where my loan originated, it is not as though the collateral pool of dYdX will be deemed tainted; rather, the taint on dYdX just sort of dissipates.

Closing Notes

You might not appreciate the fact that the current blockchain security concept includes exchange blacklisting. It’s quite centralised and compact. But it’s a crucial reality that shapes the decision-making process behind these strikes.

Attackers can now succeed without putting any money on the line thanks to flash loans. A potential attacker’s risks are significantly altered by flash loans.

Harbor

A testing infrastructure company that provides production ready staging environments for web3.0 companies.