Decoding DKP Token's Price Manipulation Exploit | QuillAudits

QuillAudits - Web3 Security 🛡️, published in Coinmonks. 4 min read. Mar 21, 2023

Summary:

On the 8th of February, the DKP token on the BNB chain was attacked. The attacker manipulated the price of the DKP token using the flash loan technique and sold it for a total profit of $80K.

On-Chain Details:

Attacker’s Address: 0xF38B677fa6E9E51338D0c32FD21afe43406E06Df
Attacker’s Contract: 0xf34ad6cea329f62f4516ffe00317ab09d934fba3
DKP Token: 0xd06fa1ba7c80f8e113c2dc669a23a9524775cf19
DKP Pancake Pair: 0xBE654FA75bAD4Fd82D3611391fDa6628bB000CC7

Attack Transactions:
1. 0x0c850f54c1b497c077109b3d2ef13c042bb70f7f697201bcf2a4d0cb95e7427
2. 0x2d31e45dce58572a99c51357164dc5283ff0c02d609250df1e6f4248bd62ee01

Vulnerability Analysis & Impact:

The Root Cause:

The contract was not verified, so we decompiled it and found that the vulnerability was in the exchange() function, which is used to swap USDT for DKP tokens. The price oracle relies on the balance ratio of the two tokens in the USDT-DKP pair, which makes it vulnerable to flash loan attacks that let the attacker manipulate the pool.

Attack Process:

The attacker completes the attack in two transactions:

1st Transaction:

1. The attacker borrowed 259,390 BSC-USD tokens and transferred them to his contract (0xf34ad6). He then called the pancakecall() function in his contract and manipulated the price of the token.

2. The attacker called the exchange function to swap a small amount of BSC-USD (100 BSC-USD) for 17,029 DKP tokens. The attacker then transferred the 17,029 DKP from 0xb24fc2 to this contract (0xf34ad6).

2nd Transaction:

The attacker called the swapExactTokensForTokensSupportingFeeOnTransferTokens function and swapped the DKP tokens back for USDT, netting them a profit of approximately $79,233 USDT.

After the Exploit:

The attacker transferred approximately 276.3 BNB tokens ($79.2K) to Tornado Cash and currently has around $45 worth of assets left in their wallet.

Price Impact:

The price of the DKP token dropped from $7 to $3.7 immediately following the attack. After some time, the token's price began to rise again. At the time of writing, it is trading at $6.5.

How could they have prevented the exploit?

The majority of on-chain DEXes offer manipulation-resistant APIs for price queries to prevent price oracle tampering. The most viable method nowadays is time-weighted average pricing (TWAP).

This pricing algorithm determines the average price of an asset over a certain time period. It offers strong resilience against flash loan attacks.
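To show why a balance-ratio oracle fails where a TWAP holds, here is an added Python simulation; it is not code from the DKP contract or from QuillAudits. The Pair class, the pool balances and the 5% deviation threshold are constructed assumptions, and the accumulator only mirrors the general Uniswap-V2-style cumulative-price design.

```python
class Pair:
    """Toy pair with a Uniswap-V2-style cumulative price accumulator."""

    def __init__(self, usdt, dkp, ts):
        self.usdt, self.dkp, self.ts = usdt, dkp, ts
        self.cumulative = 0.0  # sum of price * seconds that price was in effect

    def spot_price(self):
        # What a balance-ratio oracle reads: USDT per DKP at this instant.
        return self.usdt / self.dkp

    def set_balances(self, usdt, dkp, ts):
        # Credit the old price for the time it was in effect, then move balances.
        self.cumulative += self.spot_price() * (ts - self.ts)
        self.usdt, self.dkp, self.ts = usdt, dkp, ts

    def cumulative_at(self, ts):
        # Accumulator as of ts, counting the current price for the elapsed time.
        return self.cumulative + self.spot_price() * (ts - self.ts)


def twap(pair, snapshot, now):
    """Average price since snapshot, a (timestamp, cumulative) tuple."""
    then, cum_then = snapshot
    if now <= then:
        raise ValueError("TWAP window must span a positive amount of time")
    return (pair.cumulative_at(now) - cum_then) / (now - then)


def safe_quote(pair, snapshot, now, usdt_in, max_deviation=0.05):
    """DKP out for usdt_in at the TWAP; refuse if spot has drifted from it."""
    avg = twap(pair, snapshot, now)
    if abs(pair.spot_price() - avg) / avg > max_deviation:
        raise RuntimeError("spot price deviates from TWAP, refusing to quote")
    return usdt_in / avg


def demo():
    pair = Pair(usdt=350_000.0, dkp=50_000.0, ts=0)  # constructed: 7 USDT per DKP
    snapshot = (0, pair.cumulative_at(0))
    honest = safe_quote(pair, snapshot, now=1800, usdt_in=100.0)
    # Within one block at t=1800 most of the USDT leaves the pair (flash loan).
    pair.set_balances(usdt=3_500.0, dkp=50_000.0, ts=1800)
    naive = 100.0 / pair.spot_price()     # balance-ratio quote, inflated 100x
    avg = twap(pair, snapshot, now=1800)  # still 7.0: new ratio held for 0 s
    return honest, naive, avg


if __name__ == "__main__":
    print(demo())
```

The distorted ratio is in effect for zero seconds, so it adds nothing to the accumulator and the TWAP stays at 7, while the instantaneous ratio would hand out about 100 times as many DKP for the same 100 USDT.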

Reproducing the hack:

We will be using the Foundry framework for the PoC.

Running Locally:

Add the BNB Chain RPC URL to the foundry.toml file and run the test using the command forge test -vvv.
