Hackers exploited a reentrancy vulnerability to attack Paraluni and made more than $1.7 million, about 1/3 of which has gone to Tornado Cash
At 8:04 (HKT), Paraluni, a metaverse finance project on the BSC chain, was hacked, and the attacker made more than $1.7 million in profit.
1: The attacker's initial funds came from flash loans taken on PancakeSwap.
2: The problem lies in the depositByAddLiquidity method of the project's MasterChef contract. This method does not check whether the token array parameter (address memory _tokens) matches the LP token that the pid parameter points to, and it does not hold a reentrancy lock while the LP amount is being changed.
At present, the balance of the hacker's address "0x94bc" on the BSC chain is 3000.01 BNB (about 1.1258 million US dollars); a further 235.45 ETH (about 608,600 US dollars) was bridged cross-chain through cBridge to the address "0x94bc" on the ETH network. About 1/3 of the stolen funds (230 ETH) have flowed into Tornado Cash. Zero-hour intelligence reminds everyone that any contract method that changes a balance or amount must be guarded against reentrancy, preferably by using a reentrancy-lock modifier.
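The two missing checks described above, written out as a hardened deposit function. This is an added illustration, not Paraluni's code or an audit of it: the contract name HardenedMasterChef, the pool and user structs, and the ERC-20, pair and router interfaces are assumed, modelled on a Uniswap-V2-style LP token whose pair contract exposes token0() and token1().

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interfaces (not Paraluni's code): an ERC-20 token,
// a Uniswap-V2-style pair (which is also the LP token), and its router.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPair {
    function token0() external view returns (address);
    function token1() external view returns (address);
}

interface IRouter {
    function addLiquidity(
        address tokenA, address tokenB,
        uint256 amountADesired, uint256 amountBDesired,
        uint256 amountAMin, uint256 amountBMin,
        address to, uint256 deadline
    ) external returns (uint256 amountA, uint256 amountB, uint256 liquidity);
}

// Hypothetical hardened staking contract. Pool and user bookkeeping are
// reduced to the fields this example needs.
contract HardenedMasterChef {
    struct PoolInfo { IERC20 lpToken; }
    struct UserInfo { uint256 amount; }

    IRouter public immutable router;
    PoolInfo[] public poolInfo;
    mapping(uint256 => mapping(address => UserInfo)) public userInfo;

    // Reentrancy lock. While a guarded function is executing, any nested call
    // into a guarded function (for example from a token transfer hook) reverts.
    uint256 private _status = 1;
    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IRouter _router) {
        router = _router;
    }

    function addPool(IERC20 _lpToken) external {
        // Access control omitted for brevity; a real contract restricts this to the owner.
        poolInfo.push(PoolInfo({lpToken: _lpToken}));
    }

    // Deposit by first adding liquidity. Both checks the report says were
    // missing are present: (1) _tokens must be the pair behind the pool's LP
    // token, and (2) the entire balance-changing path runs under the lock.
    // Credit is also measured as LP actually received, not as caller input.
    function depositByAddLiquidity(
        uint256 _pid,
        address[2] memory _tokens,
        uint256[2] memory _amounts
    ) external nonReentrant {
        IERC20 lp = poolInfo[_pid].lpToken;

        // Check 1: caller-supplied tokens must be the pool's LP pair (either order).
        address t0 = IPair(address(lp)).token0();
        address t1 = IPair(address(lp)).token1();
        bool matches = (_tokens[0] == t0 && _tokens[1] == t1) ||
                       (_tokens[0] == t1 && _tokens[1] == t0);
        require(matches, "tokens do not match pool LP");

        // Pull the underlying tokens from the caller and approve the router.
        for (uint256 i = 0; i < 2; i++) {
            require(IERC20(_tokens[i]).transferFrom(msg.sender, address(this), _amounts[i]), "transferFrom failed");
            require(IERC20(_tokens[i]).approve(address(router), _amounts[i]), "approve failed");
        }

        // Check 2 (with the lock above): measure the LP balance before and
        // after, so the user is credited only with LP this call actually
        // minted, and no nested call can alter the accounting in between.
        uint256 before = lp.balanceOf(address(this));
        router.addLiquidity(_tokens[0], _tokens[1], _amounts[0], _amounts[1], 0, 0, address(this), block.timestamp);
        uint256 received = lp.balanceOf(address(this)) - before;
        require(received > 0, "no liquidity minted");

        userInfo[_pid][msg.sender].amount += received;
    }
}
```

The lock alone stops a nested call into the contract from the middle of addLiquidity; the token check alone stops a caller from being credited in one pool for liquidity built from unrelated tokens. Both are needed, and a withdraw path in the same contract should carry the same nonReentrant modifier so the lock covers every function that moves LP. The zero minimum amounts passed to addLiquidity give no slippage protection and are a simplification for the example, and tokens that do not return a bool from transferFrom (some widely used ones do not) need a SafeERC20-style wrapper rather than the bare require shown here.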