UPS Token Hack Analysis




On April 9, 2024, UPS Token suffered an attack due to a business logic issue, leading to an approximate loss of over 28K USD.

Smart Contract Hack Overview:

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

  1. The UPS token has been exploited due to a flawed transfer implementation.
  2. When transferring tokens to a PancakeSwap pair, the transfer function burns tokens at the pair and calls the “sync” function.
  3. Exploiting this flaw, a hacker managed to reduce the UPS reserve in the PancakeSwap pair.
  4. The hacker repeatedly transferred tokens to the pair and called the “skim” function, resulting in a significant reduction of the UPS reserve.
  5. With the UPS reserve diminished, the hacker was able to drain BUSD from the pair using only a few UPS tokens.
Fig: The root cause of the vulnerability

Mitigation and Best Practices:

  • Implement a modification to the transfer function of the UPS token contract to prevent token burns and sync function calls when transferring to PancakeSwap pairs.
  • Always validate your code by writing comprehensive test cases that cover all the possible business logic.
  • To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at CredShields provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at
  • Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at SolidityScan
Fig: SolidityScan — Smart Contract Vulnerability Scanner


SolidityScan is an advanced smart contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts. Signup for a free trial at

Follow us on our Social Media for Web3 security-related updates.
SolidityScan — LinkedIn | Twitter | Telegram | Discord