How Was NeverFall Project Exploited?
Learn how the NeverFall project was exploited, which resulted in a loss of $74,250.
TL;DR
On May 2, 2023, the NeverFall project on the BNB chain was exploited due to price manipulation, resulting in a loss of approximately $74,250.
Vulnerability Assessment
The root cause of the vulnerability is a flawed calculation in the `sell` function that relies on the spot balance of the corresponding PancakeSwap pair, a value that can be moved within a single transaction.
Steps
Step 1:
We attempted to analyze the attack transaction executed by the exploiter.
Step 2:
In the `sell` function of their contract, the amount of liquidity to be removed is calculated from the pair's current balance of NeverFall tokens (`balanceNF`), so a large swap that drains tokens from the pair inflates the liquidity burned for a given `amount`.
```solidity
function sell(uint256 amount) public returns(uint256){
    // pull the user's NeverFall tokens into the contract
    super._transfer(msg.sender, address(this), amount);
    // remove liquidity from the pool and refund the user in USDT (U)
    // flawed: the LP share is derived from the pair's current NF balance, which a swap can move
    uint256 balanceNF = this.balanceOf(uniswapV2Pair);
    uint256 pairTotalSupply = IERC20(uniswapV2Pair).totalSupply();
    uint256 needLiquidity = amount * pairTotalSupply / balanceNF;
    uint256 beforeU = IERC20(usdtAddress).balanceOf(address(this));
    removeLiquidity(needLiquidity,amount * 90 / 100,0);
    uint256 afterU = IERC20(usdtAddress).balanceOf(address(this));
    uint256 outU = afterU - beforeU;
    IERC20(usdtAddress).safeTransfer(msg.sender, outU * sellFee / 100);
    // marketing fee
    IERC20(usdtAddress).safeTransfer(marketingAddress,outU * sellMarketingFee / 100);
    emit SellNF(msg.sender,amount,outU);
    return outU * sellFee / 100;
}
```
Step 3:
The exploiter was able to trick the contract into burning a huge amount of liquidity using a flash loan and performing a large swap on the pair.
Step 4:
The attacker took a flash loan of 1.6 million $BUSD and used 200,000 $BUSD to buy approximately 75.47 million $NeverFall tokens via the `buy` function of the NeverFall contract.
Step 5:
The `buy` function added liquidity to the pool using 90% of the $BUSD deposited by the user together with $NeverFall tokens. The remaining 1.4 million $BUSD was then swapped for $NeverFall in the BUSD-NeverFall pool, which drained $NeverFall from the pair, and the held $NeverFall tokens were sold using the `sell` function.
Step 6:
The attacker repaid the flash loan, after which the profit of approximately 74,250 $BUSD was swapped for BNB and then laundered to Tornado Cash.
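To make the root cause concrete, here is a toy model of the `needLiquidity` formula from the `sell` function, added as an example (it is not the NeverFall contract's code). It assumes a fee-less constant-product pair with constructed reserves, and a hypothetical `reference_nf` value (for example a time-weighted average) standing in for a price source that does not depend on the pair's spot balance; it shows how much more BUSD the same sale withdraws once the pair's NeverFall balance has been pushed down by a large swap.

```python
from dataclasses import dataclass


@dataclass
class Pair:
    """Minimal PancakeSwap-style pair (x*y=k, no fee) with LP token accounting."""
    reserve_nf: int     # NeverFall tokens held by the pair (balanceNF in the contract)
    reserve_usd: int    # BUSD held by the pair
    total_supply: int   # LP tokens in circulation (pairTotalSupply)

    def swap_usd_for_nf(self, usd_in: int) -> int:
        """Swap BUSD into the pair; NF leaves the pair, so balanceNF drops."""
        k = self.reserve_nf * self.reserve_usd
        new_usd = self.reserve_usd + usd_in
        nf_out = self.reserve_nf - k // new_usd
        self.reserve_usd, self.reserve_nf = new_usd, self.reserve_nf - nf_out
        return nf_out

    def burn(self, liquidity: int) -> tuple:
        """removeLiquidity: burn LP tokens and withdraw both assets pro rata."""
        nf = liquidity * self.reserve_nf // self.total_supply
        usd = liquidity * self.reserve_usd // self.total_supply
        self.reserve_nf -= nf
        self.reserve_usd -= usd
        self.total_supply -= liquidity
        return nf, usd


def need_liquidity(amount: int, pair: Pair) -> int:
    """The page's formula: amount * pairTotalSupply / balanceNF, using the spot balance."""
    return amount * pair.total_supply // pair.reserve_nf


def usd_received(amount: int, pair: Pair, sell_fee: int = 90) -> int:
    """BUSD paid to the seller for `amount` NF along the flawed path (outU * sellFee / 100)."""
    _, usd = pair.burn(need_liquidity(amount, pair))
    return usd * sell_fee // 100


def compare(amount: int, manipulation_usd: int) -> dict:
    """Same sale on a fresh pool, with and without a preceding large BUSD->NF swap."""
    reference_nf = 1_000_000  # constructed: NF balance from an unmanipulated reference source
    clean = Pair(reserve_nf=1_000_000, reserve_usd=1_000_000, total_supply=1_000_000)
    rigged = Pair(reserve_nf=1_000_000, reserve_usd=1_000_000, total_supply=1_000_000)
    rigged.swap_usd_for_nf(manipulation_usd)
    return {
        "clean_lp": need_liquidity(amount, clean),
        "rigged_lp": need_liquidity(amount, rigged),
        "rigged_lp_with_reference": amount * rigged.total_supply // reference_nf,
        "clean_usd": usd_received(amount, clean),
        "rigged_usd": usd_received(amount, rigged),
    }
```

With the constructed reserves, a sale of 10,000 NF burns four times the LP tokens and pays out sixteen times the BUSD after a 3,000,000 BUSD swap, while the reference-balance variant burns the same LP as the clean case.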
Solution
The attack succeeded because the attacker was able to manipulate the price of the token by exploiting a flawed calculation scheme. This exploit could largely have been prevented if the token price had not relied on the spot balance of the corresponding PancakeSwap pair.
We may not have prevented the occurrence of this hack; however, the impact or aftermath of this attack could have been significantly reduced if the team associated with the NeverFall project had set up a dedicated cover pool in the Neptune Mutual marketplace. Through our parametric policies, we offer coverage to users who have suffered a loss of funds or digital assets as a result of smart contract vulnerabilities.
Users who purchase the available parametric cover policies do not need to provide loss evidence in order to receive payouts. Payouts can be claimed as soon as an incident is resolved through the incident resolution system. At the moment, our marketplace is available on two popular blockchain networks, Ethereum, and Arbitrum.
Neptune Mutual's security team would also have evaluated the platform for DNS and web-based security, frontend and backend security, intrusion detection and prevention, and other security considerations.
About Us
Neptune Mutual project safeguards the Ethereum community from cyber threats. The protocol uses parametric cover as opposed to discretionary insurance. It has an easy and reliable on-chain claim process. This means that when incidents are confirmed by our community, resolution is fast.
Join us in our mission to cover, protect, and secure on-chain digital assets.
Official Website: https://neptunemutual.com
Blog: https://neptunemutual.com/blog/
Twitter: https://twitter.com/neptunemutual
Forums: https://community.neptunemutual.com/
Telegram: https://t.me/neptunemutual
Discord: https://discord.gg/2qMGTtJtnW
YouTube: https://www.youtube.com/c/NeptuneMutual
LinkedIn: https://www.linkedin.com/company/neptune-mutual