KaoyaSwap Logic Exploit Analysis | QuillAudits
Summary:
On 24 August 2022, Kaoya Swap (a decentralized exchange protocol deployed on the BSC chain) was attacked. The root cause was flawed accounting logic in the swap function of the router contract. Around 37,294 BUSD and 271.2 wBNB were stolen, which amounts to approximately $118,000.
Introduction to Kaoya Swap:
KaoyaSwap is a decentralized exchange protocol deployed on the Binance Smart Chain (BSC), built on AMM exchange pools. It has an embedded investment platform that aims to increase the income of liquidity providers: KaoyaSwap uses funds in the platform's liquidity pools to execute automated trading strategies.
Vulnerability Analysis & Impact:
The vulnerability was present in the swapExactTokensForETHSupportingFeeOnTransferTokens function of the router contract. Since this function is used to swap fee-on-transfer tokens, let's first understand what fee-on-transfer tokens are before looking at the bug:
Fee-On-Transfer Tokens:
Fee-on-transfer tokens are ERC20 tokens that charge a fee on every transfer() or transferFrom(). They implement the standard ERC20 interface, but when transfer or transferFrom is called, the amount the receiver actually gets is smaller than the amount sent. This is why a router that supports them cannot trust the amount a caller claims to have sent and has to measure balances instead.
Further details can be found here.
Exploit Txn hash: https://bscscan.com/tx/0xc8db3b620656408a5004844703aa92d895eb3527da057153f0b09f0b58208d74
Vulnerable code:
Analyzing Vulnerable Code:
The swapExactTokensForETHSupportingFeeOnTransferTokens function calculates amountOut as the difference in the last pair's balance before and after the swap, and then transfers that amountOut directly to the user.
This logic causes no problem when the last pair appears only once in the swap path. However, if the last pair appears multiple times in the path, every hop through that pair contributes to the balance difference, and the amount transferred to the user is miscalculated.
The Attack Process:
1. First, the attacker designed a swap path that included two self-constructed tokens, tokenA and tokenB. The swap path was [A, wBNB, B, A, wBNB], so the tokenA/wBNB pair appeared twice in the path.
2. The first swap (tokenA → wBNB) and the second tokenA → wBNB swap both reduced the wBNB balance of that pair. Both differences were counted by the router, which therefore transferred more wBNB than the exact amount to the attacker.
3. The attacker borrowed a flash loan of 1800 wBNB. He then added liquidity to the newly constructed [tokenA, wBNB] and [tokenB, wBNB] pairs. After the swap he received 1019 wBNB, and after removing liquidity he received 1029 wBNB. As a result, the attacker profited around 271 wBNB and 37,295 BUSD, which amounts to approximately $118,000.
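To make the accounting flaw concrete, here is an added Python simulation (not KaoyaSwap's or QuillAudits' code) of constant-product pools walked along the [A, wBNB, B, A, wBNB] path described above; the pool reserves, the 0.3% pool fee and the 1% transfer fees on tokens A and B are constructed assumptions. It compares the flawed measure (the last pair's wBNB balance delta over the whole route) with what the router actually received from the final hop, which is the quantity a correctly written router must check against amountOutMin and pay out.

```python
from dataclasses import dataclass

LP_FEE_BPS = 30  # 0.3% pool fee on the input amount, UniswapV2-style (assumed)
# Constructed fee-on-transfer rates: sending X delivers X * (1 - rate).
TRANSFER_FEE_BPS = {"A": 100, "B": 100}  # wBNB has no transfer fee

@dataclass
class Pool:
    """Constant-product pool holding two token reserves (constructed)."""
    reserves: dict

    def swap(self, token_in, amount_sent, token_out):
        # As a fee-on-transfer router must, measure what actually arrived
        # instead of trusting the amount the sender claims to have sent.
        fee = TRANSFER_FEE_BPS.get(token_in, 0)
        arrived = amount_sent * (10_000 - fee) // 10_000
        r_in, r_out = self.reserves[token_in], self.reserves[token_out]
        net_in = arrived * (10_000 - LP_FEE_BPS) // 10_000
        amount_out = net_in * r_out // (r_in + net_in)
        self.reserves[token_in] = r_in + arrived
        self.reserves[token_out] = r_out - amount_out
        return amount_out

def pair_key(x, y):
    return tuple(sorted((x, y)))

def route(pools, path, amount_in):
    """Run a multi-hop swap and return (received, pair_delta): received is the
    final hop's output, i.e. what the router really holds; pair_delta is the
    last pair's output-token balance before minus after the whole route, the
    accounting the page describes as flawed."""
    last, out_token = pools[pair_key(path[-2], path[-1])], path[-1]
    before = last.reserves[out_token]
    amount = amount_in
    for tok_in, tok_out in zip(path, path[1:]):
        amount = pools[pair_key(tok_in, tok_out)].swap(tok_in, amount, tok_out)
    return amount, before - last.reserves[out_token]

def make_pools():
    """Fresh constructed pools for every pair the example paths touch."""
    return {pair_key(x, y): Pool({x: 1_000_000, y: 1_000_000})
            for x, y in (("A", "wBNB"), ("B", "wBNB"), ("A", "B"))}

def overpayment(path, amount_in=10_000):
    """wBNB the flawed accounting pays out beyond what the router received."""
    received, pair_delta = route(make_pools(), path, amount_in)
    return pair_delta - received
```

overpayment() returns 0 for a path that visits the last pair once and exactly the first hop's wBNB output when the pair appears twice, because that first output went to the next pair in the path, not to the router.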
After the Exploit:
Kaoya Swap has yet to release an official statement regarding the attack. BlockSec further identified the following addresses as having profited from this attack:
https://etherscan.io/address/0x8df3dd42bd51dd637580be6f15f651608b749ca1
https://etherscan.io/address/0x236b6150d7cc095d923fc0463977b71e84c891e5
https://etherscan.io/address/0xb77e7ee8e131d7425112df0f0f3c10e1c2208589
https://etherscan.io/address/0xe946bc154baa243b48fcf156977910bbb236df09
https://etherscan.io/address/0x50fc7d751cdde692682a04f59c2c9be2530b4d28
How Could They Have Avoided the Exploit?
The attack could have been prevented by correctly implementing the swap logic for fee-on-transfer tokens. A correct fee-on-transfer swap function uses the "amountOutMin" parameter to check the amount the recipient actually received, rather than the amount the pair sent, when enforcing the invariant, so repeated visits to the same pair cannot inflate the payout.
Further Reference:
Web3 Security - Need of the Hour
Why QuillAudits For Web3 Security?
QuillAudits is well-equipped with the tools and expertise to provide cybersecurity solutions that prevent the loss of millions in funds.