Published in QuillHash

ShadowFi $301K Burn Function Exploit Analysis | QuillAudits

Summary:

On the 2nd of September, 2022, ShadowFi was exploited due to a vulnerability in its LP contract. The root cause was the public visibility of the token's burn function, which allowed any user to burn tokens from any account, including the liquidity pair. Around 1078 BNB, i.e. $301K, was stolen by the attacker and the funds were transferred to Tornado Cash.

Introduction to ShadowFi:

ShadowFi is a DeFi protocol that believes in protecting personally identifiable information from corporate and global financial entities. ShadowFi transactions require zero personal details. Some of its products are ShadowCash, ShadowSwap, Fintech NFTs, ShadowPay, etc. You can find more about ShadowFi here.

Vulnerability Analysis & Impact:

The vulnerability was present in the LP contract of the SDF token. The cause of this attack was a public burn function, which allowed anyone to call it and burn tokens held by any address. Burning the SDF held by the liquidity pair shrank the pair's SDF reserve against an unchanged wBNB reserve, which inflated the price of the token. The attacker then swapped SDF at the inflated price until the pool was exhausted and gained a profit of around 1078 BNB.

Vulnerable Code:

The above code can be found here

Txn Hash: https://bscscan.com/tx/0xe30dc75253eecec3377e03c532aa41bae1c26909bc8618f21fb83d4330a01018

Hacker’s Address: https://bscscan.com/address/0x4daa3135b016ac37c46ed03423d314caea89ff5e

Attack Steps:

1. First, the attacker called the burn function, which was publicly callable, and burned almost 10.3M SDF held by the SDF LP pair contract.

2. Then the attacker called sync on the pair so that its cached reserves reflected the reduced SDF balance, which inflated the price of SDF.

3. Finally, the attacker swapped SDF for wBNB at the inflated price. The attacker swapped around 8.4 SDF tokens for 1078 wBNB (approx. $301K).
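The three steps above are easiest to see on a constant-product pair. The following is an added example, not code from the original post or from ShadowFi: a toy Uniswap-V2-style pair in Python with constructed reserves (10,000,000 SDF-like tokens against 1,000 wBNB), a `burn_from_pair` helper standing in for a token whose `burn(account, amount)` is public, and a simplified K check. It shows why step 2 matters (a swap right after the burn fails the K check because the cached reserves are stale) and how much one modest swap extracts once the reserves are synced.

```python
# Constructed toy model of a Uniswap-V2-style pair (the kind of LP contract the
# post describes). Reserve sizes are illustrative, not ShadowFi's real figures.

INITIAL_TOKEN_RESERVE = 10_000_000          # SDF-like token, whole units (constructed)
INITIAL_WBNB_RESERVE = 1_000 * 10**18       # wBNB in wei (constructed)


class SwapReverted(Exception):
    """Raised when the pair's constant-product (K) check fails."""


class Pair:
    def __init__(self, token_balance: int, wbnb_balance: int) -> None:
        # What the pair actually holds (ERC-20 balanceOf(pair)).
        self.token_balance = token_balance
        self.wbnb_balance = wbnb_balance
        # Cached reserves used for pricing; refreshed only by sync()/swap().
        self.reserve_token = token_balance
        self.reserve_wbnb = wbnb_balance

    def sync(self) -> None:
        """Pair.sync(): overwrite the cached reserves with current balances."""
        self.reserve_token = self.token_balance
        self.reserve_wbnb = self.wbnb_balance

    @staticmethod
    def get_amount_out(amount_in: int, reserve_in: int, reserve_out: int) -> int:
        """Router-style quote: constant product with the 0.3% fee, integer math."""
        amount_in_with_fee = amount_in * 997
        return amount_in_with_fee * reserve_out // (reserve_in * 1000 + amount_in_with_fee)

    def swap_token_for_wbnb(self, amount_in: int) -> int:
        out = self.get_amount_out(amount_in, self.reserve_token, self.reserve_wbnb)
        new_token_balance = self.token_balance + amount_in
        new_wbnb_balance = self.wbnb_balance - out
        # Simplified K invariant: the pair accepts the swap only if the product of
        # its new balances is at least the product of the cached reserves.
        if new_token_balance * new_wbnb_balance < self.reserve_token * self.reserve_wbnb:
            raise SwapReverted("K")
        self.token_balance = new_token_balance
        self.wbnb_balance = new_wbnb_balance
        self.sync()   # the real pair updates reserves after every swap
        return out


def burn_from_pair(pair: Pair, amount: int) -> None:
    """Models a token whose burn(account, amount) is public: anyone can destroy
    tokens held by the pair. The balance drops, the cached reserves do not."""
    if amount > pair.token_balance:
        raise ValueError("cannot burn more than the pair holds")
    pair.token_balance -= amount


def simulate(burn_amount: int, attacker_tokens: int) -> dict:
    """Compare one swap of attacker_tokens before and after burn_amount of the
    pair's token reserve has been burned. wBNB amounts are returned in wei."""
    honest = Pair(INITIAL_TOKEN_RESERVE, INITIAL_WBNB_RESERVE)
    baseline_out = honest.swap_token_for_wbnb(attacker_tokens)

    # Step 1 only: burn tokens out of the pair and swap without syncing.
    unsynced = Pair(INITIAL_TOKEN_RESERVE, INITIAL_WBNB_RESERVE)
    burn_from_pair(unsynced, burn_amount)
    try:
        unsynced.swap_token_for_wbnb(attacker_tokens)
        reverts_without_sync = False
    except SwapReverted:
        reverts_without_sync = True   # stale reserves: the K check fails

    # Steps 1 + 2: burn, then sync so the reserves reflect the shrunken balance.
    attacked = Pair(INITIAL_TOKEN_RESERVE, INITIAL_WBNB_RESERVE)
    burn_from_pair(attacked, burn_amount)
    attacked.sync()
    # Step 3: swap at the inflated price.
    inflated_out = attacked.swap_token_for_wbnb(attacker_tokens)

    return {
        "baseline_out": baseline_out,
        "reverts_without_sync": reverts_without_sync,
        "inflated_out": inflated_out,
        "pool_fraction_drained": inflated_out / INITIAL_WBNB_RESERVE,
    }


if __name__ == "__main__":
    r = simulate(burn_amount=9_990_000, attacker_tokens=10_000)
    print(f"baseline swap: {r['baseline_out'] / 1e18:.4f} wBNB")
    print(f"swap without sync reverts: {r['reverts_without_sync']}")
    print(f"after burn + sync: {r['inflated_out'] / 1e18:.2f} wBNB "
          f"({r['pool_fraction_drained']:.0%} of the pool)")
```

With the constructed numbers, 10,000 tokens fetch about 1 wBNB before the burn and about 499 wBNB after 99.9% of the pair's token balance has been burned and synced: the same swap is worth roughly 500 times more, and a single trade takes about half the wBNB reserve. From a defender's side the detectable signal is the same one the simulation isolates: a large burn whose `account` is a liquidity pair, followed by a `sync` call from the same actor.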

After the Exploit:

On 2nd September, ShadowFi announced this exploit to the community and started their investigation. And later on 3rd September, they published a report on this attack. The report can be found here.

Status of Stolen Funds:
All the stolen funds were transferred to Tornado Cash after the attack. You can find the transaction details here.

Price Impact:
After the attack, the price of SDF tokens fell tremendously, but it didn’t take long to rise again. Currently (as of writing this blog), the price of $SDF Token is $0.01068 at CoinMarketCap.

How could they have prevented the Exploit?

ShadowFi's own post names two causes: _transferFrom does not perform the allowance check, and burn is public. The attack could have been prevented by putting proper access control on the burn function, for example with an onlyOwner modifier, or by making the function internal and exposing it only through callers that enforce the correct authorization logic.

Buggy code:

    // Vulnerable: anyone can call this and burn tokens held by any account,
    // including the liquidity pair. _transferFrom performs no allowance check.
    function burn(address account, uint256 _amount) public {
        _transferFrom(account, DEAD, _amount);
    }

Secure code:

    // Restricted to the owner; callers other than the owner are reverted.
    function burn(address account, uint256 _amount) public onlyOwner {
        _transferFrom(account, DEAD, _amount);
    }

Reference:

https://twitter.com/CertiKAlert/status/1565549825889914881
https://medium.com/@ShadowFi/shadowfi-the-exploit-44733d1f8cb0

Similar projects secured by QuillAudits:

Web3 security- Need of the hour

Why QuillAudits For Web3 Security?

QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram
