Breaking Down the BH Token Exploit on BNB Chain

Zoumana Cisse
Coinmonks


Blockchain technology heralds the promise of absolute security in financial transactions. But intricate vulnerabilities often tell a different story. A recent exploit on BNB Chain stripped the BH Token of an estimated $1.27 million, and it’s imperative that we dissect the event to reinforce the foundations of DeFi security.

Understanding the BH/USDT Price Manipulation

In October 2023, the DeFi space was rocked by a sophisticated attack on BH Token (Transaction Details), which applied the principles of a price manipulation attack. Exploits of this kind typically target smart contracts that compute a token's value on-chain from the instantaneous state of a liquidity pool, a figure that can be moved within a single transaction.

The Flashloan Entry Point

The attacker employed a flashloan — a collateral-free loan that is borrowed and repaid in the span of a single blockchain transaction. This particular feature offers the nefarious ability to artificially manipulate a token’s value during the transaction’s lifecycle.

Execution Phases

  1. Initial Borrowing: The attacker starts by taking a flashloan on the USDT token.
  2. Perturbing the Pool: The borrowed USDT is then purposely unbalanced against the BH token via a swap on PancakeSwap, thus exploiting the liquidity ratio.
  3. Capitalizing on Induced Slippage: Following the imbalance, the LP tokens are withdrawn at an unfairly advantageous rate.
  4. Conclusion and Cleanup: The loan is repaid, and the profit is moved, in this case through Tornado Cash to obfuscate origins.

The Cost of Manipulation

Remarkably, the attack was executed for a mere $4.16 in transaction fees on the BNB Chain, yet the perpetrator extracted an immense $1.27 million in USDT.

Dissecting the Attack Code: An Autopsy of the Exploit

Below is the structure of the Proof of Concept (PoC) used in this exploit, with the function bodies elided:

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.10;

// Importing required interfaces and test setups
import "forge-std/Test.sol";
import "./interface.sol";

...

// The setUp function configures the environment for the execution
function setUp() public {
...
}

// The testExploit function kicks off the attack simulation
function testExploit() public {
...
}

// The DPPFlashLoanCall function handles the flash loan callbacks
function DPPFlashLoanCall(...) external {
...
}

// The pancakeCall function is triggered by the PancakeSwap exchange
function pancakeCall(...) external {
...
}

// The pancakeV3FlashCallback function receives funds from the flash loans
function pancakeV3FlashCallback(...) external {
...
}

// Internal function to handle the token swap
function BUSDTToBH() internal {
...
}

This Solidity contract outlines the attack phases against the BH token. The malicious actor used the setUp function to set the environment and fork the mainnet to their advantage. testExploit is the initiating function of the attack, while DPPFlashLoanCall, pancakeCall, and pancakeV3FlashCallback provide callbacks to handle different stages of the flashloan manipulation.

The internal function BUSDTToBH is artfully used to swap tokens and exploit the manipulated exchange rates. The intricate logic and smart use of DeFi's flashloan features proved fatal for the compromised token.

Countermeasures and Preventions

For the keen-eyed and ever-vigilant blockchain security engineer, there are strategic takeaways and defense strategies to be implemented:

  • Implementing Slippage Protection: Smart contracts should be designed to anticipate such attacks by rejecting valuations that deviate from a reference price by more than a set tolerance, so that a drastic change in value within a single block or transaction cannot be acted upon.
  • Leveraging Off-Chain Oracles: Services such as Chainlink offer off-chain data that isn’t vulnerable to on-chain manipulation schemes.
  • Comprehensive Audits: A thorough audit can identify and rectify potential vulnerabilities before they are exploited.
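The following Python model, added here as an illustration and not code from the article or from the PoC it describes, ties the execution phases above to the first two countermeasures. It simulates a constant-product pool of the kind PancakeSwap v2 uses, shows how much a single large swap moves the spot price that a naive on-chain valuation would read, and applies a guard that compares that spot price against a time-weighted average (standing in for an off-chain oracle or TWAP reference) and rejects it when the deviation exceeds a tolerance. Pool reserves, the 0.25% fee, the 3-second block spacing, the 5% tolerance and the swap sizes are all constructed assumptions, not figures from the BH incident.

```python
"""Constructed model of AMM spot-price manipulation and a reference-price guard.
Reserve sizes, fee, block timing, threshold and trade sizes are assumptions."""

from dataclasses import dataclass, field

WAD = 10**18   # 18-decimal fixed point, mirroring on-chain token arithmetic
BPS = 10_000   # basis-point denominator


@dataclass
class ConstantProductPool:
    """x*y=k pool (Uniswap-v2 / PancakeSwap-v2 style) with integer reserves."""
    reserve_usdt: int
    reserve_bh: int
    fee_bps: int = 25  # 0.25% swap fee (assumption)

    def spot_price_bh_in_usdt(self) -> int:
        """USDT per BH scaled by WAD: what a naive on-chain valuation reads."""
        return self.reserve_usdt * WAD // self.reserve_bh

    def swap_usdt_for_bh(self, usdt_in: int) -> int:
        """Sell USDT into the pool; returns BH received and updates reserves."""
        amount_in_with_fee = usdt_in * (BPS - self.fee_bps)
        numerator = amount_in_with_fee * self.reserve_bh
        denominator = self.reserve_usdt * BPS + amount_in_with_fee
        bh_out = numerator // denominator
        self.reserve_usdt += usdt_in
        self.reserve_bh -= bh_out
        return bh_out


@dataclass
class TwapOracle:
    """Time-weighted average price from per-block observations. A price that
    only exists inside one transaction never accrues any time weight."""
    observations: list = field(default_factory=list)  # (timestamp, price)

    def observe(self, timestamp: int, price: int) -> None:
        self.observations.append((timestamp, price))

    def consult(self, now: int, window: int) -> int:
        """Average of observed prices, each weighted by how long it stood."""
        start = now - window
        weighted, elapsed = 0, 0
        later = self.observations[1:] + [(now, 0)]
        for (t0, price), (t1, _) in zip(self.observations, later):
            lo, hi = max(t0, start), min(t1, now)
            if hi > lo:
                weighted += price * (hi - lo)
                elapsed += hi - lo
        return weighted // elapsed if elapsed else 0


def deviation_bps(observed: int, reference: int) -> int:
    """Absolute distance between two prices, in basis points of the reference."""
    return abs(observed - reference) * BPS // reference


def price_is_sane(observed: int, reference: int, max_deviation_bps: int) -> bool:
    """Slippage / oracle guard: accept a spot price only if it stays within
    tolerance of the reference. A zero reference means no data, so reject."""
    if reference == 0:
        return False
    return deviation_bps(observed, reference) <= max_deviation_bps


def simulate(usdt_in: int, max_deviation_bps: int = 500) -> dict:
    """Swap `usdt_in` against a fresh constructed pool, then apply the guard
    to the post-swap spot price using a TWAP over the preceding ten blocks."""
    pool = ConstantProductPool(reserve_usdt=1_000_000 * WAD,
                               reserve_bh=1_000_000 * WAD)
    oracle = TwapOracle()
    for block in range(10):               # quiet trading at 1 USDT/BH, 3s blocks
        oracle.observe(block * 3, pool.spot_price_bh_in_usdt())
    now = 30
    spot_before = pool.spot_price_bh_in_usdt()
    pool.swap_usdt_for_bh(usdt_in)        # phase 2: perturb the pool
    spot_after = pool.spot_price_bh_in_usdt()   # phase 3 relies on this reading
    reference = oracle.consult(now, window=30)  # unaffected by the in-block swap
    return {
        "spot_before": spot_before,
        "spot_after": spot_after,
        "twap_reference": reference,
        "deviation_bps": deviation_bps(spot_after, reference),
        "accepted": price_is_sane(spot_after, reference, max_deviation_bps),
    }


if __name__ == "__main__":
    for label, size in (("honest trade", 1_000 * WAD), ("flashloan-sized swap", 5_000_000 * WAD)):
        r = simulate(size)
        print(f"{label}: spot {r['spot_after'] / WAD:.2f} USDT/BH, "
              f"deviation {r['deviation_bps']} bps, accepted={r['accepted']}")
```

With the constructed reserves, a 1,000 USDT trade moves the spot price by about 20 basis points and passes the guard, while a 5,000,000 USDT swap pushes it past 30 USDT per BH and is rejected because the TWAP, built only from prices that stood for whole blocks, still reads 1 USDT per BH. The same check expressed in Solidity would compare the pool quote against a Chainlink feed or a cumulative-price TWAP before honouring any withdrawal or redemption valued at that quote.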

Calling All Blockchain Security Engineers

This exploit serves as a stark reminder that even a seemingly impenetrable system like blockchain can be subverted. The community of blockchain security engineers and auditors has an instrumental role in safeguarding the DeFi ecosystem. If you’re on the frontlines of this battle, consider scrutinizing your smart contracts with the rigor displayed here. Let’s elevate our vigilance, our technology, and our community to ensure the promise of DeFi remains intact.

Follow this conversation further, and for consultations to secure your smart contracts, reach out through the channels below:
