Cointime

Cointime

Download App
iOS & Android

SharkTeam: Analysis of the HashFlow Attack Incident

On June 14, 2023, Beijing time, HashFlow fell victim to a hacker attack, resulting in an estimated profit of around $600,000 for the attackers.

SharkTeam conducted a prompt technical analysis of the incident and has summarized security measures to be taken as a precautionary approach. It is our hope that this incident serves as a lesson for future projects, contributing to the strengthening of security defenses within the blockchain industry.

1. Incident analysis

Attacker address: 0xBDf38B7475Ff810325AA39e988fb80E0aA007E84

Attack contract: 0xDDb19a1Bd22C53dac894EE4E2FBfdB0A06769216

Attacked contract: 0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c

Attack transactions:

0xdedda493272b6b35660b9cc9070d2ea32ee61279b821184ff837e0a5752f4042

0xb08f6d3fc70b95223cfffc2c905d9c0467a589e5f652cd193e5c00b4ad329b99

0x08b5f35076beb363a7206b8f9b4a6460f42aa9f998b561582fb4e4cdd6f05dce

1. After deploying the attack contract (0xDDb19a1B), the attacker (0xBDf38B74) proceeded to call the Wooooo function within the attack contract (0xDDb19a1B).

2. The attack contract (0xDDb19a1B) called the function 0x0031b016 of the target contract (0x79cdFd7B) during the attack.

3. The function directly transferred the user's USDT tokens to the attack contract.

2. Vulnerability Analysis

The target contract (0x79cdFd7B) that was attacked is a deprecated HashFlow contract, which was abandoned in May of the previous year and was not open-source. Through reverse engineering, it can be observed that the contract transfers tokens from the "from" address to the "to" address. Based on analysis, it is highly likely that users had granted significant authorization to this contract before May of the previous year. However, after the contract was deprecated, these authorizations were not revoked, and due to potential issues with the restriction logic after deprecation, attackers were able to call functions in the deprecated contract to transfer user assets.

3. Subsequent Developments

After carrying out the attack, the attacker (0xBDf38B74) open-sourced the attack contract and left a message stating, "Before use recover, please revoke first. Your funds are not safe." This message serves as a reminder to users to revoke their authorizations to the targeted contract (0x79cdFd7B) before transferring their funds elsewhere.

The hacker left behind two functions. One function allows users to withdraw all their funds, while the other function leaves 10% of the assets as a reward for the attacker. Currently, users have started withdrawing their funds one by one.

4. Security Recommendations

The occurrence of this incident was due to the fact that the targeted contract (0x79cdFd7B) had received significant user authorizations in the past, and these authorizations were not revoked after its deprecation, resulting in user asset losses. To prevent similar attacks in the future, it is important to follow these precautions during the development process:

(1) Project developers should thoroughly validate and address any potential logic issues that may arise after deprecating a contract.

(2) Users should regularly review their account authorizations for different protocol contracts and promptly revoke authorizations for contracts they no longer interact with or have been upgraded.

(3) Before deploying contract upgrades, it is crucial to collaborate with professional third-party auditing teams to ensure security.

About us

SharkTeam’s vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. It has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.
Official website: https://www.sharkteam.org/
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg

Web3 SharkTeam
Comments

All Comments

Recommended for you

  • U.S. Congressman Mike Flood: Looking forward to working with the next SEC Chairman to revoke the anti-crypto banking policy SAB 121

     US House of Representatives will investigate Representative Mike Flood's recent statement: "Despite widespread opposition, SAB 121 is still operating as a regulation, even though it has never gone through the normal Administrative Procedure Act process." Flood said, "I look forward to working with the next SEC chairman to revoke SAB 121. Whether Chairman Gary Gensler resigns on his own or President Trump fulfills his promise to dismiss Gensler, the new government has an excellent opportunity to usher in a new era after Gensler's departure." He added, "It's not surprising that Gensler opposed the digital asset regulatory framework passed by the House on a bipartisan basis earlier this year. 71 Democrats and House Republicans passed this common-sense framework together. Although the Democratic-led Senate rejected it, it represented a breakthrough moment for cryptocurrency and may provide information for the work of the unified Republican government when the next Congress begins in January next year."

  • Indian billionaire Adani summoned by US SEC to explain position on bribery case

    Indian billionaire Gautam Adani and his nephew, Sahil Adani, have been subpoenaed by the US Securities and Exchange Commission (SEC) to explain allegations of paying over $250 million in bribes to win solar power contracts. According to the Press Trust of India (PTI), the subpoena has been delivered to the Adani family's residence in Ahmedabad, a city in western India, and they have been given 21 days to respond. The notice, issued on November 21 by the Eastern District Court of New York, states that if the Adani family fails to respond on time, a default judgment will be made against them.

  • U.S. Congressman: SEC Commissioner Hester Peirce may become the new acting chairman of the SEC

    US Congressman French Hill revealed at the North American Blockchain Summit (NABS) that Republican SEC Commissioner Hester Peirce is "likely" to become the new acting chair of the US Securities and Exchange Commission (SEC). He noted that current chair Gary Gensler will step down on January 20, 2025, and the Republican Party will take over the SEC, with Peirce expected to succeed him.

  • Tether spokesperson: The relationship with Cantor is purely business, and the claim that Lutnick influenced regulatory actions is pure nonsense

     a spokesperson for Tether stated: "The relationship between Tether and Cantor Fitzgerald is purely a business relationship based on managing reserves. Claims that Howard Lutnick's joining the transition team in some way implies an influence on regulatory actions are baseless."

  • Bitwise CEO warns that ETHW is not suitable for all investors and has high risks and high volatility

    Hunter Horsley, CEO of Bitwise, posted on X platform that he was happy to see capital inflows into Bitwise's Ethereum exchange-traded fund ETHW, iShares, and Fidelity this Friday. He reminded that ETHW is not a registered investment company under the U.S. Investment Company Act of 1940 and therefore is not protected by the law. ETHW is not suitable for all investors due to its high risk and volatility.

  • Musk said he liked the "WOULD" meme, and the related tokens rose 400 times in a short period of time

    Musk posted a picture on his social media platform saying he likes the "WOULD" meme. As a result, the meme coin with the same name briefly surged. According to GMGN data, the meme coin with the same name created 123 days ago surged over 400 times in a short period of time, with a current market value of 4.5 million US dollars. Reminder to users: Meme coins have no practical use cases, prices are highly volatile, and investment should be cautious.

  • Victory Securities: Funding Rates halved and fell, Bitcoin's short-term direction is not one-sided

    Zhou Lele, the Vice Chief Operating Officer of Victory Securities, analyzed that the macro and high-level negative impact risks in the cryptocurrency market have passed. The risks are now more focused on expected realization, such as the American entrepreneur Musk and the American "Efficiency Department" (DOGE) led by Ramaswamy. After media reports, the increase in Dogecoin ($DOGE) was only 5.7%, while Dogecoin rose by 83% in the week when the US election results were announced. Last week, the net inflow of off-exchange Bitcoin ETF was US$1.67 billion, and the holdings of exchange contracts and CME contracts remained high, but the funding rates halved and fell back, indicating that the direction of Bitcoin in the short term is not one-sided, and bears are also accumulating strength.

  • ECB board member Villeroy: Falling inflation allows ECB to cut interest rates

     ECB board member Villeroy de Galhau said in an interview that the decline in inflation allows the ECB to lower interest rates. In addition, the slow pace of price increases compared to average wages is also a factor in the rate cut. Villeroy de Galhau emphasized that the ECB's interest rate policy decision is independent of the Fed. Evidence shows that the ECB began to lower interest rates in early June, while the Fed lowered interest rates three months later. With the decline in inflation, we will be able to continue to lower interest rates. Currently, the market generally expects the ECB to cut interest rates by 25 basis points at the next meeting in December, but weaker data increases the possibility of a 50 basis point cut.

  • State Street warns Bitcoin craze could distract gold investors

    George Milling-Stanley, the head of gold strategy at Dominion Bank, warned that the rise of Bitcoin may mislead investors to overlook the stability of gold. He believes that Bitcoin is more like a return-driven investment, while gold provides long-term stability. He also criticized Bitcoin promoters for misleading the market by using the term "mining," and believes that gold is still a more reliable investment choice.

  • Web3 data and AI company Validation Cloud completes $10 million in new round of financing

     Web3 data and AI company Validation Cloud announced a $10 million financing round from True Global Ventures. The company plans to use the funds to expand its AI products and achieve seamless access to Web3 data.

Daily Must-Read

Popular Activities

Delysium $AGI & AI Private Yacht Party

Delysium $AGI & AI Private Yacht Party

March 27 - March 27
Seoul

Popular Tags

Cointime
News
Contents
RSS
Company