Beosin’s Analysis of the ZEED Exploit: The hacker has self-destructed the contract before transferring funds out

On April 21st, 2022, according to Beosin EagleEye, ZEED’s contract on BNB Chain was exploited for about $100M. The Beosin security team analyzed the incident, and the findings are shown below.

ZEED Introduction

ZEED is a decentralized financial ecosystem deployed on BNB Chain.

Relevant Information

Transaction hash:

0x0507476234193a9a5c7ae2c47e4c4b833a7c3923cefc6fd7667b72f3ca3fa83a

Hacker address:

0xec14207d56e10f72446576779d9b843e476e0fb0

Hacker contract:

0x05e55d051ac0a5fb744e71704a8fa4ee3b103374

Victim contract:

0xe7748FCe1D1e2f2Fd2dDdB5074bD074745dDa8Ea

Exploitation Flow

1. The hacker transfers to each of the three trading pairs (ZEED, HOR and USDT) through YEED;

2. The hacker repeats this operation several times;

3. Because ZEED token balances are calculated by adding to or subtracting from the balance of the trading pair directly, the hacker can use this vulnerability to increase the balance and get excess rewards from the pair.

Vulnerability Analysis

This attack mainly exploits the fact that the ZEED contract calculates the balance directly from the rewardFee passed in, instead of using the separately calculated zedreward, horward and usdtreward values, so the hacker can exploit the calculation vulnerability to profit.
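To make the accounting flaw concrete, here is an added example (not Beosin's or ZEED's code) that models one reading of the bug: it assumes the whole rewardFee is credited to each of the three pairs instead of the per-pair shares, and uses a supply-conservation check to flag it. The class, account labels, fee rate and amounts are constructed for illustration.

```python
PAIRS = ("pair_zeed", "pair_hor", "pair_usdt")  # hypothetical account labels
FEE_BPS = 300  # assumed 3% reward fee; the page does not state the real rate


class RewardToken:
    """Toy ledger for a token that pays part of each transfer to three pairs."""

    def __init__(self, buggy):
        self.buggy = buggy
        self.bal = {"sender": 1_000_000, **{p: 0 for p in PAIRS}}
        self.total_supply = sum(self.bal.values())

    def transfer(self, src, dst, amount):
        if amount <= 0 or self.bal[src] < amount:
            raise ValueError("invalid amount")
        reward_fee = amount * FEE_BPS // 10_000
        # Separate per-pair rewards that sum exactly to reward_fee.
        base = reward_fee // len(PAIRS)
        shares = [base, base, reward_fee - 2 * base]
        self.bal[src] -= amount
        self.bal[dst] += amount - reward_fee
        for pair, share in zip(PAIRS, shares):
            # Assumed bug: every pair is credited the full reward_fee,
            # so three times the fee is minted while only one fee was withheld.
            self.bal[pair] += reward_fee if self.buggy else share

    def excess(self):
        # Invariant: balances must always sum to total_supply (excess == 0).
        return sum(self.bal.values()) - self.total_supply


def simulate(buggy, rounds=2, amount=10_000):
    """Transfer to each pair in turn, `rounds` times; return unbacked tokens."""
    token = RewardToken(buggy)
    for _ in range(rounds):
        for pair in PAIRS:
            token.transfer("sender", pair, amount)
    return token.excess()


if __name__ == "__main__":
    print("buggy excess:", simulate(True))
    print("fixed excess:", simulate(False))
```

The same conservation check, run after every transfer in a contract's test suite, catches this class of error before deployment.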

Fund Tracing

As of this writing, the stolen funds are estimated at $1,043,070. The contract was self-destructed before the hacker transferred the funds out.

Summary

In response to this incident, the Beosin security team recommends:

  1. In tokens with dividends, do not directly add to or subtract from the balances of trading pairs.

  2. Before the project goes live, it is highly recommended to choose a professional security audit company to conduct a comprehensive security audit to avoid security risks.
