On December 30, BEOSIN’s Eagle Eye alerted that SashimiSwap was hacked at 09:06 UTC, with a total loss of nearly USD 200,000. Our security technical team has conducted a brief analysis of the hacking process.
#1 Overview
SashimiSwap is a decentralized trading protocol for multi-chain deployments based on AMM and swap pools. It has an embedded investment platform designed to increase the revenue of liquidity providers and it is deployed on three chains simultaneously: Ethereum, HECO and BSC. SashimiSwap executes automated trading strategies using funds from the platform’s liquidity pool.
#2 Detailed Analysis
Transaction Hash: 0xd6a816cc291b24267c03c23c730a84a2699f32a7cf714c8cbe3e47321c76b08f
Hacker Address: 0xa8189407A37001260975b9dA61a81c3Bd9F55908
Attack Contract: 0x2ccc076d1de2d88209f491c679fa5bde870c384a
The hacker first borrowed 399.639 WETH through the DVM pair contract to prepare for the attack.
The hacker then created three tokens, to be used later for creating trading pairs:
A Token Address: 0xf1b43f4e14650ac8c4bb009d9b56eb77c1ae87cd
B Token Address: 0x7a77073c1191f2d2fd31a71c758d44f3de0af831
C Token Address: 0xbacbd121f37557e5ea1d0c4bb67756867866c3fe
The hacker then added liquidity to each pair separately.
First, liquidity was added 1:1 with 1 “B token” and 1 “C token”.
Then liquidity was added 1:1 with 1 WETH and 1 “C token”.
The hacker converted the WETH obtained by flash loan into UNI and put it into the wallet to make the first profit.
The hacker then added liquidity 1:1 with 1 WETH and 1 “B token”, and 1:1 with 247 WETH and 247 “A tokens”, at which point the hacker had spent 400 WETH tokens. Everything was then ready for the next step, taking the profit.
Immediately after, the hacker directly called the swapExactTokensForETHSupportingFeeOnTransferTokens function for profit. The hacker’s swap path was: A => WETH => B => C => WETH.
#3 Summary
By analyzing the code, we found that the swapExactTokensForETHSupportingFeeOnTransferTokens function has a serious logic vulnerability: the output amount is calculated from the WETH recorded for the first pair, amountOut = balanceBefore.sub(balanceAfter). This makes it possible to swap the WETH in the first pair into the other pairs and thereby make a profit.
The hacker then removed the liquidity to get WETH, repeated the profit twice with the obtained WETH, and finally returned the WETH borrowed by flash loan. The total profit was nearly $200,000: 6,261.304 UNI, 4,466,096 Sashimi and 63,762 USDT.
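The accounting flaw summarized above, as a simplified Python model added here for illustration (it is not SashimiSwap's contract code and not part of the original analysis). The Pair class, the 0.3% constant-product fee, the function names and all reserve values are assumptions constructed for the example; it compares a payout taken from the first WETH pair's balance delta with what the final hop actually releases.

```python
# Simplified model of the amountOut accounting described in the summary.
# Constructed numbers; pool maths and names are assumptions, not SashimiSwap code.

class Pair:
    """Constant-product pool with a 0.3% fee (an assumption of this model)."""
    def __init__(self, t0, r0, t1, r1):
        self.reserves = {t0: r0, t1: r1}

    def swap(self, token_in, amount_in):
        """Apply one hop, update reserves, return (token_out, amount_out)."""
        token_out = next(t for t in self.reserves if t != token_in)
        x, y = self.reserves[token_in], self.reserves[token_out]
        fee_in = amount_in * 997
        out = fee_in * y // (x * 1000 + fee_in)
        self.reserves[token_in] += amount_in
        self.reserves[token_out] -= out
        return token_out, out


def route(pairs, token_in, amount_in):
    """Run every hop in order; return what the last pair really released."""
    token, amount = token_in, amount_in
    for pair in pairs:
        token, amount = pair.swap(token, amount)
    return amount


def flawed_amount_out(pairs, token_in, amount_in, weth="WETH"):
    """Payout as the summary describes it: WETH delta of the first WETH pair."""
    first = next(p for p in pairs if weth in p.reserves)
    before = first.reserves[weth]
    route(pairs, token_in, amount_in)
    return before - first.reserves[weth]  # amountOut = balanceBefore.sub(balanceAfter)


def checked_amount_out(pairs, token_in, amount_in):
    """Corrected accounting: pay out only what the final hop released."""
    return route(pairs, token_in, amount_in)


def build_pools():
    """Constructed reserves laid out along the path A => WETH => B => C => WETH."""
    u = 10**18
    return [Pair("A", 247 * u, "WETH", 247 * u), Pair("WETH", u, "B", u),
            Pair("B", u, "C", u), Pair("C", u, "WETH", u)]


if __name__ == "__main__":
    amount = 100 * 10**18  # constructed input amount of token A
    print("first-pair delta:", flawed_amount_out(build_pools(), "A", amount))
    print("final-hop output:", checked_amount_out(build_pools(), "A", amount))
```

With these constructed reserves the first-pair delta is roughly 71 WETH while the final pool releases about 0.33 WETH, which is the mismatch an invariant check on the router's payout should catch.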