What Went Wrong in BYC Token’s $100K Hack?

Updated at: January 5, 2025 | 5 Mins Read

Author: QuillAudits Team

Overview

On Dec-03, 2024, the BYC token was exploited through a vulnerability in its "autoBurnLiquidity" function. The attacker manipulated the "lpBurnFrequency" parameter by swapping a large amount of USDT for BYC and transferring all of that BYC to the PancakeSwap pair, which inflated the parameter's value. By then calling "autoBurnLiquidity", the attacker reduced the pair's BYC reserve to 1, which let him drain all of the USDT from the liquidity pool, resulting in a $100k loss.

Exploit Details


Attack Process

  1. The autoBurnLiquidity function in the BYC contract is designed to burn tokens by transferring them from the PancakeSwap liquidity pool to the DEAD address.
  2. The function is triggered when the BYC balance of the PancakeSwap pair exceeds a threshold defined by the lpBurnFrequency variable.
  3. The value of lpBurnFrequency increases whenever tokens are transferred to the PancakeSwap pair (for example, during swaps of BYC for USDT).
  4. The attacker identified that by transferring a large amount of BYC tokens to the PancakeSwap pair, he could artificially inflate the lpBurnFrequency threshold.
  5. Once the threshold had been manipulated, the attacker used autoBurnLiquidity's intended behaviour to drain the liquidity pool.
  6. After autoBurnLiquidity executed, the BYC reserve in the liquidity pool was reduced to just 1 BYC.
  7. The extreme imbalance between the BYC and USDT reserves caused the price of USDT relative to BYC to collapse.
  8. With the BYC reserve effectively drained, the attacker was able to extract almost all of the USDT from the liquidity pool.
  9. This resulted in a total loss of approximately $100,000 worth of USDT.

The Root Cause

The root cause of the exploit lies in the autoBurnLiquidity function's reliance on the lpBurnFrequency parameter, which could be manipulated simply by transferring tokens to the liquidity pool. The function imposed no limits or validation checks on how far lpBurnFrequency could be increased, so the attacker was able to inflate it artificially. Once it was inflated, the function burned a disproportionate amount of BYC from the pool, leaving the reserves badly imbalanced.

Flow of Funds

See the funds flow diagram (image).

How could the exploit have been prevented?

  1. Add logic ensuring that autoBurnLiquidity executes only when specific, well-defined conditions are met, such as a minimum balance or a minimum time interval between burns.
  2. Introduce strict rate limits or maximum bounds on how much lpBurnFrequency can increase, to prevent malicious inflation.
  3. Collaborate with reputable auditors like QuillAudits to analyse smart contracts and identify vulnerabilities.
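As an added illustration (a hypothetical sketch, not the BYC contract's source), the Solidity below places an unbounded liquidity burn beside a version that applies the two checks from the list above: a minimum interval between burns and a hard cap on how much of the pair's balance one call may remove. The `MAX_BURN_BPS` and `MIN_BURN_INTERVAL` values and the `_transfer` hook are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of an auto-burn pattern; not the BYC contract's code.
interface IPair {
    function sync() external; // PancakeSwap pair refreshes reserves from balances
}

abstract contract BoundedAutoBurn {
    address public constant DEAD = 0x000000000000000000000000000000000000dEaD;
    address public immutable pair;

    uint256 public constant MAX_BURN_BPS = 100;        // assumed: at most 1% of pair balance per burn
    uint256 public constant MIN_BURN_INTERVAL = 1 hours; // assumed: minimum spacing between burns
    uint256 public lastBurnTime;

    constructor(address pair_) { pair = pair_; }

    // Hooks supplied by the token contract (assumed signatures).
    function _transfer(address from, address to, uint256 amount) internal virtual;
    function balanceOf(address account) public view virtual returns (uint256);

    // Weak pattern: the amount comes from state that anyone can inflate by sending
    // tokens to the pair, there is no cap and no interval, so a single call can
    // leave the pair with a dust BYC reserve and collapse the USDT price.
    function autoBurnLiquidityUnbounded(uint256 amountToBurn) internal {
        _transfer(pair, DEAD, amountToBurn);
        IPair(pair).sync();
    }

    // Hardened pattern: enforce a minimum interval, cap the burn at a fixed
    // fraction of the pair's current balance, and skip zero-size burns.
    function autoBurnLiquidityBounded() internal returns (bool burned) {
        if (block.timestamp < lastBurnTime + MIN_BURN_INTERVAL) return false;
        uint256 pairBalance = balanceOf(pair);
        uint256 amountToBurn = (pairBalance * MAX_BURN_BPS) / 10_000;
        if (amountToBurn == 0) return false;
        lastBurnTime = block.timestamp;
        _transfer(pair, DEAD, amountToBurn);
        IPair(pair).sync();
        return true;
    }
}
```

Because the cap is a fraction of the pair's balance, pushing extra tokens into the pair only raises the absolute burn amount proportionally and can never reduce the reserve to near zero in one call.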

Why QuillAudits?

Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.

QuillAudits Team

The QuillAudits team comprises expert security researchers and auditors in Web3 security. It has completed 1,000+ audits across Ethereum, Polygon, Solana, Arbitrum, BSC, and more, securing $30B+ with 0 exploits and advancing the blockchain ecosystem.
