Attacker Steals $1.4 Million CUT Tokens by Exploiting Unverified Contract

An attacker mysteriously stole $1.4 million worth of Bows Coin Synthetic US Dollar tokens by exploiting an unverified and unreadable contract living on Binance Smart Chain.

On September 10, an attacker conducted a flash loan exploit on a liquidity pool deployed on the PancakeSwap decentralized exchange to grab $1.4 million worth of Bows Coin Synthetic US Dollar (BSC-USD). The pool provided liquidity for the CUT token, which is separate from the Crypto Unity project token sharing the same ticker symbol. No other liquidity pools on PancakeSwap were affected.

Blockchain cybersecurity firm CertiK reported the incident via X: “We have seen a flashloan exploit involving CUT token.” It added, “The CUT contract uses ILPFutureYieldContract(_lpFutureYieldContractAddress) at 0x0917914b0A70ee7F1f2460Fcd487696856E31154 which is unverified and contains hidden functionality.”

Source: CertiK Alert on X

The attacker stole the BSC-USD tokens, amounting to over $1,448,974, across four transactions, on-chain data shows. While liquidity pools need their users to burn LP tokens to withdraw their funds, the attacker did not do that. In fact, they never made any deposit in the pool, making the attack all the more mysterious.

The plot thickens when one looks at the function the attacker called to execute this attack, “0x7a50b2b8”. That function does not exist in the liquidity pool contract. Instead, it calls another contract altogether, named ILPFutureYieldContract(), which further lets the attacker call another function on an entirely different contract. And that contract remains unverified, with BscScan only relaying unreadable bytecode.
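When a contract is unverified and only bytecode is available, a reviewer can still list which function selectors its dispatcher branches on. The following is an added example, not code from CertiK or from the contracts in this incident; the sample bytecode is constructed, and the scan assumes the Solidity-style `PUSH4 <selector> EQ` dispatch pattern.

```python
# Added example (not from the article): list the selectors an EVM dispatcher tests for.
# Assumption: Solidity-style dispatch, i.e. `PUSH4 <selector> EQ ... JUMPI`.

def _code(bytecode_hex):
    h = bytecode_hex[2:] if bytecode_hex.startswith("0x") else bytecode_hex
    return bytes.fromhex(h)

def dispatcher_selectors(bytecode_hex):
    """Walk opcodes, skipping PUSH immediates, and collect PUSH4 values followed by EQ."""
    code, pc, found = _code(bytecode_hex), 0, []
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7F:                 # PUSH1..PUSH32 carry (op - 0x5f) data bytes
            size = op - 0x5F
            data, nxt = code[pc + 1:pc + 1 + size], pc + 1 + size
            if op == 0x63 and len(data) == 4 and code[nxt:nxt + 1] == b"\x14":
                found.append("0x" + data.hex())
            pc = nxt                           # never interpret immediates as opcodes
        else:
            pc += 1
    return found

def handles(bytecode_hex, selector):
    """True if the dispatcher has an explicit branch for this selector."""
    return selector.lower() in dispatcher_selectors(bytecode_hex)

def naive_contains(bytecode_hex, selector):
    """Raw byte-pattern search; shown only to illustrate its false positives."""
    return bytes.fromhex("63" + selector[2:] + "14") in _code(bytecode_hex)

# Constructed sample bytecode (not the real CUT token or pool contract):
SAMPLE = (
    "6000" "35" "60e0" "1c"                    # load calldata, shift down to the 4-byte selector
    "80" "63a9059cbb" "14" "610030" "57"       # branch for transfer(address,uint256)
    "80" "6370a08231" "14" "610040" "57"       # branch for balanceOf(address)
    "7f" + "00" * 13 + "637a50b2b814" + "00" * 13 +  # PUSH32 constant that only contains the bytes
    "50" "00"
)

if __name__ == "__main__":
    print(dispatcher_selectors(SAMPLE))        # selectors with a real dispatch branch
    print(handles(SAMPLE, "0x7a50b2b8"), naive_contains(SAMPLE, "0x7a50b2b8"))
```

A selector with no dispatch branch is handled by the contract's fallback function if it has one, and otherwise the call reverts, so a missing selector is a cue to inspect the fallback and any contracts it forwards to. Comparisons such as `PUSH4 … GT` that newer compilers emit for binary-search dispatch are pivots, not selectors, which is why only `EQ` matches are collected.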

An Attacker Stole $27 Million from DeFi Protocol Penpie

While an exploit like this is not commonly seen, exploits aimed at DeFi protocols are not uncommon. Recently, an attacker exploited the Penpie protocol for $27 million while funneling significant amounts to crypto mixer Tornado Cash to obfuscate their on-chain footprint. That is just one of the numerous hacks and attacks that have transpired this year.
