Attacker Drains $1.4M from CUT Token Pools
Introduction
An attacker drained over $1.4 million from CUT token pools on the Binance Smart Chain (BSC). This exploit involved a mysterious and unverified contract, allowing the attacker to remove funds without needing to burn the equivalent liquidity provider (LP) tokens.
The Exploit Explained
The attacker targeted a liquidity pool holding CUT tokens and drained the funds on September 10. According to CertiK, a blockchain security platform, the CUT token relied on a separate, unverified contract to set its “future yield” parameter. This unverified contract was manipulated to drain the BSC-USD through an unknown method.
Transaction Details
The attacker made four separate transactions, removing $1,448,974 in total. Notably, the attacker had made no prior deposits to the pool and held no LP tokens, so these were clearly not legitimate withdrawals. Each transaction invoked a function with the selector 0x7a50b2b8, which does not correspond to any function in the token contract. This indicates that the attacker must have gone through ILPFutureYieldContract(), a function that lets the caller invoke another function on a separate, unverified contract. That contract, identifiable by its address ending in 1154, shows only unreadable bytecode on BscScan.
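The pattern described above (pool outflows with no matching LP-token burn, from a caller who never held LP tokens, triggered through a selector the verified ABI does not contain) is something a pool monitor can flag after the fact. The following is an added illustration, not code from the article or from any of the projects it mentions: a Python heuristic run over decoded transactions. The pool, token and wallet addresses, the LP balances and the amounts are constructed placeholders; the selector 0x7a50b2b8 is the one the article reports, and the "known" selectors are assumed to be the ERC-20 transfer/approve/transferFrom plus burn(address) of a UniswapV2-style pair.

```python
# Added example (not from the article): a post-hoc heuristic that flags
# liquidity-pool withdrawals that are not backed by an LP-token burn in the
# same transaction, and calls whose 4-byte selector is absent from the
# pool's verified ABI. Addresses, balances and amounts below are constructed.

from dataclasses import dataclass
from typing import Dict, List

ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"

# Constructed placeholder addresses, not the real CUT or pool contracts.
POOL = "0xPOOL"
LP_TOKEN = "0xLPTOKEN"
STABLE = "0xBSCUSD"

# Selectors assumed to be in the verified ABI: ERC-20 transfer, approve,
# transferFrom, and burn(address) of a UniswapV2-style pair.
KNOWN_SELECTORS = {"0xa9059cbb", "0x095ea7b3", "0x23b872dd", "0x89afcb44"}


@dataclass
class Transfer:
    token: str
    sender: str
    receiver: str
    amount: int


@dataclass
class Tx:
    tx_hash: str
    caller: str
    selector: str              # first four bytes of calldata, hex
    transfers: List[Transfer]  # decoded Transfer events emitted by the tx


def analyze(tx: Tx, lp_balances: Dict[str, int]) -> List[str]:
    """Return the findings for one transaction; an empty list means nothing odd."""
    findings = []
    if tx.selector not in KNOWN_SELECTORS:
        findings.append(f"selector {tx.selector} not in verified ABI")
    # Stablecoin leaving the pool in this transaction.
    outflow = sum(t.amount for t in tx.transfers
                  if t.token == STABLE and t.sender == POOL)
    # LP tokens sent to the zero address, i.e. burned, in this transaction.
    lp_burned = sum(t.amount for t in tx.transfers
                    if t.token == LP_TOKEN and t.receiver == ZERO_ADDRESS)
    if outflow > 0:
        if lp_burned == 0:
            findings.append(f"pool paid out {outflow} with no LP burn")
        if lp_balances.get(tx.caller, 0) == 0:
            findings.append("caller held no LP tokens before the call")
    return findings


def scan(txs: List[Tx], lp_balances: Dict[str, int]) -> Dict[str, List[str]]:
    """Map tx hash -> findings for every transaction that raised at least one."""
    report = {}
    for tx in txs:
        findings = analyze(tx, lp_balances)
        if findings:
            report[tx.tx_hash] = findings
    return report


# Constructed sample data: one ordinary withdrawal and one matching the
# pattern in the article (unknown selector, outflow, no LP burn, no LP held).
LP_BALANCES = {"0xALICE": 5_000, "0xATTACKER": 0}

LEGIT = Tx("0xtx1", "0xALICE", "0x89afcb44", [
    Transfer(LP_TOKEN, "0xALICE", ZERO_ADDRESS, 1_000),
    Transfer(STABLE, POOL, "0xALICE", 12_000),
])

SUSPICIOUS = Tx("0xtx2", "0xATTACKER", "0x7a50b2b8", [
    Transfer(STABLE, POOL, "0xATTACKER", 362_000),
])

if __name__ == "__main__":
    for tx_hash, findings in scan([LEGIT, SUSPICIOUS], LP_BALANCES).items():
        print(tx_hash, *findings, sep="\n  ")
```

In practice the `Tx` records would be built from a node's transaction receipts (calldata prefix plus decoded ERC-20 Transfer logs), and the LP balance snapshot from the block before each call. The three checks are independent on purpose: an unknown selector alone is only a hint, but an outflow with no burn from a caller holding no LP tokens is the combination the article describes.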
Impact on PancakeSwap
The drained pool was part of the PancakeSwap exchange. Fortunately, no other PancakeSwap pools were affected by this exploit. The CUT token involved in this incident is located at an address ending in 36a7 on the BNB Smart Chain and is separate from the Crypto Unity project, which shares the same ticker symbol but a different address.
Lack of Information
Efforts to find any marketing website or Twitter account promoting CUT were unsuccessful, and this may have led investors to confuse it with the unrelated Crypto Unity project.
Recent Exploits in Web3
Exploits like these are a common way for Web3 users to lose funds. On September 3, over $25 million worth of crypto was lost in an exploit of the Penpie decentralized finance protocol. On August 6, the bridge for the Ronin gaming network was drained of $10 million due to an attacker exploiting a faulty deployment script. These incidents highlight the vulnerabilities in the decentralized finance (DeFi) space.
Conclusion
In this case, CUT liquidity providers are collectively $1.4 million poorer due to the exploit. As the DeFi space continues to grow, the importance of robust security measures and verified contracts cannot be overstated.
Key Takeaways
- An attacker drained $1.4 million from CUT token pools on the BNB Smart Chain.
- The exploit involved an unverified contract used to manipulate the “future yield” parameter.
- The attacker conducted four transactions without owning any LP tokens.
- The drained pool was part of the PancakeSwap exchange, but no other pools were affected.
- Recent exploits in the Web3 space underscore the need for improved security measures.
