Overview:

On July 20, 2023, $FFIST suffered an attack due to a business logic issue leading to a loss of ~110K USD.

Smart Contract Hack Overview:

• Vulnerable Contract: 0x80121d
• Attacker address: 0xcc8617
• Attack Transaction: 0x199c4b

Fig: Attack Transaction

Decoding the Smart Contract Vulnerability:

• The _airdrop() function is intended to distribute $FFIST tokens randomly to different addresses.
• Unfortunately, the randomness of airdrop addresses can be predicted due to manipulable parameters such as the last airdrop address, block number, from & to addresses.
• Moreover, the number of tokens airdropped to an address is fixed at one token, leading to an imbalance in the pool and causing $FFIST to be consistently set to 1.
• This imbalance allows a small amount of $FFIST tokens to be exchanged for a disproportionately large amount of USD, raising concerns about the fairness and stability of the ecosystem.

Fig: The root cause of the vulnerability

Mitigation and Best Practices:

• It is recommended to use a source of randomness that cannot be predicted or manipulated by attackers.
• Always validate your code by writing comprehensive test cases that cover all the possible business logic.
• To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at Caligo provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://caligosec.com/
• Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at Caligo

Caligo — Smart Contract Vulnerability Scanner

Conclusion:

Caligo is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts.

Follow us on our Social Media for Web3 security-related updates.
Caligo Security — LinkedIn | Twitter | Telegram