Overview:

On July 4, 2023, BambooAI suffered a price manipulation attack due to the “public burn” issue. This led to a loss of ~53K USD.

Smart Contract Hack Overview:

• Attackers address: 0x00703f
• Vulnerable contract: 0xed5678
• Attack Transaction: 0x88a6c2

Decoding the Smart Contract Vulnerability:

• The attack was initiated when the private updatePool function was invoked by the _transfer function
• The attacker executed a flashloan for 4,042 $WBNB and performed a substantial swap of BambooAI Tokens through Uniswap.
• He then transferred 137 million $BAMBOO to the pair address, causing an increase in the price of BambooAI Tokens due to the burning of tokens during the transfer process.

Fig: The root cause of the vulnerability

• The exploiter then made use of the skim function to withdraw the surplus tokens to their own address.
• The attacker repeated the above steps to further escalate the price of $BAMBOO tokens making a huge profit out of the hack.

Fig: Attack Flow

Mitigation and Best Practices:

• Transfer and burn functions should be validated with extensive test cases to make sure the token price is not inflated/deflated.
• Always validate your code by writing comprehensive test cases that cover all the possible business logic.
• To prevent such vulnerabilities, the best Smart Contract auditors must examine the Smart Contracts for logical issues. We at Caligo provide smart contract security and end-to-end security of web applications and externally exposed networks. Schedule a call at https://caligosec.com/
• Scan your Solidity contracts against the latest common security vulnerabilities with 130+ detections at Caligo

Caligo — Smart Contract Vulnerability Scanner

Conclusion:

Caligo is an advanced smart-contract scanning tool that discovers vulnerabilities and reduces risks in code. Request a security audit with us, and we will help you secure your smart contracts.

Follow us on our Social Media for Web3 security-related updates.
Caligo Security — LinkedIn | Twitter | Telegram