Abstract:
On the seventh of November 2023, TrustPad was attacked. The assault was made doable resulting from a logical flaw within the staking contract. Round $151k price of tokens have been stolen by the attacker.
About Challenge:
TrustPad is a multi-chain launchpad. For extra data, take a look at their web site.
Vulnerability Evaluation & Impression:
On-Chain Particulars:
Attacker Handle: 0x1a7b15354e2f6564fcf6960c79542de251ce0dc9
Sufferer Contract: 0x1694d7fabf3b28f11d65deeb9f60810daa26909a
The Root Trigger:
- The foundation explanation for the exploit was a logic flaw in TrustPad’s Staking Contract
- The receiveUpPool() operate was liable for accepting the upPool request from one other pool and strikes the required quantity of tokens from the consumer after which re-locks, after which change the lock time interval to now. Right here, upPool means transferring the tokens to a different pool.
- Discover how msg.sender will not be verified within the above contract. This allowed attacker to constantly name receiveUpPool() and withdraw()
- Consequently, the attacker acquires the aptitude to right away withdraw all staked funds and increase the pending reward standing by means of the execution of the withdraw() operate.
- Following the repetition of those actions, the attacker employs the stakePendingRewards() operate to maneuver all pending rewards into the staked quantity state, enabling them to withdraw these rewards as revenue later utilizing the withdraw() operate.
Assault Course of:
- First, the attacker deposit TPAD token into LaunchpadLockableStaking contract with the assistance of receiveUpPool() operate.
- Then the attacker repeatedly name stakePendingRewards() and withdraw operate to extend the affect of the assault.
- Lastly, the attacker was in a position to withdraw all of the funds.
Move of Funds:
Right here is the fund movement throughout and after the exploit. You may see extra particulars right here.
Quickly after the hack, the attacker began to switch funds to Twister Money. See right here.
After the Exploit
- The Challenge acknowledged the hack through their Twitter.
Incident Timelines
Nov-06-2023 04:02:52 PM +UTC – The attacker began the assault after making a malicious contract.
Nov-07-2023 01:56:56 AM +UTC – The attacker repeatedly referred to as weak operate. This was the final transaction noticed
Nov-07-2023 12:32:42 PM +UTC – The attacker began depositing funds to Twister Money.
Value Impression
The worth of the TPAD token dropped from $0.120 to $0.0016 instantly following the assault. It’s at present buying and selling at $0.0011 as of the time of penning this weblog. See right here.
How may they’ve prevented the Exploit?
Inadequate enter validation and logical flaws have been the goal of hackers for a really very long time.
It is strongly recommended for protocols to prioritize testing and fuzzing to make sure all the sting circumstances have been efficiently mitigated.
Web3 security- Want of the hour
In right now’s digital period, Web3 safety has change into an indispensable side of the blockchain business. QuillAudits stands on the forefront of this area, providing top-notch cybersecurity options that safeguard thousands and thousands in property. Our staff of specialists is adept at using superior instruments and methods to make sure the best stage of safety on your Web3 initiatives.
Associate with QuillAudits :
Enthusiastic about collaborating with QuillAudits? Discover our partnership alternatives designed to boost Web3 safety throughout the ecosystem:
375 Views