SharkTeam: Technical Analysis of the BNO Attack Incident
On July 18, 2023 Beijing time, Ocean BNO suffered a flash loan attack with the attacker profiting approximately $500,000. SharkTeam conducted immediate technical analysis of this incident and summarized security prevention measures, hoping that future projects can learn from this incident to collectively strengthen the blockchain industry's security defenses.
## I. Incident Analysis
**Attacker Address:**
0xa6566574edc60d7b2adbacedb71d5142cf2677fb
**Attack Contract:**
0xd138b9a58d3e5f4be1cd5ec90b66310e241c13cd
**Attacked Contract:**
0xdCA503449899d5649D32175a255A8835A03E4006
**Attack Transaction:**
0x33fed54de490797b99b2fc7a159e43af57e9e6bdefc2c2d052dc814cfe0096b9
**Attack Process:**
(1) The attacker (0xa6566574) borrowed 286,449 BNO tokens through PancakeSwap flash loan.
(2) Subsequently called the stakeNft function of the attacked contract (0xdCA50344) to stake two NFTs.
(3) Then called the pledge function of the attacked contract (0xdCA50344) to stake 277,856 BNO tokens.
(4) Called the emergencyWithdraw function of the attacked contract (0xdCA50344) to withdraw all BNO tokens.
(5) Then called the unstakeNft function of the attacked contract (0xdCA50344) to retrieve the two staked NFTs and receive additional BNO tokens.
(6) Repeated the above process continuously to obtain additional BNO tokens.
(7) Finally, after repaying the flash loan, exchanged all BNO tokens for 505,000 BUSD and exited with profit.
## II. Vulnerability Analysis
The root cause of this attack is a flaw in the interaction between the reward calculation mechanism and the emergency withdrawal function of the attacked contract (0xdCA50344), which allowed users to receive additional reward tokens after withdrawing their principal.
The contract provides an emergencyWithdraw function for emergency token withdrawal. It cleared the attacker's total stake amount (allstake) and total reward debt (rewardDebt), but did not clear the attacker's nftAddition variable, even though nftAddition is itself derived from the allstake variable.
In the unstakeNft function, the user's current reward is still calculated; because nftAddition has not been reset to zero, the pendingFit function still returns an additional BNO reward value, so the attacker obtains extra BNO tokens.
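The accounting interaction described above, as an added example that is not the BNO contract's code: a constructed Python model in which emergencyWithdraw zeroes allstake and rewardDebt but leaves nftAddition, so pendingFit still returns a reward with no principal behind it, and a `fixed` flag that clears nftAddition together with the principal. The reward formula, `SCALE`, `NFT_BONUS_BPS` and `replay_cycle` are assumptions made for the model.

```python
# Constructed model of the accounting described above; not the BNO contract's code.
# Names follow the write-up; the reward formula and constants are assumptions.
from dataclasses import dataclass

SCALE = 10**12         # fixed-point scale for accumulated reward per unit of weight
NFT_BONUS_BPS = 1_000  # assumed: each staked NFT adds 10% of the stake as bonus weight

@dataclass
class User:
    allstake: int = 0     # principal deposited through pledge
    rewardDebt: int = 0   # reward already settled at the last accounting update
    nftAddition: int = 0  # bonus weight derived from allstake and the staked NFTs
    nfts: int = 0

class StakingPool:
    def __init__(self, acc_reward_per_share, fixed):
        self.acc = acc_reward_per_share  # pool history: reward accrued per unit of weight
        self.fixed = fixed               # True = emergencyWithdraw also clears nftAddition
        self.users = {}
    def _u(self, who):
        return self.users.setdefault(who, User())
    def _sync(self, u):  # recompute bonus weight from allstake, then settle reward debt
        u.nftAddition = u.allstake * u.nfts * NFT_BONUS_BPS // 10_000
        u.rewardDebt = (u.allstake + u.nftAddition) * self.acc // SCALE
    def pendingFit(self, who):
        u = self._u(who)
        return (u.allstake + u.nftAddition) * self.acc // SCALE - u.rewardDebt
    def stakeNft(self, who, count):
        u = self._u(who); u.nfts += count; self._sync(u)
    def pledge(self, who, amount):
        u = self._u(who); u.allstake += amount; self._sync(u)
    def emergencyWithdraw(self, who):
        u = self._u(who)
        principal, u.allstake, u.rewardDebt = u.allstake, 0, 0
        if self.fixed:
            u.nftAddition = 0  # hardened: NFT bonus weight leaves with the principal
        return principal
    def unstakeNft(self, who):
        u = self._u(who)
        reward = self.pendingFit(who)  # vulnerable: paid even though allstake is already 0
        u.nfts = 0; self._sync(u)
        return reward

def replay_cycle(pool, who, amount, rounds):
    """Replay stakeNft -> pledge -> emergencyWithdraw -> unstakeNft; return reward paid."""
    paid = 0
    for _ in range(rounds):
        pool.stakeNft(who, 2); pool.pledge(who, amount)
        pool.emergencyWithdraw(who); paid += pool.unstakeNft(who)
    return paid
```

With the fix enabled the same cycle pays out nothing, because the reward weight and the principal are cleared in the same step.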
## III. Security Recommendations
In light of this incident, developers should observe the following precautions:
(1) When performing reward calculations, verify whether the user has withdrawn their principal.
(2) Before project launch, seek technical assistance from third-party professional audit teams.
## About Us
SharkTeam's vision is to comprehensively protect the security of the Web3 world. The team consists of experienced security professionals and senior researchers from around the world, proficient in the underlying theories of blockchain and smart contracts, providing services including smart contract auditing, on-chain analysis, and emergency response. We have established long-term partnerships with key participants across various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, Polygon, OKC, Huobi Global, imToken, ChainIDE, and others.
Website: https://www.sharkteam.org
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg