Autoshark Performance Fee Minting Incident Analysis

A copycat hack targeted at a copycat platform

The Exploit

How?

  1. Added a small sum of deposit to the SHARK-BNB Vault (with this transaction).
  2. Borrow 100K BNB of flash loan from PancakeSwap.
  3. Swapped 50K BNB into SHARK token and send them alongside the rest 50K BNB to the SharkMinter contract. (this is important! this is the key leads to the hack.)
  4. Call getReward with the deposit of SHARK-BNB Vault from the first step.
  5. With the huge amount of SHARK token and WBNB in the wallet balance of the minter contract (sent by the hacker at step 3), it returned an extremely large amount of profit (see detailed analysis below). As a result, the system minted 100M SHARK as a reward to the hacker. (plus 15M for Dev and 20M for Referrer)
  6. Sold SHARK token for 102K WBNB, repaid flash loans, taken out 2.2K WBNB.

Why?

SharkMinter uses all wallet balance to make BNBSHARK LP then uses it to calculate the profit sharkBnbLpAmount which can be easily tampered with by just sending the tokens to the minter contract.

About Us

--

--

Pug against Rug

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store