Autoshark Performance Fee Minting Incident Analysis

The Exploit

On May 24, 2021, 09:41:49 PM +UTC, less than 5 days after the Bunny hack, a copycat hacker used a 100K BNB flash loan to mint 135M SHARK tokens from Autoshark, a copycat of Bunny.

As a result, the hacker took out 2.2K WBNB.

Check out the Transaction Details on BscScan.

How?

Pretty much the same as The Bunny Hack.

  1. Added a small deposit to the SHARK-BNB Vault (with this transaction).
  2. Borrowed a 100K BNB flash loan from PancakeSwap.
  3. Swapped 50K BNB into SHARK tokens and sent them, along with the remaining 50K BNB, to the SharkMinter contract. (This is important! This is the key that leads to the hack.)
  4. Called getReward with the SHARK-BNB Vault deposit from the first step.
  5. With the huge amount of SHARK tokens and WBNB in the wallet balance of the minter contract (sent by the hacker at step 3), it returned an extremely large profit (see detailed analysis below). As a result, the system minted 100M SHARK as a reward to the hacker (plus 15M for Dev and 20M for Referrer).
  6. Sold the SHARK tokens for 102K WBNB, repaid the flash loan, and took out 2.2K WBNB.

Why?

Again, pretty much the same as The Bunny Hack. Except this:

SharkMinter uses its entire wallet balance to make BNBSHARK LP, then uses it to calculate the profit, sharkBnbLpAmount, which can easily be tampered with by simply sending tokens to the minter contract.

The 50K BNB and 50K BNB worth of SHARK token sent to the contract’s wallet at step 3 made the contract believe the profit is super high.

The result: 100M (plus 15M for Dev and 20M for Referrer) of Shark token minted and dumped.
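
The accounting flaw described above, as an added example that is not code from the SharkMinter contract: a simplified Python model comparing a minter that values the fee from its whole wallet balance with one that values only the balance change caused by the fee transfer. The class, the function names, the reward rate, the square-root LP formula and the sample amounts are all assumptions made for illustration.

```python
from dataclasses import dataclass
from math import isqrt

# Simplified accounting model. SHARK_PER_LP and the sqrt LP formula are
# assumptions for illustration, not values from the SharkMinter contract.
SHARK_PER_LP = 10


@dataclass
class Minter:
    shark: int = 0  # SHARK balance held at the minter's address
    wbnb: int = 0   # WBNB balance held at the minter's address

    def receive(self, shark: int, wbnb: int) -> None:
        """A plain token transfer: any address can raise these balances."""
        self.shark += shark
        self.wbnb += wbnb

    @staticmethod
    def _make_lp(shark: int, wbnb: int) -> int:
        """Stand-in for adding liquidity: LP units from the two amounts."""
        return isqrt(shark * wbnb)

    def mint_vulnerable(self, fee_shark: int, fee_wbnb: int) -> int:
        """Values the fee from the whole wallet balance, as described above."""
        self.receive(fee_shark, fee_wbnb)
        lp = self._make_lp(self.shark, self.wbnb)
        self.shark = self.wbnb = 0
        return lp * SHARK_PER_LP

    def mint_hardened(self, fee_shark: int, fee_wbnb: int) -> int:
        """Values only the balance change caused by this fee transfer."""
        shark_before, wbnb_before = self.shark, self.wbnb
        self.receive(fee_shark, fee_wbnb)
        lp = self._make_lp(self.shark - shark_before, self.wbnb - wbnb_before)
        self.shark, self.wbnb = shark_before, wbnb_before  # fee spent on LP
        return lp * SHARK_PER_LP


def minted(donation: tuple[int, int], fee: tuple[int, int], hardened: bool) -> int:
    """SHARK minted for one fee payment after an unsolicited donation."""
    m = Minter()
    m.receive(*donation)
    return (m.mint_hardened if hardened else m.mint_vulnerable)(*fee)


if __name__ == "__main__":
    fee, donation = (4, 1), (40_000, 10_000)  # constructed sample amounts
    for d in ((0, 0), donation):
        print(d, minted(d, fee, False), minted(d, fee, True))
```

With no donation both variants mint the same reward; with the donation in place, only the balance-based variant inflates it, while the delta-based one is unaffected.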

About Us

WatchPug is a smart contract security team with the goal of elevating the security, privacy, and usability of the current DeFi ecosystem. For smart contract auditing, please contact us on Twitter or Telegram.

Donation: 0x227d72Ec9f332292523f64032DD25111676404aA
