Paraluni, a metaverse finance project on the BSC chain, was hacked; the attacker made off with more than $1.7 million.
- The attacker’s funds came from PancakeSwap’s flash loan.
- The problem lies in the depositByAddLiquidity method of the project's MasterChef contract. The method does not check that the token array parameter address[2] memory _tokens is consistent with the LP token pointed to by the pid parameter, and it does not apply a reentrancy lock to the code path in which the LP amount changes.
At present, the hacker's address "0x94bc" holds 3,000.01 BNB (about US$1.1258 million) on the BSC chain, and a further 235.45 ETH (about US$608,600) was bridged to the ETH network address "0x94bc" through cBridge. About 1/3 of the stolen funds (230 ETH) have flowed into Tornado Cash.
This incident is a reminder to watch for reentrancy vulnerabilities in contract methods that change balances, and to protect such methods with reentrancy-lock modifiers.
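The two defects described above (the unchecked _tokens parameter and the missing reentrancy lock) are easiest to see side by side. The following is an added, simplified illustration written for this page; it is not Paraluni's MasterChef code, and the contract names FarmVulnerable and FarmHardened, the FarmBase helper, the PoolInfo struct, the userAmount mapping and the router interface are all assumptions made for the example. FarmVulnerable credits the caller with the LP balance delta produced by adding liquidity for whatever two token addresses the caller passes, with no check that they belong to the pool's LP pair and with external calls into those caller-chosen tokens before the accounting is done. FarmHardened adds the pair check and a reentrancy lock.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address, address, uint256) external returns (bool);
    function approve(address, uint256) external returns (bool);
}

// Uniswap-V2-style pair: an LP token that exposes its two underlying tokens.
interface IPair is IERC20 {
    function token0() external view returns (address);
    function token1() external view returns (address);
}

interface IRouter {
    function addLiquidity(
        address tokenA, address tokenB,
        uint256 amountADesired, uint256 amountBDesired,
        uint256 amountAMin, uint256 amountBMin,
        address to, uint256 deadline
    ) external returns (uint256 amountA, uint256 amountB, uint256 liquidity);
}

// Shared state and the liquidity-adding helper (hypothetical, for illustration).
abstract contract FarmBase {
    struct PoolInfo { IPair lpToken; }
    PoolInfo[] public poolInfo;
    mapping(uint256 => mapping(address => uint256)) public userAmount; // pid => user => LP credited
    IRouter public immutable router;

    constructor(IRouter _router) { router = _router; }

    // Access control deliberately omitted in this illustration.
    function add(IPair lp) external { poolInfo.push(PoolInfo(lp)); }

    // Pulls the two tokens from the caller and adds them as liquidity through the router.
    function _pullAndAddLiquidity(address[2] memory t, uint256[2] memory a) internal {
        for (uint256 i = 0; i < 2; i++) {
            // External call into a caller-chosen token contract: a malicious token can
            // execute arbitrary code here, including a call back into this contract.
            IERC20(t[i]).transferFrom(msg.sender, address(this), a[i]);
            IERC20(t[i]).approve(address(router), a[i]);
        }
        router.addLiquidity(t[0], t[1], a[0], a[1], 0, 0, address(this), block.timestamp);
    }
}

// Vulnerable shape: _tokens is never checked against poolInfo[_pid].lpToken, and the
// balance-delta accounting has no reentrancy guard.
contract FarmVulnerable is FarmBase {
    constructor(IRouter r) FarmBase(r) {}

    function depositByAddLiquidity(uint256 _pid, address[2] memory _tokens, uint256[2] memory _amounts) external {
        IPair lp = poolInfo[_pid].lpToken;
        uint256 before = lp.balanceOf(address(this));
        _pullAndAddLiquidity(_tokens, _amounts);
        userAmount[_pid][msg.sender] += lp.balanceOf(address(this)) - before;
    }
}

// Hardened shape: the caller's tokens must be exactly the pool's pair, and the whole
// method runs under a reentrancy lock.
contract FarmHardened is FarmBase {
    uint256 private _status = 1;

    modifier nonReentrant() {
        require(_status == 1, "reentrant call");
        _status = 2;
        _;
        _status = 1;
    }

    constructor(IRouter r) FarmBase(r) {}

    function depositByAddLiquidity(uint256 _pid, address[2] memory _tokens, uint256[2] memory _amounts)
        external
        nonReentrant
    {
        IPair lp = poolInfo[_pid].lpToken;
        address t0 = lp.token0();
        address t1 = lp.token1();
        require(
            (_tokens[0] == t0 && _tokens[1] == t1) || (_tokens[0] == t1 && _tokens[1] == t0),
            "tokens do not match pool LP"
        );
        uint256 before = lp.balanceOf(address(this));
        _pullAndAddLiquidity(_tokens, _amounts);
        userAmount[_pid][msg.sender] += lp.balanceOf(address(this)) - before;
    }
}
```

The two fixes address different things. The pair check removes the caller's ability to route the method through an arbitrary contract posing as a token, so every external call in the deposit path goes to a known pair's underlying tokens. The nonReentrant modifier separately guarantees that the before/after LP balance measurement cannot be interleaved with another call into the same contract, which is what makes delta-based accounting safe even if one of the tokens in the pair has transfer hooks.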
DISCLAIMER: The information provided by WebsCrypto does not represent any investment suggestion. The articles published on this site only represent personal opinions and have nothing to do with the official position of WebsCrypto.