ChainCatcher report: According to BlockSec monitoring, the DBXen contract was attacked this morning, with estimated losses of approximately $150,000. The root cause lies in inconsistent sender identification under ERC2771 meta-transactions. In the burnBatch() function, the gasWrapper() modifier uses _msgSender() (the actual user) to update state, while the callback function onTokenBurned() uses msg.sender (the forwarder). This causes accCycleBatchesBurned to be recorded for the user, but lastActiveCycle is incorrectly updated for the forwarder. This inconsistency disrupts the logic of claimFees() and claimRewards(). When updateStats() is executed for the user, the contract erroneously assumes there are unprocessed burned batches because accCycleBatchesBurned has been updated while lastActiveCycle has not, leading to incorrect calculations of rewards and fees—allowing the attacker to extract excess funds for profit.
DBXen contract exploited, estimated loss of $150,000
DBXen's contract was exploited today, with estimated losses of $150,000. The issue stemmed from a mismatch in sender identification within ERC2771 meta-transactions. The burnBatch() function used _msgSender() in gasWrapper(), while onTokenBurned() used msg.sender, resulting in incorrect user tracking. This caused errors in reward and fee calculations in claimFees() and claimRewards(). The ETH update highlights ongoing smart contract risks. The BTC update underscores the need for continuous security audits.
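The sender mismatch described in the report can be modeled as plain bookkeeping, together with an invariant check that catches it. The Python below is an added example, not DBXen's contract code or BlockSec's analysis. It reuses the names accCycleBatchesBurned and lastActiveCycle from the report; the addresses, cycle number, helper names and the invariant itself are constructed assumptions.

```python
# Simplified model of the bookkeeping described in the report; NOT DBXen's contract code.
# Field names follow the report; addresses, cycle number and helpers are constructed.
from dataclasses import dataclass, field

FORWARDER = "0xForwarder"   # constructed placeholder: the trusted ERC2771 forwarder
USER = "0xUser"             # constructed placeholder: the account that signed the request


def erc2771_sender(msg_sender, appended_sender):
    """ERC2771 rule: a trusted forwarder appends the real sender to the calldata."""
    return appended_sender if msg_sender == FORWARDER else msg_sender


@dataclass
class BurnLedger:
    consistent: bool                 # True = callback also resolves the ERC2771 sender
    current_cycle: int = 7           # constructed value
    acc_cycle_batches_burned: dict = field(default_factory=dict)
    last_active_cycle: dict = field(default_factory=dict)

    def burn_batch(self, msg_sender, appended_sender, batches):
        # gasWrapper() step: state keyed by _msgSender(), i.e. the real user
        user = erc2771_sender(msg_sender, appended_sender)
        self.acc_cycle_batches_burned[user] = (
            self.acc_cycle_batches_burned.get(user, 0) + batches)
        # onTokenBurned() step: the reported bug keys this by raw msg.sender
        who = user if self.consistent else msg_sender
        self.last_active_cycle[who] = self.current_cycle

    def inconsistent_accounts(self):
        """Invariant: any account with burned batches is marked active this cycle."""
        return sorted(a for a, n in self.acc_cycle_batches_burned.items()
                      if n > 0 and self.last_active_cycle.get(a) != self.current_cycle)


def run(consistent):
    ledger = BurnLedger(consistent=consistent)
    ledger.burn_batch(FORWARDER, USER, batches=3)   # meta-transaction via the forwarder
    ledger.burn_batch("0xDirect", None, batches=1)  # ordinary direct call
    return ledger


if __name__ == "__main__":
    for mode in (False, True):
        ledger = run(mode)
        print("consistent" if mode else "mismatched",
              ledger.inconsistent_accounts(), ledger.last_active_cycle)
```

With the mismatch, the invariant flags the user account: its burned batches are recorded while the activity marker sits on the forwarder. Resolving the sender the same way in both places clears the flag.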