Hackers exploit NovaBox reward pool mechanism, steal 56.73 ETH

ChainCatcher

Summary:
Hackers exploited a flaw in NovaBox’s reward distribution mechanism, draining 56.73 ETH from the Ethereum-based pool on June 9. The attacker used a 427.5 WETH flash loan from Aave V3 to manipulate the consensus mechanism, triggering a phantom dividend of 145.82 ETH. By depositing a small amount of NOVA tokens followed by a large ETH deposit, the attacker exploited a delay in balance updates. The pool was drained from 65.11 ETH to 0.09 ETH in a single transaction, resulting in a 99.86% loss. Over 130 users were affected. Security firm F12 confirmed no smart contract vulnerability was involved, but rather a bridge exploit within the reward logic.

ChainCatcher reports, citing Bits.media, that the reward pool of the NovaBox platform was hacked on June 9 on Ethereum, resulting in a loss of approximately 56.73 ETH and affecting over 130 depositing users. The attacker drained the pool’s funds from 65.11 ETH to just 0.09 ETH in a single transaction, accounting for about 99.86% of the total. Security firm F12 stated that the incident was not caused by a smart contract vulnerability, but rather by a flaw in the reward distribution mechanism.

The attacker borrowed 427.5 WETH via an Aave V3 flash loan and exploited NovaBox’s mechanism of distributing dividends before updating user balances. The hacker first deposited a small amount of NOVA tokens to trigger dividend calculations, then deposited a large amount of ETH to significantly increase their actual share. Because the system had not yet updated the balance, it continued calculating dividends based on the previous small share amount while paying out according to the new large share amount. This generated approximately 145.82 ETH in “phantom dividends” and depleted the reward pool.
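The ordering flaw described above can be reproduced in a small accounting model. This is an added example, not NovaBox's contract code: the cumulative per-share index design, the `RewardPool` class, the `settle_before_update` switch and all numbers are assumptions constructed for illustration. It contrasts the flawed deposit order with the hardened one, which settles rewards at the old share count before changing the balance.

```python
SCALE = 10**18  # fixed-point scale for the per-share index

class RewardPool:
    """Hypothetical cumulative-index dividend pool; integers are abstract units."""
    def __init__(self, settle_before_update):
        self.settle_before_update = settle_before_update
        self.index = 0        # cumulative reward per share, scaled
        self.total_shares = 0
        self.rewards = 0      # reward funds actually held
        self.shares, self.checkpoint, self.owed = {}, {}, {}

    def _settle(self, user):
        # Credit what the user's current shares earned since the checkpoint.
        held = self.shares.get(user, 0)
        since = self.index - self.checkpoint.get(user, self.index)
        self.owed[user] = self.owed.get(user, 0) + held * since // SCALE
        self.checkpoint[user] = self.index

    def distribute(self, amount):
        if self.total_shares == 0:
            raise ValueError("no shares to distribute to")
        self.rewards += amount
        self.index += amount * SCALE // self.total_shares

    def deposit(self, user, amount):
        # Hardened order: settle at the OLD share count, then change the balance.
        # Flawed order: only a first deposit sets the checkpoint, so a later
        # top-up is multiplied by index growth it was never present for.
        if self.settle_before_update or user not in self.shares:
            self._settle(user)
        self.shares[user] = self.shares.get(user, 0) + amount
        self.total_shares += amount

    def claim(self, user):
        self._settle(user)
        paid = min(self.owed[user], self.rewards)  # pool cannot pay more than it holds
        self.owed[user] -= paid
        self.rewards -= paid
        return paid

def run(settle_before_update):
    """Constructed scenario: returns (late_depositor_paid, long_term_holder_paid)."""
    pool = RewardPool(settle_before_update)
    pool.deposit("holder", 100)
    pool.deposit("late", 1)       # small position opens the checkpoint
    pool.distribute(101)          # fair split: holder 100, late 1
    pool.deposit("late", 900)     # large top-up after the distribution
    return pool.claim("late"), pool.claim("holder")
```

With the flawed order, the late depositor's computed entitlement (901 units) exceeds everything the pool holds, so the long-term holder is left with nothing; with the hardened order each party receives exactly its fair split.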
