Home
News
Details

Truebit Protocol Suffers $26.4M Loss in Smart Contract Attack

iconPANews
Share
Share IconShare IconShare IconShare IconShare IconShare IconCopy
This is the logo of the coin.
TRU
$0.005561.83%
This is the logo of the coin.
ETH
$2,098.15-0.64%
AI summary iconSummary

expand icon
The Truebit Protocol lost $26.4 million after an exploit targeting smart contract vulnerabilities in a non-open-source contract from five years ago. Attackers minted TRU tokens and drained 8,535.36 ETH. Beosin traced the funds to three high-risk Ethereum addresses. The exploit involved repeatedly calling a flawed function with minimal msg.value. A detailed report on the contract security breach and fund flow has been released.

Author: Beosin

On the early morning of January 9, a non-open-source contract deployed by Truebit Protocol five years ago was attacked, resulting in a loss of 8,535.36 ETH (approximately $26.4 million). The Beosin security team conducted a vulnerability and fund tracking analysis of this security incident and shares the findings as follows:

Attack Methodology Analysis

For this incident, we will use the most significant attack transaction as our analysis subject. The transaction hash is: 0xcd4755645595094a8ab984d0db7e3b4aabde72a5c87c4f176a030629c47fb014

1. The attacker calls getPurchasePrice() to obtain the price.

2. Then call the vulnerable function 0xa0296215() and set the msg.value to an extremely small value.

Due to the contract not being open-sourced, the function is speculated to have an arithmetic logic vulnerability through decompiled code. For example, an integer truncation issue occurred, allowing the attacker to successfully mint a large number of TRU tokens.

3. The attacker used the burn function to "sell back" the minted tokens to the contract, thereby extracting a large amount of ETH from the contract's reserves.

This process is repeated 4 more times, each time increasing the msg.value, until almost all the ETH in the contract is drained.

Funds Theft Tracking

Based on on-chain transaction data, Beosin conducted a thorough fund tracking investigation using its blockchain on-chain investigation and tracking platform, BeosinTrace, and shares the results as follows:

Currently, the 8,535.36 ETH that was stolen has been transferred, with the majority stored in the addresses 0xd12f6e0fa7fbf4e3a1c7996e3f0dd26ab9031a60 and 0x273589ca3713e7becf42069f9fb3f0c164ce850a.

Among them, address 0xd12f holds 4,267.09 ETH, and address 0x2735 holds 4,001 ETH. The address used by the attacker to initiate the attack (0x6c8ec8f14be7c01672d31cfa5f2cefeab2562b50) also holds 267.71 ETH. No further fund transfers have been observed from these three addresses.

Funds Flow Analysis Chart of the Theft Incident by Beosin Trace

The above addresses have all been marked as high-risk addresses by Beosin KYT. Taking the attacker's address as an example:

Beosin KYT is a blockchain compliance solution provided by Beosin, primarily used for monitoring and analyzing blockchain transactions to

Conclusion

The stolen funds involved a smart contract that had not been open-sourced five years ago. For such contracts, the project team should upgrade the contracts by introducing emergency pause mechanisms, parameter restrictions, and new security features in the latest Solidity versions. In addition, security audits remain an essential part of the smart contract development process. Through security audits, Web3 companies can comprehensively examine smart contract code as much as possible, identify and fix potential vulnerabilities, and enhance contract security.

Beosin will provide a complete analysis report on all fund flows and address risks for this event. You are welcome to obtain it via the official email support@beosin.com.

Source:Show original
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.