Another example of a flash loan attack, analysis of the LianGuailmswap security incident

LianGuailmswap security incident another example of flash loan attack

Written by: CertiK

On July 24, 2023, LianGuailmswap suffered a flash loan attack, resulting in a loss of 901,455 USDT (approximately 901,000 USD). This attack was caused by a vulnerability in the project’s PlpManager contract, which led to an incorrect calculation of USDP and consequently resulted in this attack.

Event Overview

On July 24, 2023, LianGuailmswap experienced a flash loan attack, resulting in a loss of approximately 901,000 USD. The attack was initially attempted by an externally owned address (EOA) 0x5cf40 on block 30248637, but the attacker ran out of gas fees and failed.

Image: Failed transaction. Source: Bscscan

The original attacker extracted 1 ETH from the Tornado Cash on the Ethereum network. Then, the attacker exchanged 1 ETH for USDT and transferred it to the Binance Smart Chain (BSC) through a cross-chain bridge. Subsequently, the USDT was exchanged for BNB and used to create the attack contract. However, unfortunately, the attacker did not have enough BNB to cover this attack.

This allowed EOA 0xf84ef to discover the failed transaction, understand and replicate the transaction from block 30248638, and pay the correct amount of gas fees.

Image: Successful transaction. Source: Bscscan

It can be seen that the original attack failed because the attacker did not have an additional 0.4 BNB to pay for the transaction fees.

Once EOA 0xf84ef successfully exploited the vulnerability, the stolen funds were transferred to EOA 0x0Fe74, which is still in that address.

Image: Transfer of stolen funds. Source: Bscscan

The LianGuailmswap team has contacted the wallet holding the stolen funds and attempted to negotiate a bounty. However, BSC scan seems to have mistakenly marked an incorrect wallet as LianGuailmswap’s attacker:

Image: On-chain message offering bounty. Source: Bscscan

LianGuailmswap’s official X account has confirmed that negotiations with the hacker have begun.

Image: LianGuailmswap X official announcement (Source: @LianGuailmswaporg)

Attack Process

Exploited Transaction: 0x62dba55054fa628845fecded658ff5b1ec1c5823f1a5e0118601aa455a30eac9

Attacker: 0xf84efa8a9f7e68855cf17eaac9c2f97a9d131366

Affected contract: 0xa68f4b2c69c7f991c3237ba9b678d75368ccff8f

1. The attacker borrowed 3,000,000 USDT (worth $3,000,691.52) using flash loan.

2. Through the function buyUSDP(), the attacker exchanged 1,000,000 USDT with Vault and obtained 996,769 LianGuailm USD (USDP) and 996,324 LianGuaiLM LP (PLP). Afterwards, the attacker obtained 996,324 fee LianGuaiLM LP (fPLP) after staking PLP.

3. The attacker exchanged the remaining 2,000,000 USDT with Vault, obtaining 1,993,538 USDP. Then, the attacker triggered the removeLiquidity() function, which exchanged the previously obtained fPLP with Vault, obtaining 1,962,472 PLP. The PLP was further exchanged for 1,956,585 USDT (worth $1,957,036.45). Due to a calculation error in the PlpManager contract, Vault mistakenly returned more USDT to the attacker.

Image: plpmanager.sol source code from BscScan

4. In step 3, 1,953,430 USDP was exchanged for 1,947,570 USDT (worth $1,948,019.41).

5. The attacker repaid the initially borrowed 3,000,000 USDT through flash loan, leaving $901,445 in the attacker’s wallet.

Flash Loan Attacks in 2023

In 2023, there have been 128 flash loan attacks, compared to only 101 recorded in 2022. As attackers seek maximum profit from smart contract vulnerabilities, flash loan attacks are becoming increasingly popular among hackers.

At the time of this incident, flash loan attacks have caused a loss of $255 million, with an average loss of about $2 million per attack. In the first three weeks of July, we have recorded 22 flash loan attacks, resulting in a total loss of $8.5 million. The average number of flash loan attacks per month in 2023 is 18. Currently, the number of flash loan events in July is trending towards a record high. Currently, it is on par with February 2023, which also had 22 attack events.

Chart: Funds lost due to flash loan attacks in 2023. Data source: CertiK

Chart: Number of flash loan attacks in each month of 2023. Data source: CertiK

Conclusion

The flash loan attack on LianGuailmswap is the second largest malicious flash loan attack detected by CertiK in July, resulting in a total loss of 5.8 million US dollars. This attack ranks tenth among malicious flash loan attacks in 2023. Although the number of flash loan attacks in 2023 has not decreased, with 127 occurrences this year compared to only 101 in 2022, the amount of funds currently being lost has significantly decreased. There may be several reasons for this. Firstly, the market conditions in the first half of 2022 resulted in stolen assets having a higher value in US dollars. Secondly, as flash loans are a relatively new concept, security strategies to defend against such attacks are still being developed, meaning that projects holding a large amount of funds become targets. The number of flash loan attacks in 2023 proves that project teams need strong security measures and third-party audits.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

Bitcoin

Memeinator’s Presale Surpasses $700k Milestone as Bitcoin Soars Past $28k

Fashionistas, rejoice! Bitcoin has hit an all-time high, breaking the $28k mark as cryptocurrencies continue to surge...

Blockchain

Scaling Solutions in the Ethereum Ecosystem: A Developer’s Tale 🚀

Development for Ethereum scaling techniques Starknet and zkSync has seen significant growth in the past year, while p...

Blockchain

Economic bandwidth without trust: why Ethereum is irreplaceable

Source: Crypto Valley Live, original title "Ethereum Economic Bandwidth Classification" Author: Ryan Sean A...

Blockchain

The market gradually stabilized and rebounded, XRP led the mainstream currency

Author | Hash sent analysis team Comparative Study Differences and Similarities between ANS and ENSNo worries about s...

Web3

AI Chatbots: Making Web3 Development a Piece of Cake

Blockchain companies are utilizing AI chatbots to speed up app development, but AI-related worries may cause delays.

Blockchain

Near Foundation Joins Celestia to Fortify Ethereum Rollups with Unstoppable 'Data Availability

The project NEAR DA has been launched with the goal of creating a new venue capable of handling the rapid data growth...