Another example of a flash loan attack, analysis of the LianGuailmswap security incident

LianGuailmswap security incident another example of flash loan attack

Written by: CertiK

On July 24, 2023, LianGuailmswap suffered a flash loan attack, resulting in a loss of 901,455 USDT (approximately 901,000 USD). This attack was caused by a vulnerability in the project’s PlpManager contract, which led to an incorrect calculation of USDP and consequently resulted in this attack.

Event Overview

On July 24, 2023, LianGuailmswap experienced a flash loan attack, resulting in a loss of approximately 901,000 USD. The attack was initially attempted by an externally owned address (EOA) 0x5cf40 on block 30248637, but the attacker ran out of gas fees and failed.

Image: Failed transaction. Source: Bscscan

The original attacker extracted 1 ETH from the Tornado Cash on the Ethereum network. Then, the attacker exchanged 1 ETH for USDT and transferred it to the Binance Smart Chain (BSC) through a cross-chain bridge. Subsequently, the USDT was exchanged for BNB and used to create the attack contract. However, unfortunately, the attacker did not have enough BNB to cover this attack.

This allowed EOA 0xf84ef to discover the failed transaction, understand and replicate the transaction from block 30248638, and pay the correct amount of gas fees.

Image: Successful transaction. Source: Bscscan

It can be seen that the original attack failed because the attacker did not have an additional 0.4 BNB to pay for the transaction fees.

Once EOA 0xf84ef successfully exploited the vulnerability, the stolen funds were transferred to EOA 0x0Fe74, which is still in that address.

Image: Transfer of stolen funds. Source: Bscscan

The LianGuailmswap team has contacted the wallet holding the stolen funds and attempted to negotiate a bounty. However, BSC scan seems to have mistakenly marked an incorrect wallet as LianGuailmswap’s attacker:

Image: On-chain message offering bounty. Source: Bscscan

LianGuailmswap’s official X account has confirmed that negotiations with the hacker have begun.

Image: LianGuailmswap X official announcement (Source: @LianGuailmswaporg)

Attack Process

Exploited Transaction: 0x62dba55054fa628845fecded658ff5b1ec1c5823f1a5e0118601aa455a30eac9

Attacker: 0xf84efa8a9f7e68855cf17eaac9c2f97a9d131366

Affected contract: 0xa68f4b2c69c7f991c3237ba9b678d75368ccff8f

1. The attacker borrowed 3,000,000 USDT (worth $3,000,691.52) using flash loan.

2. Through the function buyUSDP(), the attacker exchanged 1,000,000 USDT with Vault and obtained 996,769 LianGuailm USD (USDP) and 996,324 LianGuaiLM LP (PLP). Afterwards, the attacker obtained 996,324 fee LianGuaiLM LP (fPLP) after staking PLP.

3. The attacker exchanged the remaining 2,000,000 USDT with Vault, obtaining 1,993,538 USDP. Then, the attacker triggered the removeLiquidity() function, which exchanged the previously obtained fPLP with Vault, obtaining 1,962,472 PLP. The PLP was further exchanged for 1,956,585 USDT (worth $1,957,036.45). Due to a calculation error in the PlpManager contract, Vault mistakenly returned more USDT to the attacker.

Image: plpmanager.sol source code from BscScan

4. In step 3, 1,953,430 USDP was exchanged for 1,947,570 USDT (worth $1,948,019.41).

5. The attacker repaid the initially borrowed 3,000,000 USDT through flash loan, leaving $901,445 in the attacker’s wallet.

Flash Loan Attacks in 2023

In 2023, there have been 128 flash loan attacks, compared to only 101 recorded in 2022. As attackers seek maximum profit from smart contract vulnerabilities, flash loan attacks are becoming increasingly popular among hackers.

At the time of this incident, flash loan attacks have caused a loss of $255 million, with an average loss of about $2 million per attack. In the first three weeks of July, we have recorded 22 flash loan attacks, resulting in a total loss of $8.5 million. The average number of flash loan attacks per month in 2023 is 18. Currently, the number of flash loan events in July is trending towards a record high. Currently, it is on par with February 2023, which also had 22 attack events.

Chart: Funds lost due to flash loan attacks in 2023. Data source: CertiK

Chart: Number of flash loan attacks in each month of 2023. Data source: CertiK

Conclusion

The flash loan attack on LianGuailmswap is the second largest malicious flash loan attack detected by CertiK in July, resulting in a total loss of 5.8 million US dollars. This attack ranks tenth among malicious flash loan attacks in 2023. Although the number of flash loan attacks in 2023 has not decreased, with 127 occurrences this year compared to only 101 in 2022, the amount of funds currently being lost has significantly decreased. There may be several reasons for this. Firstly, the market conditions in the first half of 2022 resulted in stolen assets having a higher value in US dollars. Secondly, as flash loans are a relatively new concept, security strategies to defend against such attacks are still being developed, meaning that projects holding a large amount of funds become targets. The number of flash loan attacks in 2023 proves that project teams need strong security measures and third-party audits.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

Blockchain

After the 18 million bitcoins were dug up: these “18 million” milestones are also worth remembering

Source: Shallot blockchain Beijing time last Saturday (October 19) 08:04, bitcoin block height reached 600,000, the 1...

News

The market “falls” endlessly, can the recent major changes in EOS reverse the overall situation?

Recently, there have been a lot of news about EOS in the market, such as a $24 million fine and a civil settlement wi...

Blockchain

Yuan Dao Dao | Rereading Nakamoto's Mail Series - Anonymous

First, the original Title:HOW ANONYMOUS ARE BITCOINS? Satoshi Nakamoto November 25 2009, 06: 17: 23 PM Can nodes on t...

Blockchain

The most influential industry star! Coinbase CEO is on the "Times of the Next Generation" list of Time magazine

On Wednesday, Time magazine published a list of TIME 100 NEXT to recognize outstanding talent in all walks of life. B...

Blockchain

Bitcoin hardcore OG meets secretly every year, this is their hot topic of discussion this year

Written by: Jameson Lopp, CTO of keys.casa, and founder of statoshi.info and bitcoinsig.com Source: Chain News "...