Another example of a flash loan attack, analysis of the LianGuailmswap security incident

LianGuailmswap security incident another example of flash loan attack

Written by: CertiK

On July 24, 2023, LianGuailmswap suffered a flash loan attack, resulting in a loss of 901,455 USDT (approximately 901,000 USD). This attack was caused by a vulnerability in the project’s PlpManager contract, which led to an incorrect calculation of USDP and consequently resulted in this attack.

Event Overview

On July 24, 2023, LianGuailmswap experienced a flash loan attack, resulting in a loss of approximately 901,000 USD. The attack was initially attempted by an externally owned address (EOA) 0x5cf40 on block 30248637, but the attacker ran out of gas fees and failed.

• Comparative Study Differences and Similarities between ANS and ENS
• No worries about secure cross-chain transactions? Understanding the xERC20 cross-chain token standard in one article.
• UniswapX Opening the Gateway to Uniswap V4 DeFi Experimental Base

Image: Failed transaction. Source: Bscscan

The original attacker extracted 1 ETH from the Tornado Cash on the Ethereum network. Then, the attacker exchanged 1 ETH for USDT and transferred it to the Binance Smart Chain (BSC) through a cross-chain bridge. Subsequently, the USDT was exchanged for BNB and used to create the attack contract. However, unfortunately, the attacker did not have enough BNB to cover this attack.

This allowed EOA 0xf84ef to discover the failed transaction, understand and replicate the transaction from block 30248638, and pay the correct amount of gas fees.

Image: Successful transaction. Source: Bscscan

It can be seen that the original attack failed because the attacker did not have an additional 0.4 BNB to pay for the transaction fees.

Once EOA 0xf84ef successfully exploited the vulnerability, the stolen funds were transferred to EOA 0x0Fe74, which is still in that address.

Image: Transfer of stolen funds. Source: Bscscan

The LianGuailmswap team has contacted the wallet holding the stolen funds and attempted to negotiate a bounty. However, BSC scan seems to have mistakenly marked an incorrect wallet as LianGuailmswap’s attacker:

Image: On-chain message offering bounty. Source: Bscscan

LianGuailmswap’s official X account has confirmed that negotiations with the hacker have begun.

Image: LianGuailmswap X official announcement (Source: @LianGuailmswaporg)

Attack Process

Exploited Transaction: 0x62dba55054fa628845fecded658ff5b1ec1c5823f1a5e0118601aa455a30eac9

Attacker: 0xf84efa8a9f7e68855cf17eaac9c2f97a9d131366

Affected contract: 0xa68f4b2c69c7f991c3237ba9b678d75368ccff8f

1. The attacker borrowed 3,000,000 USDT (worth $3,000,691.52) using flash loan.

2. Through the function buyUSDP(), the attacker exchanged 1,000,000 USDT with Vault and obtained 996,769 LianGuailm USD (USDP) and 996,324 LianGuaiLM LP (PLP). Afterwards, the attacker obtained 996,324 fee LianGuaiLM LP (fPLP) after staking PLP.

3. The attacker exchanged the remaining 2,000,000 USDT with Vault, obtaining 1,993,538 USDP. Then, the attacker triggered the removeLiquidity() function, which exchanged the previously obtained fPLP with Vault, obtaining 1,962,472 PLP. The PLP was further exchanged for 1,956,585 USDT (worth $1,957,036.45). Due to a calculation error in the PlpManager contract, Vault mistakenly returned more USDT to the attacker.

Image: plpmanager.sol source code from BscScan

4. In step 3, 1,953,430 USDP was exchanged for 1,947,570 USDT (worth $1,948,019.41).

5. The attacker repaid the initially borrowed 3,000,000 USDT through flash loan, leaving $901,445 in the attacker’s wallet.

Flash Loan Attacks in 2023

In 2023, there have been 128 flash loan attacks, compared to only 101 recorded in 2022. As attackers seek maximum profit from smart contract vulnerabilities, flash loan attacks are becoming increasingly popular among hackers.

At the time of this incident, flash loan attacks have caused a loss of $255 million, with an average loss of about $2 million per attack. In the first three weeks of July, we have recorded 22 flash loan attacks, resulting in a total loss of $8.5 million. The average number of flash loan attacks per month in 2023 is 18. Currently, the number of flash loan events in July is trending towards a record high. Currently, it is on par with February 2023, which also had 22 attack events.

Chart: Funds lost due to flash loan attacks in 2023. Data source: CertiK

Chart: Number of flash loan attacks in each month of 2023. Data source: CertiK

Conclusion

The flash loan attack on LianGuailmswap is the second largest malicious flash loan attack detected by CertiK in July, resulting in a total loss of 5.8 million US dollars. This attack ranks tenth among malicious flash loan attacks in 2023. Although the number of flash loan attacks in 2023 has not decreased, with 127 occurrences this year compared to only 101 in 2022, the amount of funds currently being lost has significantly decreased. There may be several reasons for this. Firstly, the market conditions in the first half of 2022 resulted in stolen assets having a higher value in US dollars. Secondly, as flash loans are a relatively new concept, security strategies to defend against such attacks are still being developed, meaning that projects holding a large amount of funds become targets. The number of flash loan attacks in 2023 proves that project teams need strong security measures and third-party audits.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!