TronBank 200 million BTT Quilt: "Counterfeit Currency" Attack Analysis

event

According to the weiwei security laboratory ( johnwick.io ), the well-known DApp TronBank suffered a “counterfeit currency” attack in the early hours of the morning. Nearly 200 million BTTs were stolen by attackers in a short period of time, worth nearly one million yuan. Below we make a simple analysis of the contract code problem involved in this "counterfeit currency" attack.

analysis

The TRON wave field not only supports the contract token standard TRC-20 like Ethereum ERC-20, but also creates the TRC-10 token standard. This token mechanism does not depend on the TRON virtual machine (TVM), making the currency become more It's easy, but if the developer doesn't have a deep understanding of its features, it's easy to write a defective contract code.

We know that similar to Ethereum ETH, TRX wave currency account operations have native API support:

  • Query balance address.balance
  • Transfer (out of OUT) address.transfer(value);
  • Transfer (into IN) msg.value

Similarly, TRC-10 has similar API support:

  • Query the balance address.tokenBalance(trcToken tokenId) return(uint256 tokenAmount);
  • Transfer (out OUT) address.transferToken(uint256 tokenValue, trcToken tokenId);
  • Transfer (into IN) msg.tokenValue, msg.tokenId

From the parameters of the above API, we can find that an account can hold multiple TRC-10 tokens , they rely on the tokenId to distinguish.

Let's look at the tronBank contract involving the invest function that goes into BTT:

  Function invest(uint256 _referrerCode, uint256 _planId) public payable {
         Require(msg.value == 0, "wrong trx amount");
         If (_invest(msg.sender, _planId, _referrerCode, msg.tokenvalue)) { // <-- did not check emit onInvest(msg.sender, msg.tokenvalue 

);
}
} We can find that the invest function does not check whether the msg.tokenId is BTT (the tokenId value of BTT is 1002000), which causes the attacker to transfer the counterfeit currency and count the BTT balance held by the attacker.

Let's take a look at the withdraw() function that the contract involves BTT withdrawal:

  Function withdraw() public payable {
         Uint256 withdrawalAmount = _withdraw();
         If (withdrawalAmount >= 0) {
             msg.sender.transferToken(withdrawalAmount, BTT_ID); //<--- Transfer BTT
             Emit onWithdraw(msg.sender, withdrawalAmount);
         }
     } 

We can see that the cashout function is directly transferred to the attacker by BTT, which causes the attacker to successfully implement the "counterfeit currency" attack.

in conclusion

The TronBank “counterfeit currency” incident, in addition to the lack of project-side safety development experience, is also because TRC-10 is a new thing, the official documentation does not give detailed development guidance.

I hope that the future wave field project side will pay more attention to the official development documents. After all, this is the only way for all developers to use a new language or specification. In the development process, developers are more focused on the construction of the project, so the final code should be audited by a professional security company, multi-party cooperation, better protect the rights of users.

All digital currencies have experienced serious security incidents in the early days. BTC, ETH, and EOS are no exceptions. From another perspective, it is because of the high community activity that hackers are concerned. Can grow stronger.

The Dimensional Security Lab ( johnwick.io ) has comprehensive security incident monitoring for the top- notch digital currency ecology, and if the user's digital currency is lost, it can be submitted on the CoinHunter.io platform for flow monitoring if digital currency inflows The cooperative exchange will freeze in time to recover the losses.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!

Share:

Was this article helpful?

93 out of 132 found this helpful

Discover more

Blockchain

Will Upbit's $ 50 million loss bring Defi's "prosperity"?

The South Korean exchange was stolen again. Following the theft of a South Korean exchange at the beginning of the ye...

Blockchain

Babbitt Column | Money Money Risk Avoidance Guide for Digital Currency Trading Subjects

The anonymity and complexity of digital currency trading make trading participants and trading platforms face many ri...

Blockchain

Contract exchange seeks compliance: as low as 1,500 knives for high NFA licenses

Editor's Note: This article has been deleted without changing the author's original intention. The number o...

Market

Multiple macroeconomic negative factors have hit the market, causing Bitcoin to drop below 26,000 US dollars in the short term.

24-hour bitcoin price analysis chart shows that bitcoin is in a strong downtrend, with bears dominating the market.

Blockchain

Why did the mining pool business become the "sweet bun" of the exchange?

The three major domestic institutes are all involved in the mining pool business. As an exchange, how to use its own ...

Blockchain

When the PoS gold rush era is opened, who will become the next bit continent?

background The first generation of cryptocurrency bitcoin, which brought the necessary changes to our world, and the ...