TronBank 200 million BTT Quilt: "Counterfeit Currency" Attack Analysis


According to the weiwei security laboratory ( ), the well-known DApp TronBank suffered a “counterfeit currency” attack in the early hours of the morning. Nearly 200 million BTTs were stolen by attackers in a short period of time, worth nearly one million yuan. Below we make a simple analysis of the contract code problem involved in this "counterfeit currency" attack.


The TRON wave field not only supports the contract token standard TRC-20 like Ethereum ERC-20, but also creates the TRC-10 token standard. This token mechanism does not depend on the TRON virtual machine (TVM), making the currency become more It's easy, but if the developer doesn't have a deep understanding of its features, it's easy to write a defective contract code.

We know that similar to Ethereum ETH, TRX wave currency account operations have native API support:

  • Query balance address.balance
  • Transfer (out of OUT) address.transfer(value);
  • Transfer (into IN) msg.value

Similarly, TRC-10 has similar API support:

  • Query the balance address.tokenBalance(trcToken tokenId) return(uint256 tokenAmount);
  • Transfer (out OUT) address.transferToken(uint256 tokenValue, trcToken tokenId);
  • Transfer (into IN) msg.tokenValue, msg.tokenId

From the parameters of the above API, we can find that an account can hold multiple TRC-10 tokens , they rely on the tokenId to distinguish.

Let's look at the tronBank contract involving the invest function that goes into BTT:

  Function invest(uint256 _referrerCode, uint256 _planId) public payable {
         Require(msg.value == 0, "wrong trx amount");
         If (_invest(msg.sender, _planId, _referrerCode, msg.tokenvalue)) { // <-- did not check emit onInvest(msg.sender, msg.tokenvalue 

} We can find that the invest function does not check whether the msg.tokenId is BTT (the tokenId value of BTT is 1002000), which causes the attacker to transfer the counterfeit currency and count the BTT balance held by the attacker.

Let's take a look at the withdraw() function that the contract involves BTT withdrawal:

  Function withdraw() public payable {
         Uint256 withdrawalAmount = _withdraw();
         If (withdrawalAmount >= 0) {
             msg.sender.transferToken(withdrawalAmount, BTT_ID); //<--- Transfer BTT
             Emit onWithdraw(msg.sender, withdrawalAmount);

We can see that the cashout function is directly transferred to the attacker by BTT, which causes the attacker to successfully implement the "counterfeit currency" attack.

in conclusion

The TronBank “counterfeit currency” incident, in addition to the lack of project-side safety development experience, is also because TRC-10 is a new thing, the official documentation does not give detailed development guidance.

I hope that the future wave field project side will pay more attention to the official development documents. After all, this is the only way for all developers to use a new language or specification. In the development process, developers are more focused on the construction of the project, so the final code should be audited by a professional security company, multi-party cooperation, better protect the rights of users.

All digital currencies have experienced serious security incidents in the early days. BTC, ETH, and EOS are no exceptions. From another perspective, it is because of the high community activity that hackers are concerned. Can grow stronger.

The Dimensional Security Lab ( ) has comprehensive security incident monitoring for the top- notch digital currency ecology, and if the user's digital currency is lost, it can be submitted on the platform for flow monitoring if digital currency inflows The cooperative exchange will freeze in time to recover the losses.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!


Was this article helpful?

93 out of 132 found this helpful

Discover more


Evolution of demand, yield, and products in the ETH Staking market after Shanghai upgrade

Currently, we are still in the dividend period of ETH Staking, so it is advisable for ETH holders to participate in S...


Cardano Price Surges 8%: Here’s Why ADA Could Reach New Highs in 2024

In the past 24 hours, the Cardano price has experienced a significant increase of over 8% and is currently at $0.6202...


Cardano (ADA) Breaks Out: Is a New All-Time High on the Horizon? 🚀

Cardano (ADA) has made a notable price breakthrough, surging to $0.710 for the first time since May 2022 on Thursday....


Bitcoin Price Analysis: Bulls and Bears Battle for Control

Bitcoin's quick rebound to $42,000 may indicate a resurgence of bullish activity, boosting optimism and potential for...


Cardano (ADA) Price Threatens Bearish Breakout Amid Stagnating TVL

With a recent rebound back towards $0.50, the Cardano (ADA) price has shown resilience following a brief dip below $0...


Is CoinDesk selling at a loss with a valuation of $125 million after being in business for ten years?

On the occasion of its tenth anniversary and after being held by DCG Group for eight years, CoinDesk, the cryptocurre...