Hacker uses unverified contract to drain $1.4m from CUT token pools

In this post:

  • An attacker drained $1.4 million worth of BSC/USD (Bows Coin Synthetic US Dollar).
  • An unverified contract used mysterious methods to drain the BSC/USD in four separate transactions.
  • Over $300M was lost to exploits, scams, and hacks in August, while approximately $10M was recovered. 

According to CertiK, an attacker’s account utilized an unreadable function to transfer $1.4m worth of BSC-USD without burning the equivalent LP tokens. The blockchain insights and security platform revealed that the BSC-USD was drained on September 10 from a liquidity pool holding CUT tokens.

CertiK claimed that the CUT token contract relied on a separate unverified contract to set its “future yield parameter,” allowing the extraction of the BSC-USD through mysterious methods in four separate transactions. According to CertiK, the exploited CUT token differed from the Crypto Unit project with the same ticker symbol but located at a different address ending in “36a7” on the Binance Smart Chain. The affected pair was “0x83681F67069A154815a0c6C2C97e2dAca6eD3249,” as per CertiK’s findings.  

Exploit with CUT tokens leads to over $1.4 million in losses

CertiK uncovered a flashloan exploit involving a CUT token contract using “ILPFutureYieldContract(_lpFutureYieldContractAddress) at 0x0917914b0A70ee7F1f2460Fcd487696856E31154,” which was unverified and contained hidden functionality. The crypto security platform affirmed that the attacker manipulated CUT using FutureYield to gain nearly $1.4 million from the BUSD-CUT pancake pair. CertiK confirmed that the funds were currently held at “0x5766d1F03378f50c7c981c014Ed5e5A8124f38A4.”

CertiK disclosed that the drained pool was part of the Pancakeswap exchange, but no other Pancakeswap pools were affected. Blockchain data revealed that the attacker carried out four separate transactions to remove the $1,448,974 from a BSC-USD pool. CertiK asserted that it was alerted to the illegitimate transaction because the attacker neither made any deposits to the pool nor owned any liquidity provider tokens.

As per CertiK’s report, the attacker called the “0x7a50b2b8” function, which did not exist in the token contract. According to the report, the attacker must have called “ILPFutureYieldContract(),” which allowed another function to be called on an entirely separate unverified contract with an address ending in “1154,” for which only unreadable bytecode is shown. In this case, CUT liquidity providers collectively lost $1.4m due to the exploit.
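The signal CertiK describes above (BSC-USD leaving the pool with no deposit and no LP tokens burned) can be expressed as a monitoring check. The sketch below is an added example, not CertiK's tooling or code from the report; it assumes a constant-product pool of the kind PancakeSwap pairs use, and the record fields, labels and sample values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class PoolTx:
    tx: str            # constructed label, not a real transaction hash
    sender: str        # constructed label
    quote_before: int  # quote-token (e.g. BSC-USD) reserve before the tx
    quote_after: int
    token_before: int  # paired-token reserve before the tx
    token_after: int
    lp_burned: int     # LP tokens burned by the tx
    sender_lp: int     # LP tokens the sender held before the tx

def check(t: PoolTx):
    """Return a finding dict when quote tokens left the pool unpaid, else None."""
    quote_out = t.quote_before - t.quote_after
    if quote_out <= 0:
        return None                      # nothing left the quote side
    if t.lp_burned > 0:
        return None                      # liquidity removal, paid for in LP tokens
    k_before = t.quote_before * t.token_before
    k_after = t.quote_after * t.token_after
    if k_after >= k_before:
        return None                      # ordinary swap, paid for in the other token
    return {"tx": t.tx, "sender": t.sender, "quote_out": quote_out,
            "sender_held_lp": t.sender_lp > 0}

def scan(txs):
    """Run the check over a batch of pool transactions and keep the findings."""
    return [f for f in map(check, txs) if f is not None]

# Constructed sample data: one swap, one liquidity removal, two unpaid outflows.
SAMPLE = [
    PoolTx("t1", "trader", 1_000_000, 990_000, 500_000, 505_100, 0, 0),
    PoolTx("t2", "lp-holder", 990_000, 891_000, 505_100, 454_590, 10, 100),
    PoolTx("t3", "unknown", 891_000, 500_000, 454_590, 454_590, 0, 0),
    PoolTx("t4", "unknown", 500_000, 100_000, 454_590, 454_600, 0, 0),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A swap never lowers the product of the two reserves and a liquidity removal always burns LP tokens, so a transaction that does neither yet reduces the quote reserve is the case worth alerting on.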

Crypto exploits on the rise in 2024 with over $310M in August losses

Data from CertiK showed that over $310 million was lost to a combination of hacks, scams, and exploits in August 2024. The data confirmed this was the second-highest monthly loss in 2024. According to the data, ~$0.8 million was lost to exit scams, ~$1.2 million to flash loans, and $308.8 million to exploits, while only $10.3 million had been recovered. 

CertiK’s data revealed that phishing victims had lost a total of $293 million. Notably, top flash loan attacks in August resulted in losses for Vow ($1.2M), MintStakeShare ($33.5K), and Satoshi ($5K), while the top exit scams resulted in losses for Grimace token ($649K), Sigma ($136K), and Mbappe token ($88K). The top exploits in August were experienced by the Ronin Network ($11.8M), Nexera ($448.8K), Convergence ($210K), iVest DAO ($172K), and AAVE Periphery Ctr ($64K).

Immunefi disclosed that over $1.2 billion was lost to crypto hackers in 2024, representing a 15.5% rise compared to the same period in 2023. 
