Chengdu Lianan 2022-04-03 10:49:01
On April 2, 2022, public-opinion monitoring by Chengdu Lianan's Chain Bing blockchain security situational awareness platform showed that the Inverse Finance project was under attack, with cumulative losses estimated at about 15 million US dollars. The Chengdu Lianan technical team analyzed the incident immediately.
1. The analysis is as follows
Attacker address 1:
Attacker address 2:
Attack transaction hash:
Attack contract:
First, the attacker withdrew 900 ETH from Tornado.Cash in preparation for pushing up the INV token price.
The attacker used 300 ETH to swap for 374 INV tokens, then used 200 ETH to swap for 1372 INV tokens, for a cumulative total of 1746 INV tokens. Note that in the first pool 300 ETH bought only 374 INV, whereas 200 ETH then bought 1372 INV: the INV price in the first pool, WETH/INV, had been raised significantly.
The xINV token price is calculated from the WETH/INV pair (0x328dfd0139e26cb0fef7b0742b49b0fe4325f821). Because the pair's pool had been manipulated and the timeElapsed interval was short, the attacker only needed to meet the requirement of calling..., which is not in the current block, to use the manipulated price and thereby manipulate the value of the xINV token.
After manipulating the pair, the attacker kept sending mint transactions to make the most of the available time window. The attacker also deliberately avoided minting in the block in which the price was manipulated (14506358); otherwise, the price would have been calculated from the block preceding the manipulation block.
The attacker then minted with all 1746 of their INV tokens (that is, deposited them as collateral), received 1156 xINV tokens (LP tokens) in exchange, and borrowed a large amount of tokens against the xINV held.
The cumulative loss to the Inverse Finance project is estimated at about 15 million US dollars.
Chengdu Lianan recommends that project teams use a sufficiently long time window. For example, refer to the following Uniswap example code, in which timeElapsed must be greater than 24 hours.
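The effect of the window length can be checked with a small simulation. This is an added example, not Uniswap's or Inverse Finance's code: it models a constant-product WETH/INV pool with a cumulative-price accumulator and compares the time-weighted price read one block after a 300 ETH swap, once with a one-block window and once with a 24-hour window. The pool reserves, the 13-second block time and all function names are assumptions made for the illustration.

```python
from fractions import Fraction

BLOCK_TIME = 13             # seconds per block (assumed)
PERIOD_24H = 24 * 60 * 60   # the window length the article recommends


class Pair:
    """Constant-product WETH/INV pool with a cumulative-price accumulator (fees ignored)."""

    def __init__(self, weth, inv):
        self.weth, self.inv = Fraction(weth), Fraction(inv)
        self.last_ts = 0
        self.cumulative = Fraction(0)  # sum of (WETH per INV) * seconds

    def cumulative_at(self, now):
        # The spot price since the last update is weighted by the time it was in force.
        return self.cumulative + (self.weth / self.inv) * (now - self.last_ts)

    def swap_weth_for_inv(self, weth_in, now):
        self.cumulative, self.last_ts = self.cumulative_at(now), now
        k = self.weth * self.inv
        self.weth += weth_in
        self.inv = k / self.weth


def price_after_manipulation(window, weth_in=300):
    """TWAP over `window` seconds, read one block after a large WETH -> INV swap."""
    t_swap = PERIOD_24H                    # pool was quiet for a day before the swap
    t_read = t_swap + BLOCK_TIME           # oracle is read in the next block
    pair = Pair(weth=100, inv=500)         # constructed reserves: 0.2 WETH per INV
    t_obs = t_read - window                # start of the averaging window
    cum_obs = pair.cumulative_at(t_obs)    # observation stored before the swap
    pair.swap_weth_for_inv(weth_in, t_swap)
    return (pair.cumulative_at(t_read) - cum_obs) / (t_read - t_obs)


if __name__ == "__main__":
    for name, window in (("one block", BLOCK_TIME), ("24 hours", PERIOD_24H)):
        print(f"{name:>9}: {float(price_after_manipulation(window)):.4f} WETH per INV")
```

With the one-block window the oracle reports the fully manipulated spot price (16 times the starting price in this constructed pool), while the 24-hour window moves by well under 1%.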
Copyright notice: this article was written by [Chengdu Lianan]; when reposting, please include a link to the original. Thank you. https://netfreeman.com/2022/04/202204030934581737.html