Attacker\u00e2\u20ac\u2122s Addresses:<\/strong> Contracts Involved <\/strong><\/p>\n\n\n\n The core of the exploit lies in the LockToken contract’s ‘migrate’<\/strong> function. The checks and validations in this function were weak, enabling the attacker to bypass them with ease and manipulate prices during the migration phase.<\/p>\n\n\n\n The attacker deployed the attack contract and also generated “token A” through the token contract 0x2d4abfdcd1385951df4317f9f3463fb11b9a31df.<\/p>\n\n\n\n The lockToken function within the LockToken contract allows users to secure their tokens and subsequently generate an NFT serving as a Liquidity Provider (LP) token. The `extendLockDuration` function in the LockToken contract was used to adjust the locking time for each of the NFT tokens.<\/p>\n\n\n\n The attack contract initiated a query to the LockToken contract, aiming to determine the specific number of LP tokens. This data extraction was pivotal as it formed an integral part of the parameters required to execute the attack successfully.<\/p>\n\n\n\n Leveraging the NFTs acquired in earlier stages, the attacker invoked the migrate function. This orchestrated action served two malicious purposes:<\/p>\n\n\n\n The preparations using the NFTs allowed the attacker to sidestep various validations embedded in the migrate function. Specifically:<\/p>\n\n\n\n As a result, the NFT id that was obtained by locking the token A was now primed to engage in the migration of the FEG-WETH token pair. This occurred despite the absence of checks confirming if the user\u00e2\u20ac\u2122s locked token matched the one currently in operation.<\/p>\n\n\n\n The attacker had the ability to input the sqrtPriceX96 parameter, which is integral to the price calculation during the UNI-V3 migration. This not only intensified the exploit but also gave the attacker undue advantage over price adjustments.<\/p>\n\n\n\n Post-exploitation, the attacker mobilized the pre-configured NFTs to secure migration refunds for four specific tokens. These were:<\/p>\n\n\n\n These refunded tokens, which were an illicit gain from the exploit, were promptly sent to the address: 0xBa399a2580785A2dEd740F5e30EC89Fb3E617e6E.<\/p>\n\n\n\n The stolen funds of this attack are divided as:<\/p>\n\n\n\n The combined value of these stolen funds was around $14.5 million.<\/p>\n\n\n\n Subsequent to the exploit, which totaled a staggering $14.5 million, the attacker returned approximately $7 million in stolen tokens. The attacker identified themselves as a \u00e2\u20ac\u0153whitehat\u00e2\u20ac\u009d within transaction remarks. <\/p>\n\n\n\n Here are the returned amounts:<\/p>\n\n\n\n The Team Finance exploit underlines the imperative for robust security protocols and continuous vulnerability assessments in the realm of smart contract design and deployment. <\/p>\n\n\n\n The subsequent actions by the attacker, who self-identified as a “whitehat”, bring forth the intricate nature of cybersecurity within the blockchain ecosystem.<\/p>\n\n\n\n
0x161cebB807Ac181d5303A4cCec2FC580CC5899Fd
0xBa399a2580785A2dEd740F5e30EC89Fb3E617e6E<\/p>\n\n\n\nVulnerability Analysis<\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.trustrecipe.in\/wp-content\/uploads\/2023\/10\/Team-Finance-Exploit-Oct-2022-1-1024x686.png\")
<\/figure>\n\n\n\n
The migrate function within the compromised LockToken contract facilitates the transition of specific liquidity from Uniswap-V2 to Uniswap-V3 for users. Post-migration, users receive a portion of the tokens as a refund, determined by the prevailing price. To invoke this function, parameters such as lock ID, the duration of the lock, and a designated withdrawal address are necessary.<\/p>\n\n\n\n![\"\"](\"https:\/\/www.trustrecipe.in\/wp-content\/uploads\/2023\/10\/Team-Finance-Exploit-Oct-2022-2-1024x686.png\")
<\/figure>\n\n\n\nAttack Flow<\/h3>\n\n\n\n
Pre-attack Preparations<\/strong><\/h4>\n\n\n\n
Token Locking<\/strong><\/h4>\n\n\n\n
It provides users the latitude to specify details, including the token type, quantity, withdrawal address, and the duration of the lock.
In this specific exploit, the attacker leveraged this function to lock ‘token A’, designating the withdrawal to the attack contract’s address. This action resulted in the creation of four distinct NFTs, bearing the LP ids 15324, 15325, 15326, and 15327.<\/p>\n\n\n\n![\"\"\/](\"https:\/\/lh7-us.googleusercontent.com\/OZC0iJ7t2SKDOniIHaIrD1EqHTn7U1oQCnREBcNvDbIB-Fzov4abadXZB64JlpmGrpKmwqwWNz5Y-Xw1SJAUemy3ZxtbwOphmZVjWATDktlxcoPEgbxUR2zsgycofZ82SHCXtkA1JJOpELy-FwZ8bQY\")
Locking Time Adjustment<\/strong><\/h4>\n\n\n\n
![\"\"\/](\"https:\/\/lh7-us.googleusercontent.com\/bD2BT8JdvIdPFrF3v95rKxGEKVBQ3YHjZouZoOW4QUooYazdxBFhG1Mfo0VzaUoTFWLAPY3b8qIwjLzok3y8QxAZknRPxmKg26FhRefF-mCPLB-1WuYgIDT5526-PjJFatPwVT_o3pDZePJPZQIa5qE\")
Migration Preparations<\/strong><\/h4>\n\n\n\n
![\"\"](\"https:\/\/www.trustrecipe.in\/wp-content\/uploads\/2023\/10\/Team-Finance-Exploit-Oct-2022-3-1024x686.png\")
<\/figure>\n\n\n\nExploitation Through Migrate Function<\/strong><\/h4>\n\n\n\n
![\"\"](\"https:\/\/www.trustrecipe.in\/wp-content\/uploads\/2023\/10\/Team-Finance-Exploit-Oct-2022-4-1024x686.png\")
<\/figure>\n\n\n\nBypassing Safeguards<\/strong><\/h4>\n\n\n\n
![\"\"](\"https:\/\/www.trustrecipe.in\/wp-content\/uploads\/2023\/10\/Team-Finance-Exploit-Oct-2022-5-1024x686.png\")
<\/figure>\n\n\n\nPrice Manipulation<\/strong><\/h4>\n\n\n\n
Funds Transfer<\/h4>\n\n\n\n
Impact Analysis<\/h3>\n\n\n\n
Post-Incident Update<\/h3>\n\n\n\n
Conclusion<\/h4>\n\n\n\n