Decoding Ocean BNO’s $500k Exploit

Published on: June 17, 20243 Mins Read

Author:

Summary


On the 18th of July 2023, Ocean BNO on the Binance Smart Chain was attacked. The attack was made possible by a smart contract vulnerability. And around $500k worth of BNO tokens was swapped to BUSD by the attacker.


About Project


Ocean Nft is a blockchain-based NFT MarketPlace. For more information, check out their website.


Vulnerability Analysis & Impact


On-Chain Details

Attacker Address: 0xA6566574eDC60D7B2AdbacEdB71D5142cf2677fB

Victim Contract: 0xD138b9a58D3e5f4be1CD5eC90B66310e241C13CD

Attack Transaction: 0x33fed54de490797b99b2fc7a159e43af57e9e6bdefc2c2d052dc814cfe0096b9


The Root Cause

  • The root cause for the exploit was an incorrect record of rewards for NFT and ERC20 tokens.
  • Withdrawing of staked NFT didn’t happen during the execution of Emergency Withdrawl, and rewardDebt was set to 0.
  • This resulted in NFT becoming reclaimable even when the stake was cancelled
  • The attacker was able to exploit emergencyWithdraw() function to clear the user’s reward debt to zero and make a profit for himself.

root cause

Attack Process

  • Firstly, the attacker stakes NFTs and BNO tokens through stakedNFT() and pledge() functions.

attack process1
  • Then the attacker called emergencyWithdraw function

attack process2
  • This allows him to unstake NFT while simultaneously getting the rewards.

attack process3
  • The process was repeated several times to increase profit.
  • Finally, the exploiter swapped the rewards into BUSD.

attack process4

Flow of Funds

Most of the funds were sent to this address – 0xdc109426972ae14d5b3d7e91b47d42ff1fd3c8cc

For more details, check here.


flow of funds

Attacker’s Wallets

Here is a snippet of the attacker’s wallet. Check the complete details here.


attacker wallet

After the Exploit


  • The Project has not acknowledged the attack at the time of writing this postmortem.

Incident Timelines

Jul-18-2023 12:57:13 AM +UTC) – The attack started.

Jul-18-2023 12:57:13 AM +UTC – Exploiter swapped his profit for $504k BUSD


Price Impact

The price of the BNO token dropped by 99% from $4.0 to $0.04 immediately following the attack.


price impact


How could they have prevented the Exploit?


When dealing with a contract that accommodates multiple token standards, it is essential to ensure that the business logic and mathematical operations for each token are accounted for and managed independently.

To guarantee the accuracy and functionality of the code, it is crucial to write comprehensive test cases that thoroughly cover all potential business scenarios.


Why QuillAudits For Web3 Security?

  • QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of hundreds of protocols in funds.
  • Our team of highly skilled auditors have secured over 1M lines of code and $30B in amount.
  • Over the course of multiple years, QuillAudits has been proven to be one of the top choices for protocols to get their codebases audited.

Partner with QuillAudits

  • OG Program (Opportunities for Listing Managers, KOLs, Top Advisors and Investors with access to early stage Web3 projects)
  • WAGSI Program(Claim audit credits to avail exclusive discounts on our auditing package, and additional credits for our automated web3 security infra- QuillShield)
SUPPORT

Need Integration Support?

Talk to an expert

QUILLSHIELD

Explore QuillShield

Get Free Audit Credits

QUILLCHECK

Visit QuillCheck

Detect Rug Pulls on the Go

Subscribe to our Newsletter

Your weekly dose of Web3 innovation and security, featuring blockchain updates, developer insights, curated knowledge, security resources, and hack alerts. Stay ahead in Web3!