According to CertiK, an attacker’s account utilized an unreadable function to transfer $1.4m worth of BSC-USD without burning the equivalent LP tokens. The blockchain insights and security platform revealed that the BSC-USD was drained on September 10 from a liquidity pool holding CUT tokens.
CertiK claimed that the CUT token contract relied on a separate unverified contract to set its “future yield parameter,” allowing the extraction of the BSC-USD through mysterious methods in four separate transactions. According to CertiK, the exploited CUT token differed from the Crypto Unit project with the same ticker symbol but located at a different address ending in “36a7” on the Binance Smart Chain. The affected pair was “0x83681F67069A154815a0c6C2C97e2dAca6eD3249,” as per CertiK’s findings.
Exploit with CUT tokens leads to over $1.4 million in losses
We have seen a flashloan exploit involving CUT token
BSC: 0x7057F3b0F4D0649B428F0D8378A8a0E7D21d36a7
The CUT contract uses ILPFutureYieldContract(_lpFutureYieldContractAddress) at 0x0917914b0A70ee7F1f2460Fcd487696856E31154 which is unverified and contains… pic.twitter.com/ycE4Px3Nxy
— CertiK Alert (@CertiKAlert) September 10, 2024
CertiK uncovered a flashloan exploit involving a CUT token contract using “ILPFutureYieldContract(_lpFutureYieldContractAddress) at 0x0917914b0A70ee7F1f2460Fcd487696856E31154,” which was unverified and contained hidden functionality. The crypto security platform affirmed that the attacker manipulated CUT using FutureYield to gain nearly $1.4 million from the BUSD-CUT pancake pair. CertiK confirmed that the funds were currently held at “0x5766d1F03378f50c7c981c014Ed5e5A8124f38A4.”
Certik disclosed that the drained pool was part of the Pancakeswap exchange, but no other Pancakeswap pools were affected. Blockchain data revealed that the attacker carried out four separate transactions to remove the $1,448,974 from a BSC-USD pool. CertiK asserted that it was alerted of the illegitimate transaction since the attacker neither made any deposits to the pool nor owned any liquidity provider tokens.
As per CertiK’s report, the attacker called the “0x7a50b2b8” function that did not exist in the token contract. The report unveiled that the attacker must have called “ILPFutureYieldContract(),” allowing the calling of another function on an entirely separate unverified contract with an address ending in “1154,” showing only an unreadable bytecode. In this case, CUT liquidity providers collectively lost $1.4m due to the exploit.
Crypto exploits on the rise in 2024 with over $310M in August losses
Data from CertiK showed that over $310 million was lost to a combination of hacks, scams, and exploits in August 2024. The data confirmed this was the second-highest monthly loss in 2024. According to the data, ~$0.8 million was lost to exit scams, ~$1.2 million to flash loans, and $308.8 million to exploits, while only $10.3 million had been recovered.
CertiK’s data revealed that phishing victims had lost a total of $293 million. Notably, top flash loan attacks in August resulted in losses for Vow ($1.2M), MintStakeShare ($33.5K), and Satoshi ($5K), while the top exit scams resulted in losses for Grimace token ($649K), Sigma (136K), and Mbappe token ($88K). The top exploits in August were experienced by the Ronin Network ($11.8M), Nexera (448.8K), Convergence ($210K), iVest DAO ($172K), and AAVE Periphery Ctr ($64K).
Immunefi disclosed that over $1.2 billion was lost to crypto hackers in 2024, representing a 15.5% rise compared to the same period in 2023.