DeFi hackers hit the BNB Chain-based meme coin launchpad 4.Meme on Tuesday morning, forcing the suspension of its token liquidity pool on PancakeSwap.
The attack was first flagged by blockchain security firm SlowMist, which reported that the 4.Meme exploit was carried out using a vulnerability in the platform’s smart contract.
The attacker exploited a critical flaw in 4.Meme’s liquidity mechanism that enabled them to “bypass transfer restrictions and manipulate liquidity pool pricing,” smart contract audit firm QuillAudits told Decrypt.
This marks the second time in the last two months that 4.Meme has experienced an attack; the earlier incident saw $183,000 stolen due to a different vulnerability that allowed a bad actor to manipulate liquidity on PancakeSwap.
How the exploit worked
On this occasion, the attacker first acquired a small amount of 4.Meme tokens before the official launch using the “0x7f79f6df” function.
“Instead of holding or transferring them conventionally, they sent the tokens to a non-existent PancakeSwap Pair address,” QuillAudits’ report said.
Like many decentralized exchanges, PancakeSwap, which has recently seen a surge in popularity, needs a specific address (known as a pair address) to match up the two tokens in a trading pair (for example, 4.Meme tokens and BNB).
Normally, this address is created when the tokens are launched and traded.
In this case, the attacker sent the tokens to an address that did not exist yet, meaning the pair for the 4.Meme token on PancakeSwap had not been created. (On BNB Chain, as on Ethereum, an address can receive tokens before any contract has been deployed at it.)
Since the pair address did not yet exist, the attacker was able to create it themselves. By doing so, the attacker was able to add liquidity (tokens for trading) at an incorrect price, which let them manipulate the system and steal funds from the liquidity pool.
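To make the defensive point concrete, the following is an added example contract written for this article; it is not 4.Meme’s or PancakeSwap’s code, and the article does not say how 4.Meme’s own contract is structured. It assumes a PancakeSwap V2-style factory, where the pair address for two tokens is a CREATE2 address fixed by the factory address, the sorted token addresses and the factory’s pair init code hash, so the address can be known before the pair exists. The factory address, quote token and init code hash are constructor parameters rather than hard-coded values. The contract does two things the incident description calls for: its pre-launch transfer guard covers the predicted pair address whether or not a contract has been deployed there yet, and its launch step refuses to migrate liquidity into a pair that a third party has already created and seeded.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration (not 4.Meme's or PancakeSwap's code): a minimal launchpad
// token that (1) blocks pre-launch transfers to the DEX pair address even before
// that pair is deployed and (2) aborts launch if the pair was pre-seeded by
// someone else.

interface IPancakeFactory {
    function getPair(address tokenA, address tokenB) external view returns (address);
    function createPair(address tokenA, address tokenB) external returns (address);
}

interface IPancakePair {
    function getReserves() external view returns (uint112, uint112, uint32);
}

contract GuardedLaunchToken {
    string public constant name = "Guarded Launch Token";   // hypothetical token
    string public constant symbol = "GLT";
    uint8 public constant decimals = 18;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    address public immutable launchpad;     // deployer; the only caller of launch()
    address public immutable factory;       // V2-style factory, supplied at deploy time
    address public immutable wbnb;          // quote token, supplied at deploy time
    bytes32 public immutable initCodeHash;  // that factory's pair init code hash, supplied at deploy time
    address public immutable predictedPair; // CREATE2 address the factory will use for (this, wbnb)
    bool public launched;

    constructor(address _factory, address _wbnb, bytes32 _initCodeHash, uint256 supply) {
        launchpad = msg.sender;
        factory = _factory;
        wbnb = _wbnb;
        initCodeHash = _initCodeHash;
        // Same derivation as the V2 periphery library's pairFor(): the address is
        // determined by (factory, sorted tokens, init code hash) and is therefore
        // known before the pair exists, so the guard below can cover it from day one.
        (address token0, address token1) =
            address(this) < _wbnb ? (address(this), _wbnb) : (_wbnb, address(this));
        predictedPair = address(uint160(uint256(keccak256(abi.encodePacked(
            hex"ff",
            _factory,
            keccak256(abi.encodePacked(token0, token1)),
            _initCodeHash
        )))));
        totalSupply = supply;
        balanceOf[msg.sender] = supply;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    function _transfer(address from, address to, uint256 amount) internal {
        // Pre-launch: the (future) pair address is never a valid recipient, whether
        // or not the factory has deployed a contract there yet. A guard that only
        // checks getPair() != address(0) would miss the not-yet-created case.
        if (!launched) {
            require(to != predictedPair, "pre-launch: pair is not a valid recipient");
        }
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
    }

    // Launch: create the pair ourselves; if it already exists, insist that it is
    // empty, since non-zero reserves would fix the opening price before the
    // launchpad seeds liquidity.
    function launch() external returns (address pair) {
        require(msg.sender == launchpad, "not launchpad");
        require(!launched, "already launched");
        pair = IPancakeFactory(factory).getPair(address(this), wbnb);
        if (pair == address(0)) {
            pair = IPancakeFactory(factory).createPair(address(this), wbnb);
        } else {
            (uint112 r0, uint112 r1, ) = IPancakePair(pair).getReserves();
            require(r0 == 0 && r1 == 0, "pair pre-seeded by third party; abort launch");
        }
        // Self-check that the configured init code hash matches the live factory.
        require(pair == predictedPair, "factory returned unexpected pair address");
        launched = true;
        // Liquidity seeding (token + WBNB transfer to the pair, then mint) would
        // follow here, at the launchpad's intended price.
    }
}
```

Two caveats a reviewer would raise. First, creating an empty pair is permissionless on a V2-style factory, so the transfer guard alone cannot stop someone from deploying the pair; that is why the launch step also inspects reserves. Second, the reserve check can itself be griefed by donating the quote token to the pair and calling sync(), in which case launch() reverts; the launchpad should then skim the pair or re-deploy rather than proceed into a pair with a price it did not set.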
The hacker withdrew 69 BNB from a FixedFloat hot wallet, “0x47…c95,” three days before the attack, and deployed several contracts to facilitate the attack.
The attacker then sent 67.3 BNB of the stolen funds to one wallet address, “0x4c…805,” and 205 BNB to another, “0x88…456,” the report noted. The 205 BNB was then split and moved across four wallets.
Following the attack on the meme coin platform, the stolen funds of over $174k were moved across multiple wallets to obfuscate the trail.
The hacker then laundered the stolen funds through PancakeSwap’s $BROCCOLLI 3 contract, QuillAudits said.
A total of 192 WBNB was swapped and distributed across several PancakeSwap contracts, including PancakeSwap DCA 32 (0x77C1dF8…), PancakeSwap MuBrocolli (0xcaC54d89…), and others.
4.Meme’s response
In response to the breach, 4.Meme halted the launch function and issued an emergency statement.
“We will compensate affected users and provide a damage submission form to collect relevant information,” the platform tweeted on Tuesday.
Several hours later, 4.Meme announced that operations had resumed after the platform had conducted security checks, and asked affected users to file their claims.
4.Meme’s platform has seen a significant increase in activity since its creation, with a total of 74,607 unique tokens launched on the platform, per data from Dune Analytics.
While the platform has taken steps to prevent future incidents, both attacks point to the ongoing risks facing decentralized platforms, especially those handling large amounts of liquidity in meme coin markets.
Last month, zkLend, a decentralized money lending platform on the Starknet blockchain, fell victim to a major attack, losing $9.5 million in crypto assets.
zkLend later offered the hacker a 10% bounty (around 3,300 ETH, worth roughly $8.78 million) in exchange for the return of the stolen funds.