Another crypto exploit incident has been reported by blockchain investigator BlockSec Phalcon, citing nearly $133,000 worth of tokens drained in what appears to be a DeFi price manipulation.
Hackers drain TUR tokens on BNB Smart Chain
Nearly $133,000 worth of TUR tokens were drained through a staking contract exploit on BNB Smart Chain (BSC). At the core of this incident is a spot-price dependency: a design in which the smart contract calculates rewards from the live price quoted by a decentralized exchange.
The bad actor artificially pumped the price of TUR tokens in the TUR-NOBEL liquidity pool and drained $133,000 in tokens. Pools with thin liquidity are typically easy to exploit, and that is what happened here. Having strong liquidity is one of the most important necessities for a crypto project, XTrends co-founder Benjamin Notinini said in an earlier interview with AltCoin Desk.
To keep the concepts in this incident straight: spot price dependency occurs when a contract blindly trusts the current price of a token in a trading pool to make decisions, such as calculating rewards.
DeFi price manipulation refers to artificially changing the price of a token to trick a smart contract, and a staking contract is a smart contract where users lock their tokens to earn rewards.
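To show concretely why a reward contract that reads the spot price is fragile, here is an added Python model (not the TUR contract's code, and not from BlockSec Phalcon) of a constant-product pool and two reward designs: one that values a stake at the instantaneous pool price, and one that values it at a time-weighted average price (TWAP) and refuses to pay when spot and TWAP diverge. The pool sizes, the 0.30% fee, the reward formula (stake value times a rate) and the 10% deviation threshold are all assumptions chosen for the toy.

```python
"""Toy model: a staking contract that values rewards by DEX price.

Constructed example, not the TUR contract. Token A plays the role of the
staked/reward token and token B the quote token; the pool follows x*y = k.
"""
from dataclasses import dataclass, field

FEE_BPS = 30  # 0.30% swap fee, assumed for the toy pool


class PriceDeviationError(Exception):
    """Raised when spot price strays too far from the TWAP reference."""


@dataclass
class Pool:
    reserve_a: float
    reserve_b: float
    observations: list = field(default_factory=list)  # one spot price per block

    def spot_price(self) -> float:
        """Instantaneous price of A in units of B, straight from reserves."""
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Buy A with B; returns A received. A one-sided buy raises A's price."""
        amount_in = amount_b * (10_000 - FEE_BPS) / 10_000
        amount_out = self.reserve_a * amount_in / (self.reserve_b + amount_in)
        self.reserve_b += amount_b
        self.reserve_a -= amount_out
        return amount_out

    def record_block(self) -> None:
        """Store this block's spot price for the TWAP."""
        self.observations.append(self.spot_price())

    def twap(self, window: int) -> float:
        """Mean of the last `window` recorded block prices."""
        obs = self.observations[-window:]
        return sum(obs) / len(obs)


def reward_spot(pool: Pool, staked_a: float, rate: float) -> float:
    """Vulnerable design: reward = (stake valued at spot price) * rate."""
    return staked_a * pool.spot_price() * rate


def reward_guarded(pool: Pool, staked_a: float, rate: float,
                   window: int = 10, max_deviation: float = 0.10) -> float:
    """Hardened design: value the stake at TWAP and stop if spot is off by more
    than max_deviation from it (a circuit breaker rather than a silent fallback)."""
    spot = pool.spot_price()
    reference = pool.twap(window)
    if abs(spot - reference) / reference > max_deviation:
        raise PriceDeviationError(f"spot {spot:.4f} vs twap {reference:.4f}")
    return staked_a * reference * rate


def run_scenario() -> dict:
    """Quiet pool for 10 blocks, then one large buy in the next block."""
    pool = Pool(reserve_a=1_000_000.0, reserve_b=1_000_000.0)
    for _ in range(10):
        pool.record_block()
    staked, rate = 10_000.0, 0.01
    result = {
        "reward_spot_before": reward_spot(pool, staked, rate),
        "reward_guarded_before": reward_guarded(pool, staked, rate),
    }
    pool.swap_b_for_a(1_000_000.0)  # thin pool: one trade quadruples the quote
    pool.record_block()
    result["spot_after"] = pool.spot_price()
    result["twap_after"] = pool.twap(10)
    result["reward_spot_after"] = reward_spot(pool, staked, rate)
    try:
        result["reward_guarded_after"] = reward_guarded(pool, staked, rate)
        result["guard_tripped"] = False
    except PriceDeviationError:
        result["reward_guarded_after"] = None
        result["guard_tripped"] = True
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

In the scenario the spot-priced reward roughly quadruples after a single trade, while the guarded version refuses to pay because spot sits far above the 10-block average. A TWAP alone is not a complete fix: in a thin pool the average can still be dragged over several blocks (the article notes the price was moved through a series of swaps), so the deviation check, a minimum liquidity-depth requirement, and a defined operational path for when the breaker trips all belong together.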
A DeFi exploit through Sybil attack
Initially, the attacker artificially inflated the price of the TUR token in the liquidity pool through a series of swaps. In the next step, they staked TUR tokens into the vulnerable smart contract. Because the contract priced rewards at the manipulated rate, it began releasing tokens at disproportionately high returns.
Note that the staking contract holds its reward pool in TUR tokens.
Instead of using a single account to claim rewards from the staking contract, the perpetrator used multiple accounts, including referred ones. To be clear, the attacker did not intrude into other users' accounts; instead, they created multiple wallet addresses and linked them via their own referral codes.
Each account interacts with the staking contract to earn rewards. The exploiter used these accounts as tools to drain more funds.
This type of exploit is known as a Sybil attack, a security threat where a single exploiter pretends to be many users. Eventually, the malicious actor swapped the TUR tokens into USDT, draining nearly $133,000 in funds.
Hackers are latching onto DeFi’s weaker sides
BSC is designed for building DeFi apps, NFTs, and games, and for running smart contracts. Although this side of it looks bright, the permissionless nature of most DeFi protocols makes it impossible to tell whether one attacker owns 10 wallets or 10 people own 10 wallets. For context, BSC itself is not a DeFi protocol, but several protocols, such as PancakeSwap, run on BSC.
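The chain cannot tell ten wallets of one person from ten people, but a protocol operator reviewing its own claim data can at least look for the pattern described above (many claimants chained by referral codes and fed from one source) and flag it for review before rewards are paid. The following added Python heuristic is an illustration and is not code from the TUR project, BlockSec Phalcon or any exchange; the claim records, the funder column and the thresholds (cluster size of at least 3 claiming at least half of all rewards) are constructed assumptions.

```python
"""Heuristic Sybil-cluster detection over staking reward claims.

Added example with constructed data, not the TUR contract's logs. Claimants
are linked when one referred another or when both were first funded by the
same address; clusters that are large and draw an outsized share of rewards
are flagged. This only raises a review flag: it cannot prove common control.
"""
from collections import defaultdict

# Constructed sample: (claimant, referrer or None, first funding address, reward)
CLAIMS = [
    ("0xA1", None,   "0xF0", 1200.0),
    ("0xA2", "0xA1", "0xF0", 1150.0),
    ("0xA3", "0xA2", "0xF0", 1100.0),
    ("0xA4", "0xA1", "0xF0", 1300.0),
    ("0xA5", "0xA3", "0xF0", 1250.0),
    ("0xB1", None,   "0xF1",   40.0),
    ("0xB2", None,   "0xF2",   55.0),
    ("0xB3", "0xB1", "0xF3",   30.0),
]


class DisjointSet:
    """Union-find over address strings, with path halving on find."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_claimants(claims):
    """Group claimant addresses connected by referral or shared first funder."""
    ds = DisjointSet()
    for claimant, referrer, funder, _ in claims:
        ds.find(claimant)
        if referrer is not None:
            ds.union(claimant, referrer)
        # namespace the funder so a funding address is never confused with a claimant
        ds.union(claimant, "funder:" + funder)
    clusters = defaultdict(list)
    for claimant, _, _, _ in claims:
        clusters[ds.find(claimant)].append(claimant)
    return list(clusters.values())


def flag_clusters(claims, min_size=3, max_share=0.5):
    """Return clusters of at least min_size members drawing >= max_share of rewards."""
    rewards = defaultdict(float)
    for claimant, _, _, reward in claims:
        rewards[claimant] += reward
    total = sum(rewards.values())
    flagged = []
    for members in cluster_claimants(claims):
        drawn = sum(rewards[m] for m in members)
        share = drawn / total if total else 0.0
        if len(members) >= min_size and share >= max_share:
            flagged.append({"members": sorted(members),
                            "size": len(members),
                            "reward_total": drawn,
                            "reward_share": share})
    return flagged


if __name__ == "__main__":
    for cluster in flag_clusters(CLAIMS):
        print(f"review: {cluster['size']} linked claimants took "
              f"{cluster['reward_share']:.0%} of rewards: {cluster['members']}")
```

In the sample, the five A-wallets form one cluster (chained referrals plus a common funder) and draw about 98% of the rewards, so they are flagged; B1 and B3 are referral-linked but too small a group to trip the rule. In production the same clustering would run before reward distribution, combined with the price-deviation checks, since referral multiplication only pays off once rewards are mispriced.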
This type of incident is not new in DeFi. AltCoin Desk has reported several such incidents, with losses running into the millions. Similar DeFi hacks share a common pattern: low or thin liquidity pools, a contract that depends on the spot price, and a hacker who is an expert in moving markets.
In DeFi, if math can be exploited, hackers will always find ways to take advantage of it.