Today morning Paraluni was exploited in a series of txs. One of the tx is 0x70f367b9420ac2654a5223cc311c7f9c361736a39fd4e7dff9ed1b85bab7ad54. The exploit lead to the gain of ~$1.7M for the hacker.
According to our PeckShield, the hack is made possible due to a reentrancy bug (introduced by the use of a crafted token contract) in the depositByAddLiquidity() function, which somehow doubles the credits the hacker is able to claim as one can see in the below image.
To illustrate further the hack tx was used and the key steps were taken out. The hacker first Flashloan 156,984 USDT and 157,210 WBNB. Then used ParaRouter addLiquidity (156,984 USDT and 157,210 WBNB) to UBT and get 155,935 LP_USDT_BUSD. The hacker then deposited fund by DepositByAddLiquidity into MasterChef by _tokens=[UGT, UBT]. The next step hacker did was ParaRouter. addLiquidity (tokenA=UGT, tokenB=UBT) then hacker reentrancy from UBT transferFrom to call Masterchef. deposit 155,935 LP_USDT_BUSD to UBT and receive 1 Para-LP_UGT_UBT.
The next step was UBT.withdrawAsset from MasterChef 155,935 LP_USDT_BUSD to UBT, then to hacker contract. The next step used is to Withdraw 155,935 LP USDT BUSD from MasterChef and then Remove liquidity tokenA=USDT, tokenB=BUSD USDT. transfer 312,399, BUSD 312,848. Then the hacker Flashloan repay 157,457 USDT and 157,683 BUSD. The next and last step was to transfer Profit 154,942 USDT and 155,165 BUSD to the hacker account.
The initial funds to launch the hack are withdrawn from TornadoCash. The result gains are swapped via PancakeSwap, and still stay in the hacker’s account (0x94bc1d555e63eea23fe7fdbf937ef3f9ac5fcf8f). We are actively monitoring this address for any movement.
UPDATE: Currently 230 ETH has been transferred into TornadoCash from exploiters.