The DEFI protocol MIM_SPELL lost more than $ 6 million by a hacker

Source: Beosin

On January 30, 2024, Beijing time, according to Beosin’s Eagleeye security risk monitoring, early warning and blocking platform monitoring display,The DEFI protocol MIM_SPELL was attacked by hackers Lightning loan, resulting in a loss of over 6 million US dollars.At present, the attacker will exchanges the stolen funds to ETH and transfer it to the two attackers’ addresses. Beosin Kyt will continue to monitor funds, and at the same time we analyze this vulnerability.

Vulnerability analysis

The main reason for this incident isThe attacker uses the project party contract to use the upward algorithm and control the parameter to 1. The maximum error control that will be taken up upward is used, which will lead to imbalances in the ledger.

There are two functions in the contract, which are BORROW and Repay, one is to borrow money from the contract, and the other is to pay the contract to the contract.

The BORROW function will specify the amount of borrowing, and the debt value is calculated by the proportional conversion, and the total debt value of the caller is updated.As shown in the figure below, the ADD algorithm of the contract here uses upwards.

The BORROW function will specify the repayment debt value, and the amount of repayment is calculated by the proportional conversion, and the repayment amount is transferred to the contract.As shown in the figure below, the SUB algorithm of the contract here still uses upwards.

Understand the process of borrowing and repayment, let’s see how hackers use the vulnerability.

The hacker first controlled the amount and debt value of the contract to 0 and 97 (how to control will be introduced in the next section).

Next, the BORROW and REPAY functions are not stopped, and the borrowing and repayment values ​​are 1. Finally, the amount of borrowing and debt value is controlled to 0 and 120080183818866665215049728, resulting in a serious imbalance.

According to the above code rules (elastic = 0, base = 97), when the attacker calls the BORROW once and is passed in 1, the two ledger will become elastic = 1, base = 98 (elastic is 0, and will increase according to the value synchronization.), When calling again and being passed into 1 again, it will become elastic = 2, base = 196 (when Elastic is not 0, it will be added in proportion to).

Next, the attacker calls the repay function to pass 1, and call the SUB function. At this time, the calculated elastic should be equal to 1*1/196 = & gt;Elastic = 1, base = 195.It can be seen that at this time Elastic is unchanged, but the base doubles.

The attacker uses multiple above methods to bring Elastic = 0, Base = 1200801838106866665215049728.Eventually borrowed a contract with more than 5 million mIM through a BORROW.

Attack process

Understand the function of the function, let’s take a look at how the attacker performs the attack (one of the transactions as an example).

1. The attacker first borrowed 300,000 MIMs.

2. Subsequently, the attacker query the amount and debt value in the callback function. It can be seen that at this time it is 240,000 and 230,000.

3. Next, the attacker calls the repayFrall function, returned 240,000 mIM tokens to control Elastic.

4. Next, the attacker returned the liabilities of other users through the REPAY function, and finally controlled the amount of loan and debt value to 0 and 97.

5. The attacker creates a new contract and controls the amount of borrowing and debt values ​​to 0 and 12008018381886665215049728 by appealing BORROW and REPAY.

6. Finally, 5 million mIM borrowed 5 million mIM through a BORROW and repaid lightning loan.

Fund tracking

As of press time, the stolen funds of over 6 million US dollars are exchanged for ETH, and the hacker address has not moved. The Beosin Kyt anti -money laundering platform will continue to monitor the funds.

  • Related Posts

    Pump.fun sends coins. Is it an opportunity or a harvest?

    Jessy, bitchain vision On July 12, Pump fun’s token Pump will be sold publicly.This public sale is a cooperation with many second-tier companies such as Kucoin, Bitget, MEXC, etc. The…

    The market is just a little bit better, WLFI is about to be unlocked

    Jessy, bitchain vision According to the official social media of World Liberty Financial (WLFI), it is developing a token transfer function. In mid-June this year, news that WLFI is about…

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    You Missed

    Shanghai State-owned Assets Supervision and Administration Commission holds a study meeting on cryptocurrency and stablecoin

    • By jakiro
    • July 11, 2025
    • 0 views
    Shanghai State-owned Assets Supervision and Administration Commission holds a study meeting on cryptocurrency and stablecoin

    Beyond DeFi Summer: Is PayFi Summer coming soon?

    • By jakiro
    • July 10, 2025
    • 5 views
    Beyond DeFi Summer: Is PayFi Summer coming soon?

    Pump.fun sends coins. Is it an opportunity or a harvest?

    • By jakiro
    • July 10, 2025
    • 14 views
    Pump.fun sends coins. Is it an opportunity or a harvest?

    Focus on the CLARITY Act: A complete analysis of content, significance and industry evaluation

    • By jakiro
    • July 10, 2025
    • 19 views
    Focus on the CLARITY Act: A complete analysis of content, significance and industry evaluation

    Ethereum’s new vision

    • By jakiro
    • July 9, 2025
    • 31 views
    Ethereum’s new vision

    Top 10 core reasons for bullish Ethereum

    • By jakiro
    • July 8, 2025
    • 18 views
    Top 10 core reasons for bullish Ethereum
    Home
    News
    School
    Search