2024 04 25 NGFS Attack Incident

Louis Tsai Lv1
  2024-09-14 23:36:47 2024-09-14 23:36:47 Created   2024-12-12 08:50:51 2024-12-12 08:50:51 Updated  

0x00 Summary

On April 25, 2024, NGFS Token suffered a substantial loss (~190K USD) shortly after the contract was deployed (it was deployed ~2 days ago). The primary reason for this was the inadequate access control for a crucial function, NGFSToken::delegateCallReserves.

0x01 Introduction

The victim token in the incident is FENGSHOU (NGFS), and the exploitation process is straightforward - The NGFSToken::delegateCallReserves function lacks access control, allowing arbitrary configuration of the _uniswapV2Proxy variable. By leveraging this vulnerability, the attacker manipulates the _uniswapV2Library variable and ultimately adjusts their token balance through NGFSToken::reserveMultiSync.

The transaction hash is 0x8ff764dde572928c353716358e271638fa05af54be69f043df72ad9ad054de25 on Binance Smart Chain.

The fund flow and transaction is straightforward: all funds were transferred from the NGFS token and subsequently exchanged back to the attacker’s contract via PancakeSwap.

Transaction Invocation Flow

Attacker Address: 0xd03d360dfc1dac7935e114d564a088077e6754a0

Attacker Contract: 0xc73781107d086754314f7720ca14ab8c5ad035e4

Victim Contract: 0xa608985f5b40cdf6862bec775207f84280a91e3a

0x02 Timeline

2024-04-23 09:45:54 (UTC), the NGFS token was created

2024-04-25 11:18:05 (UTC), the attack was initiated and completed

0x03 Root Cause

The invocation flow is as follows, and it is not complicated:

  1. The attacker initially sets the _uniswapV2Proxy to the attacker contract through NGFSToken::delegateCallReserves. Despite the expectation that this variable should be set during the deployment process, or should be set by admin, the NGFSToken::uniswapV2Dele value remains false, and there is no access control for the function, enabling the attacker to bypass the require statement.

delegateCallReserves function

  1. Subsequently, NGFSToken::setProxySync is invoked. As the attacker contract is now designated as _uniswapV2Proxy, it can configure the _uniswapV2Library value to itself.

setProxySync

  1. Finally, since the attacker contract address is also designated as the _uniswapV2Library, the token balance can be arbitrarily updated through NGFSToken::reserveMultiSync.

The attacker then swaps the tokens from NGFS token to BSC token and transfers them back to themselves.

0x04 Proof 0f Concept

A proof-of-concept is provided on DeFiHackLabs , which you can review it there.

0x05 Lesson Learned

Always be cautious with any critical function!

In this scenario, if the _uniswapV2Proxy value is meant to be set only once, developers can configure it in the constructor and marking the value as immutable mutability. Another mitigation strategy is to incorporate an onlyOwner modifier or other access control-related modifier to the function. These measures help enhance the security of the contract and mitigate the risk of unauthorized access or manipulation.

0x06 Reference

[1] Certik Alert

  • Title: 2024 04 25 NGFS Attack Incident
  • Author: Louis Tsai
  • Created at : 2024-09-14 23:36:47
  • Updated at : 2024-12-12 08:50:51
  • Link: https://redefine-nine.vercel.app/2024/09/14/2024-04-25-NGFS-Exploit/
  • License: This work is licensed under CC BY-NC-SA 4.0.
Comments
On this page
2024 04 25 NGFS Attack Incident
  1. 0x00 Summary
  2. 0x01 Introduction
  3. 0x02 Timeline
  4. 0x03 Root Cause
  5. 0x04 Proof 0f Concept
  6. 0x05 Lesson Learned
  7. 0x06 Reference