Hack incident overview
The project's XSD-WBNB pool on BSC was attacked. The attack transaction is https://bscscan.com/tx/0xbdf76f22c41fe212f07e24ca7266d436ef4517dc1395077fabf8125ebe304442. The overall attack flow can be reconstructed as follows.
XSD-WBNB pool: essentially a UniswapV2 clone. In the router's swapXSDForETH function:
    //approve router to use users xsd
    //burn 10% of XSD when uXSD is +ve
    function swapXSDForETH(uint amountOut, uint amountInMax)
        external
        override
    {
        require(!swap_paused, "Swaps have been paused");
        (uint reserveA, uint reserveB, ) = IXSDWETHpool(XSDWETH_pool_address).getReserves();
        uint amounts = BankXLibrary.quote(amountOut, reserveB, reserveA);
        require(amounts <= amountInMax, 'BankXRouter: EXCESSIVE_INPUT_AMOUNT');
        TransferHelper.safeTransferFrom(
            xsd_address, msg.sender, XSDWETH_pool_address, amountInMax
        );
        XSDWETHpool(XSDWETH_pool_address).swap(0, amountOut, address(this));
        //function will fail if conditions are not met
        //XSDWETHpool(XSDWETH_pool_address).flush();
        IWBNB(WETH).withdraw(amountOut);
        TransferHelper.safeTransferETH(msg.sender, amountOut);
        //burn xsd here
        //value of xsd liquidity pool has to be greater than 20% of the total xsd value
        if(XSD.totalSupply()-CollateralPool(payable(collateral_pool_address)).collat_XSD()>amountOut/10 && !pid_controller.bucket1()){
            XSD.burnpoolXSD(amountInMax/10);
        }
        refreshPID();
    }
What is the logic inside refreshPID()?
    function refreshPID() internal{
        if(block.timestamp>(last_called+pid_cooldown)){
            pid_controller.systemCalculations();
            last_called = block.timestamp;
        }
    }
pid_controller: https://bscscan.com/address/0x82a6405B9C38Eb1d012c7B06642dcb3D7792981B#code. At first glance, inside the systemCalculations function:
pushing up the XSD spot price changes the value of collat_XSD, which lets the if condition above pass.
The router's swapXSDForETH function contains XSD.burnpoolXSD logic, which means this function can be used to burn additional XSD out of the pool and thereby skew the XSD price. The simplest idea is: call swapETHforXSD to obtain XSD, burn the XSD in the pool, sync, and finally dump the XSD into the pool by swapping it back to ETH. The challenge is that the pool-burn logic lives inside swapXSDForETH, and we want to burn as much XSD as possible without moving the curve through a swap. Fortunately, swapXSDForETH first completes the swap, then sends out the ETH, and only then burns XSD. We can place the logic of the simple approach in the fallback function that runs when the ETH is sent out. The overall flow then becomes:
Here, to make sure execution reaches the burn logic, an extra pid_controller.systemCalculations(); call is made inside the fallback function.
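The sequence above works because value leaves the router before its state is settled and nothing stops the caller's fallback from re-entering. A hardened version of the function, written here as an added example (not BankX's code) with assumed interface names and helper signatures, moves the burn and PID refresh ahead of the ETH transfer, guards the function against reentrancy, and sizes both the transfer into the pool and the burn from the quoted input rather than the caller-chosen amountInMax:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Minimal interfaces mirroring the names the original router uses (assumed; not BankX's code).
interface IXSDWETHpool {
    function getReserves() external view returns (uint reserveA, uint reserveB, uint blockTimestampLast);
    function swap(uint amount0Out, uint amount1Out, address to) external;
}
interface IWBNB { function withdraw(uint wad) external; }
interface IXSD { function burnpoolXSD(uint amount) external; }
interface IPID { function bucket1() external view returns (bool); }

abstract contract HardenedRouter {
    address public XSDWETH_pool_address;
    address public xsd_address;
    address public WETH;
    IXSD public XSD;
    IPID public pid_controller;
    bool public swap_paused;
    uint256 private _lock = 1; // 1 = free, 2 = entered
    modifier nonReentrant() {
        require(_lock == 1, "BankXRouter: REENTRANT");
        _lock = 2;
        _;
        _lock = 1;
    }
    receive() external payable {} // receives the BNB unwrapped by IWBNB.withdraw

    // Helpers the original takes from BankXLibrary / TransferHelper / CollateralPool (assumed signatures).
    function _quote(uint amountA, uint reserveA, uint reserveB) internal pure virtual returns (uint);
    function _safeTransferFrom(address token, address from, address to, uint value) internal virtual;
    function _safeTransferETH(address to, uint value) internal virtual;
    function _poolBurnAllowed(uint amountOut) internal view virtual returns (bool); // the original's supply vs collat_XSD check
    function refreshPID() internal virtual;

    function swapXSDForETH(uint amountOut, uint amountInMax) external nonReentrant {
        require(!swap_paused, "Swaps have been paused");
        (uint reserveA, uint reserveB, ) = IXSDWETHpool(XSDWETH_pool_address).getReserves();
        uint amountIn = _quote(amountOut, reserveB, reserveA);
        require(amountIn <= amountInMax, "BankXRouter: EXCESSIVE_INPUT_AMOUNT");
        // Pull only what the quote requires, not the caller's cap, and size the burn from that amount.
        _safeTransferFrom(xsd_address, msg.sender, XSDWETH_pool_address, amountIn);
        IXSDWETHpool(XSDWETH_pool_address).swap(0, amountOut, address(this));
        if (_poolBurnAllowed(amountOut) && !pid_controller.bucket1()) {
            XSD.burnpoolXSD(amountIn / 10);
        }
        refreshPID();
        // Value leaves last: the caller's fallback runs with burn and PID update settled and the guard held.
        IWBNB(WETH).withdraw(amountOut);
        _safeTransferETH(msg.sender, amountOut);
    }
}
```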