In this contract, attacker by buying 112 USDT and then buying 101 TCR using USDT and selling 101 TCR, the hacker obtained 600K USDT.
https://etherscan.io/tx/0x81e9918e248d14d78ff7b697355fd9f456c6d7881486ed14fdfb69db16631154
https://etherscan.io/token/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1#code#L159
The root cause of this problem is in the burnFrom function. This implementation allows any account A to burn tokens from any other account B if account A approves that number of tokens to B.
Hacker Approved huge amount of tokens to Uniswap pool. In the next step, he buys 101 TCR. Then he uses this bug to burn TCR owned by the pool and as a result the price of TCR increases. In the end, he sells the TCRs he bought.
```
require(_allowance[msg.sender][from] >= amount, ERROR_ATL);
```
You can easily write a rule for this pattern with the @semgrep tool and find all similar cases.
CryptoAudit
npub1mt…6mdys
2024-09-17 18:02:54
Author Public Key
npub1mtmlfn9c7sff6zfutdedj3prmrlhdwy5mne83xf34f3v7s57jknqs6mdysSeen on
wss://relay.nostr.bandPublished at
2024-09-17 18:02:54Event JSON
{
"id": "ca32987167ccb2854867783fd95f2c9fa0e500b19177b00b5b38054ece73f37a",
"pubkey": "daf7f4ccb8f4129d093c5b72d94423d8ff76b894dcf2789931aa62cf429e95a6",
"created_at": 1726596174,
"kind": 1,
"tags": [
[
"r",
"https://etherscan.io/tx/0x81e9918e248d14d78ff7b697355fd9f456c6d7881486ed14fdfb69db16631154"
],
[
"r",
"https://etherscan.io/token/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1#code#L159"
],
[
"r",
"msg.sender"
]
],
"content": "In this contract, attacker by buying 112 USDT and then buying 101 TCR using USDT and selling 101 TCR, the hacker obtained 600K USDT.\n\nhttps://etherscan.io/tx/0x81e9918e248d14d78ff7b697355fd9f456c6d7881486ed14fdfb69db16631154\nhttps://etherscan.io/token/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1#code#L159\n\nThe root cause of this problem is in the burnFrom function. This implementation allows any account A to burn tokens from any other account B if account A approves that number of tokens to B.\n\nHacker Approved huge amount of tokens to Uniswap pool. In the next step, he buys 101 TCR. Then he uses this bug to burn TCR owned by the pool and as a result the price of TCR increases. In the end, he sells the TCRs he bought.\n\n```\nrequire(_allowance[msg.sender][from] \u003e= amount, ERROR_ATL);\n```\n\nYou can easily write a rule for this pattern with the @semgrep tool and find all similar cases.",
"sig": "802bba0fa4dbfb1f2ef1470a7f2dd9ba69fbfbe4111d66278fd384c6f7421e1a8fd56de9ddedb0f70e7b06f13869748e491595ac19484c720d21f0ce50c3415e"
}