Jan 2025 - AST Token Incorrect Transfer Logic When Removing Liquidity - $65k (Global)

The AST token was launched on the Binance Smart Chain on January 17th.
Unfortunately, the smart contract was launched with a vulnerability that could be exploited by removing liquidity. When liquidity is removed from the PancakeSwap pair, the AST token decreases the pair's balance and also burns tokens from the pair, instead of increasing the user's balance. As a result, the pair's AST token balance is decreased twice.
"AST token on BSC was hacked because of wrong transfer logic. When remove liquidity from pancake pair, AST token decreases pancake pair balance and burn tokens of pancake pair, not increase user's balance. This means AST token balance of pancake pair decreased 2 times."
"Hacker exchanged a huge amount of USDT to AST, small amount of AST remained in pancake pair. Then, he transferred some USDT and AST to pancake pair, and called "skim", AST balance of pancake pair decreased to 1. Then, he was able to drain all USDT using a few AST tokens. He gained $65k."
SlowMist: "Amount of loss: $ 64,700"
Nick L Franklin: $65k.
"According to monitoring by the SlowMist security team, AST was allegedly attacked on BSC."
"SlowMist Security Alert We detected potential suspicious activity related to $AST. As always, stay vigilant!"
"The attacker has transferred the funds to Tornado.Cash."
Further Analysis
The AST token, launched on the Binance Smart Chain on January 17, 2025, was exploited due to a vulnerability in its smart contract. The issue involved the removal of liquidity from the PancakeSwap pair, which decreased the pair's AST token balance rather than increasing the user's balance. A hacker took advantage of this flaw by exchanging a large amount of USDT for AST, draining around $65k from the liquidity pool by exploiting the token's transfer logic. The attacker transferred the funds to Tornado.Cash. The exploit was detected and monitored by SlowMist, TenArmorAlerts, and Nick L Franklin, who published further information. It is unclear who runs the AST token and whether any assistance has been made available for affected users.
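The double decrease described above can be caught before launch by checking basic accounting invariants around every transfer out of the pair. The following is an added example, not the AST contract or code from any of the cited analyses: a simplified Python model in which the names (Token, check_transfer), the starting balances and the rule that any transfer out of the pair takes the liquidity-removal path are all assumptions made for illustration.

```python
# Simplified model of the accounting described above. Constructed for
# illustration: names and amounts are assumptions, not the AST contract.
PAIR, USER = "pair", "user"


class Token:
    def __init__(self, flawed):
        self.flawed = flawed
        self.balances = {PAIR: 1_000, USER: 0}
        self.burned = 0

    def transfer(self, sender, recipient, amount):
        # Assumption: any transfer out of the pair takes the removal path.
        removal = self.flawed and sender == PAIR
        debit = 2 * amount if removal else amount
        if self.balances[sender] < debit:
            raise ValueError("insufficient balance")
        self.balances[sender] -= debit
        if removal:
            # Flaw: the second debit is a burn and the recipient is never credited.
            self.burned += amount
        else:
            self.balances[recipient] = self.balances.get(recipient, 0) + amount


def check_transfer(token, sender, recipient, amount):
    """Run one transfer and return the accounting invariants it violated."""
    before = dict(token.balances)
    supply = sum(before.values()) + token.burned
    token.transfer(sender, recipient, amount)
    after = token.balances
    problems = []
    debited = before[sender] - after[sender]
    credited = after.get(recipient, 0) - before.get(recipient, 0)
    if debited != amount:
        problems.append(f"sender debited {debited}, expected {amount}")
    if credited != amount:
        problems.append(f"recipient credited {credited}, expected {amount}")
    if sum(after.values()) + token.burned != supply:
        problems.append("circulating + burned supply not conserved")
    return problems


if __name__ == "__main__":
    for flawed in (True, False):
        label = "flawed" if flawed else "fixed"
        print(label, check_transfer(Token(flawed), PAIR, USER, 100))
```

The same three checks translate directly into a unit or fuzz test in a Solidity test framework, run against transfers where the sender is the liquidity pair.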
How Could This Have Been Prevented?
Sources/Further Reading
SlowMist - "SlowMist Security Alert We detected potential suspicious activity related to $AST. As always, stay vigilant!" - Twitter/X (Dec 31)
AST Token Smart Contract - BSCScan (Dec 31)
AST Token Launch Transaction - BSCScan (Dec 31)
Exploit Transaction - BSCScan (Dec 31)
Nick L Franklin - "AST token on BSC was hacked because of wrong transfer logic. When remove liquidity from pancake pair, AST token decreases pancake pair balance and burn tokens of pancake pair, not increase user's balance. This means AST token ba...ter/X (Dec 31)
https://app.blocksec.com/explorer/tx/bsc/0x80dd9362d211722b578af72d551f0a68e0dc1b1e077805353970b2f65e793927 (Dec 31)
AST token hacked. – Defi hack analysis (Dec 31)
Audit911 - "Now you can find a vulnerability worth ~60k in just 5 minutes. AI auditing subverts the industry." - Twitter/X (Dec 31)
Ten Armor Alert - "Our system has detected a suspicious attack involving #AST on #BSC, resulting in an approximately loss of $64.7K." - Twitter/X (Dec 31)
Another Transaction By Attacker - BSCScan (Dec 31)
AST( AST ) Price and Market Stats | TheBitTimes.Com (Dec 31)
https://apespace.io/bsc/0xc10e0319337c7f83342424df72e73a70a29579b2 (Dec 31)
t.me/QuadrigaInitiative | /r/QuadrigaInitiative | @QuadrigaInit | info@quadrigainitiative.com