Sep 2024 - Caterpillar Token Flash Loan Smart Contract Drain - $1.4m (Global)

Caterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024.
"Caterpillar Coin suffered a flashloan attack resulting in a loss of ~$1.4M and causing a 99% slippage on the token. The attack exploited vulnerabilities in the "price protection mechanisms", which led to the manipulation of token reserves and rewards."
"The attack appears to have followed a straightforward pattern: the attacker used a flash loan to borrow USDT from the USDT-WBNB pair, then ran a loop to create several contracts with the main attack logic running in the constructor. Before creating each contract, the exploiter transferred a large amount of USDT for the logic in the constructor to utilize."
"1. The attacker took out a 4.5 million USDT flashloan, swapped some for $CUT tokens, and added liquidity to the USDT-CUT pool.
2. Due to a flaw in the reward calculation process, the attacker was able to manipulate the token's reserves, significantly increasing their rewards.
3. By repeating this process, the attacker drained the liquidity pool, repaid the loan, and walked away with around $1.4M USD in profits."
The reward calculation is vulnerable to price manipulation; the exploiter abused this to obtain extra $CUT tokens, sold them, and gained ~$1.4m from the BUSD-CUT PancakeSwap pair.
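To make the reserve-reading flaw concrete, the following is an added illustration written for this page (constructed code, not the CUT contract or any auditor's code). It models a constant-product pool with hypothetical reserves, a hypothetical swap fee and a hypothetical reward formula, and shows why a reward valued at spot reserves inside the same transaction balloons after one large swap, while the same reward valued at a time-weighted average price (TWAP) does not move.

```python
# Constructed illustration: spot-reserve valuation vs. TWAP valuation under a
# flash-loan-sized swap. Reserves, fee and reward formula are hypothetical.
from dataclasses import dataclass

FEE = 0.9975  # hypothetical 0.25% swap fee (1 - fee applied to input)


@dataclass
class Pool:
    usdt: float  # USDT reserve
    cut: float   # CUT reserve

    def spot_price(self) -> float:
        """CUT price in USDT read straight from reserves (manipulable)."""
        return self.usdt / self.cut

    def swap_usdt_for_cut(self, usdt_in: float) -> float:
        """Constant-product swap x*y=k; returns CUT paid out."""
        cut_out = self.cut - (self.usdt * self.cut) / (self.usdt + usdt_in * FEE)
        self.usdt += usdt_in
        self.cut -= cut_out
        return cut_out


def reward_at_price(cut_held: float, price: float) -> float:
    """Hypothetical reward: USDT-denominated credit for CUT held."""
    return cut_held * price


def twap(observations) -> float:
    """Time-weighted average of (price, seconds_at_that_price) samples.
    A price set and read within one block has zero elapsed time, so zero weight."""
    total = sum(p * dt for p, dt in observations)
    secs = sum(dt for _, dt in observations)
    return total / secs


def simulate(swap_usdt: float) -> dict:
    pool = Pool(usdt=1_000_000.0, cut=1_000_000.0)  # constructed reserves
    fair = pool.spot_price()                         # 1 USDT per CUT
    history = [(fair, 600)]                          # 10 min of normal trading
    cut_bought = pool.swap_usdt_for_cut(swap_usdt)   # borrowed funds swapped in
    manipulated = pool.spot_price()
    history.append((manipulated, 0))                 # same block: dt = 0
    return {
        "fair_price": fair,
        "manipulated_price": manipulated,
        "reward_spot": reward_at_price(cut_bought, manipulated),
        "reward_twap": reward_at_price(cut_bought, twap(history)),
    }
```

A contract that values positions or rewards from `getReserves()` in the same transaction behaves like `reward_spot`; sourcing the price from a TWAP or an external oracle, and rejecting same-block deposit-and-claim, collapses the inflation to `reward_twap`.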
Further Analysis
Caterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024. The project does not appear to have a website or other online presence. A Twitter account, CUT2024CUT, is referenced; however, there is no evidence that this account ever existed. On September 10th, the smart contract was exploited via a flash loan, allowing the exploiter to profit by a total of $1.4m USD. There is no evidence of any team response, investigation, or attempt to recover funds.
How Could This Have Been Prevented?
Sources/Further Reading
BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Dec 31)
https://www.thestreet.com/crypto/innovation/technical-weaknesses-in-smart-contracts-merit-targeted-security-solutions- (Dec 31)
CoinStats - Crypto hacks explode 8x in just one month—$11... (Dec 31)
https://www.cryptopolitan.com/crypto-hacks-rise-116m-stolen-in-september/ (Dec 31)
Crypto Hacks Surge in September 2024: Over $120 Million Lost (Dec 31)
Coinpedia Fintech News: Guest Post by CoinPedia News | CoinMarketCap (Dec 31)
Crypto Hack Weekly Report: Indodax Heist, Caterpillar Coin Collapse, and Apple's Deepfake Incident (Dec 31)
Over 20 Crypto Hacks in September 2024: Here’s How Much Was Stolen: Guest Post by CryptoPotato_News | CoinMarketCap (Dec 31)
BEP20USDT | Address 0x7057f3b0f4d0649b428f0d8378a8a0e7d21d36a7 | BscScan (Dec 31)
https://dexscreener.com/bsc/0x83681f67069a154815a0c6c2c97e2daca6ed3249 (Dec 31)
CUT/USDT - CUT Price on Pancakeswap V2 (BSC) | GeckoTerminal (Dec 31)
CUT/USDT Real-time On-chain PancakeSwap v2 (BSC) DEX Data (Dec 31)
Cut Incident - Price Manipulation - by lifebow - Verichains (Dec 31)
@CertiK_CN Twitter (Dec 31)
@TenArmorAlert Twitter (Dec 31)
@0xCommitAudits Twitter (Dec 31)
@MetaTrustAlert Twitter (Dec 31)
@EXVULSEC Twitter (Dec 31)
Caterpillar Coin hit by flashloan attack | YOGENDRA SINGH DIWAN posted on the topic | LinkedIn (Dec 31)
BlockThreat - Week 37, 2024 (Dec 31)
Crypto Hack Weekly Report: Indodax Heist, Caterpillar Coin Collapse, and Apple’s Deepfake Incident (Dec 31)
Month in Review: Top DeFi Hacks of September 2024 (Dec 31)
https://www.certik.com/resources/blog/caterpillar-coin-cut-token-incident-analysis (Dec 31)
t.me/QuadrigaInitiative | /r/QuadrigaInitiative | @QuadrigaInit | info@quadrigainitiative.com