QI Quadriga Initiative

Oct 2024 - Fire Token Burn Mechanism Exploited - $24k (Global)

Fire Token is a smart contract without any known social media presence or website. It is unrelated to the firetoken.ca website. The smart contract address is 0x18775475f50557b96c63e8bbf7d75bfeb412082d.

"The FireToken contract implemented a burning mechanism that removed tokens from the circulating supply during transfers. When tokens were transferred to the Uniswap liquidity pool, the `_transfer()` function reduced the pool’s balance by transferring a portion of the tokens to the `DEAD_ADDRESS` (burn address). Immediately after the transfer, the function called `sync()` to update the pool’s reserves."

"Whenever a transfer was made to the Uniswap pair, the `_transfer()` function burned some of the tokens, decreasing the number of FireTokens in the pool. According to Uniswap’s constant product formula (x * y = k), reducing the FireToken reserves in the pool (while keeping the ETH reserves constant) caused the perceived price of FireTokens to drop. The formula implies that as one asset’s reserve (FireToken) decreases, the other asset (ETH) appears more valuable, leading to a price discrepancy."

"The attacker exploited this by repeatedly transferring FireTokens to the Uniswap liquidity pool, artificially reducing the pool’s FireToken reserves with each transfer. After each burn, the attacker executed swaps, acquiring small amounts of ETH for a disproportionately large number of FireTokens, as the artificially low reserves made the price appear lower than it was."

"By continuously reducing the FireToken reserves through this burning and syncing process, the attacker manipulated the price multiple times, accumulating approximately $24,000 in profit shortly after the contract’s launch"

"The Fire ($FIRE) token on Ethereum was exploited just 24 seconds after its launch, resulting in the theft of 9 ETH (approximately $24,000). The root cause was related to the token burn mechanism within the transfer() function."

Further Analysis

Fire Token is a smart contract without any known social media presence or website. The smart contract was implemented and exploited on October 1st, immediately after launch. This was due to an error in the burn mechanism of the smart contract. There were 9 ETH lost, with a value of $24k.

How Could This Have Been Prevented?

More Cryptocurrency Exchange Hacks/Scams/Frauds

Cryptobottle WithdrawUserLiquidity Missing Access Control > > < < Bedrock SigmaSupplier uniBTC Forging Exploit

Sources/Further Reading

SlowMist Hacked - SlowMist Zone (Dec 31)
Ethereum Transaction Hash (Txhash) Details | Etherscan (Dec 31)
Fire Token Hack Analysis. Overview: | by Shashank | Oct, 2024 | SolidityScan (Dec 31)
Fire (FIRE) Token Tracker | Etherscan (Dec 31)
@CertiKAlert Twitter (Dec 31)

Join Us!

 Name: Email:
t.me/QuadrigaInitiative /r/QuadrigaInitiative @QuadrigaInit info@quadrigainitiative.com
Sign-Ups: 100%

Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected User. For questions or enquiries, email info@quadrigainitiative.com.