Quadriga Initiative

Dec 2024 - GAGAW Contract Flawed Token Transfer Logic Exploited - $70k (Global)

GAGAW is a token launched on the Binance Smart Chain.

"The primary issue lies in the flawed accounting logic within the token's transfer function.

When a transfer is mistakenly identified as a removeLiquidity action, the recipient’s balance is increased by the balance of the 0xdead address.

This allowed the attacker to repeatedly simulate removeLiquidity transfers, accumulating a significant amount of tokens effortlessly.

It's unclear what the true intent behind this logic is—perhaps a simple typo or even a deliberate backdoor?

Additionally, the decision logic for removeLiquidity and addLiquidity can be manipulated through token transfers.

Despite restrictions on buying and selling, the attacker bypassed these limitations by simulating addLiquidity transfers, ultimately securing profit.

Interestingly, the attacker deposited the profits into a pre-created Uniswap pair."

"Our system has detected a suspicious attack involving #GAGAW on #BSC, resulting in an approximate loss of $69.7K."

Further Analysis

The GAGAW token was launched in a new smart contract on the Binance Smart Chain on November 23rd. The contract's token transfer logic contained a vulnerability, which was exploited on December 2nd, resulting in a loss of roughly $70k. It's unclear where the GAGAW community resides, or what their response has been.

How Could This Have Been Prevented?
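
As an added illustration (not from the original page and not the GAGAW contract's code), this Python model reproduces the accounting flaw quoted above and the supply-conservation check that exposes it in a pre-deployment test. The `Ledger` class, its method names, the `is_remove_liquidity` flag and the sample balances are assumptions constructed for the example; how the real contract classifies a transfer is not modelled.

```python
# Simplified model (assumed, not the GAGAW contract): balances in a dict,
# with the transfer classification passed in as a flag.
DEAD = "0xdead"


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())

    def _move(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

    def transfer_flawed(self, sender, recipient, amount, is_remove_liquidity):
        self._move(sender, recipient, amount)
        if is_remove_liquidity:
            # Flaw described on the page: the recipient is credited with the
            # 0xdead balance and no account is debited to pay for it.
            self.balances[recipient] += self.balances.get(DEAD, 0)

    def transfer_conserving(self, sender, recipient, amount, is_remove_liquidity):
        # One conserving form (assumption): every path is a pure debit/credit pair.
        self._move(sender, recipient, amount)


def supply_drift(ledger):
    """Sum of balances minus recorded total supply; must stay 0 after any transfer."""
    return sum(ledger.balances.values()) - ledger.total_supply


def check_invariant(transfer_name, rounds=3):
    """Send `rounds` transfers down the remove-liquidity path; return drift per round."""
    ledger = Ledger({"pair": 1_000, "user": 10, DEAD: 500})  # constructed sample state
    drifts = []
    for _ in range(rounds):
        getattr(ledger, transfer_name)("pair", "user", 1, is_remove_liquidity=True)
        drifts.append(supply_drift(ledger))
    return drifts


if __name__ == "__main__":
    print("flawed:    ", check_invariant("transfer_flawed"))
    print("conserving:", check_invariant("transfer_conserving"))
```

A non-zero drift after any transfer means tokens were created outside the mint path, which is the condition an invariant or fuzz test on the real contract would assert against.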


Sources/Further Reading

BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Dec 31)
GAGAW/USDT Real-time On-chain PancakeSwap v2 (BSC) DEX Data (Dec 31)
https://apespace.io/bsc/0x3ee9934da662ccf3cbb087cf096ef9e28ecbe017 (Dec 31)
@TenArmorAlert Twitter (Dec 31)
@0xCommitAudits Twitter (Dec 31)
@0xNickLFranklin Twitter (Dec 31)
GAGAW token exploit. – Defi hack analysis (Dec 31)
GAGAW exploiter | Address 0x86c5e027ffd8868278e1e113f65571055a10951c | BscScan (Dec 31)

