According to the MetaTrust Alert tweet, the project Earning.Farm deployed on Ethereum has been attacked. As of now, the loss from the attack amounts to approximately 288 $ETH, worth $536,000. All tokens have been moved to a new wallet (0xee4b3d).
The root cause of this vulnerability lies in the "withdraw" function of the "EFVault" contract, which has a logic flaw: when the caller's "ENF_ETHLEV" balance is less than the expected amount, the function burns only that remaining balance, so shares moved out of the caller's wallet before the burn are never burned.
Attack Steps
1/ The attacker obtained 10,000 ETH from flash loans, deposited 80 ETH into the "ENF_ETHLEV" contract, and received 295e18 shares.
2/ The attacker called the "withdraw" function of the "ENF_ETHLEV" contract to withdraw all 295e18 shares. That "withdraw" function in turn called the "withdraw" function of the external "controller" contract, which invoked the fallback function of the attacker's contract.
3/ In the fallback function, the attacker transferred (295e18 - 1000) "ENF_ETHLEV" tokens to a new wallet, 0xfd29f2. As a result, only 1000 "ENF_ETHLEV" tokens were burned.
4/ The attacker converted the "ENF_ETHLEV" tokens held in wallet 0xfd29f2 into ETH, repaid the flash loan, and kept the difference as profit.
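The pattern behind steps 2 and 3, as an added Solidity sketch that is not the EFVault source: the vulnerable "withdraw" pays out through the controller before computing the burn from whatever balance remains, while the fixed version burns the full requested amount before making the external call. Contract, interface and function names here are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Simplified share vault modelled on the incident above; an added
// illustration, not the EFVault source. Names are assumed.
interface IController {
    // Pays out the underlying for `shares` to `to`. If `to` is a contract,
    // its receive()/fallback runs inside this call.
    function withdraw(uint256 shares, address to) external;
}

contract ShareVault {
    IController public immutable controller;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    constructor(IController c) { controller = c; }

    function transfer(address to, uint256 amount) external {
        balanceOf[msg.sender] -= amount; // 0.8 checked arithmetic reverts on underflow
        balanceOf[to] += amount;
    }

    // BEFORE: the burn amount is derived from the balance that remains
    // *after* the external call, so shares transferred away inside the
    // callback are never burned although the underlying was already paid.
    function withdrawVulnerable(uint256 shares) external {
        require(balanceOf[msg.sender] >= shares, "insufficient shares");
        controller.withdraw(shares, msg.sender);       // caller's fallback runs here
        uint256 bal = balanceOf[msg.sender];           // incident: 1000 instead of 295e18
        uint256 toBurn = shares < bal ? shares : bal;  // "burn only what is left"
        balanceOf[msg.sender] = bal - toBurn;
        totalSupply -= toBurn;
    }

    // AFTER: checks-effects-interactions. Burn the full requested amount
    // from the pre-call balance, then make the external call; the guard
    // additionally blocks re-entering withdraw from the callback.
    function withdrawFixed(uint256 shares) external nonReentrant {
        require(balanceOf[msg.sender] >= shares, "insufficient shares");
        balanceOf[msg.sender] -= shares;
        totalSupply -= shares;
        controller.withdraw(shares, msg.sender);
    }
}
```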
One of the attack transactions: https://etherscan.io/tx/0x878d8986ed05ab32cc01e05663d27ea471576d2baff1081b15ed5fb550f9d81b
Reference tweet: https://twitter.com/MetaTrustAlert/status/1689196222048030721?s=20