Odaily Planet Daily News: According to monitoring by the SlowMist Security Team, on November 10, 2022, the brahTOPG project on the ETH chain was attacked, and the attacker made a profit of approximately US$89,879. The SlowMist Security Team shared the following brief analysis:

1. The attacker first queried the balance of the victim user 0x392472, and then called the zapIn function of the Zapper contract.
2. The function first transfers the token specified by the requiredToken parameter into the contract. Since this parameter is externally controllable, the attacker set requiredToken to a fake token (a contract that attacks the Zapper contract itself) and transferred the fake token to the Zapper contract.
3. The internal function zap is then called. It first checks whether the contract's balance of the fake token is greater than or equal to the passed value; because of step 2, this check passes.
4. Next, the approve function of the fake token contract is called externally. The attacker constructed this function to transfer frax tokens into the Zapper contract, so that the subsequent check of the contract's frax balance passes and the deposit into the vault succeeds.
5. Finally, the contract specified by the swapTarget parameter is called externally (this parameter is also externally controllable), and the calldata passed in that call is likewise externally constructible. The attacker used this arbitrary external call to transfer USDC tokens from other users who had authorized the contract.
6. The attacker repeated the above steps three times in total, transferring about 889,343 USDC tokens from three victim accounts.

The root cause of this attack is that the Zapper contract does not strictly check the data passed in by the user, which results in an arbitrary external call. The attacker used this arbitrary external call to steal the tokens of users who still had an approval outstanding for the contract. The SlowMist Security Team reminds users who have interacted with this contract to promptly revoke the contract's approval to avoid the risk of asset theft.
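The pattern behind steps 2 and 5, as an added illustration that is not the brahTOPG or Zapper project's own code: a contract that holds users' ERC-20 allowances and lets the caller choose both the call target and the calldata, shown beside a hardened version that allowlists the accepted tokens and swap routers. The contract and function names, and the owner-managed allowlists, are assumptions for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface used by the sketch (assumed interface).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// VULNERABLE PATTERN (illustrative, not the real Zapper): requiredToken,
// swapTarget and swapData all come from the caller. Because users have
// approved this contract on their tokens, an attacker-chosen target and
// calldata make the contract spend those allowances on the attacker's behalf.
contract ZapperVulnerable {
    function zapIn(address requiredToken, uint256 amount,
                   address swapTarget, bytes calldata swapData) external {
        IERC20(requiredToken).transferFrom(msg.sender, address(this), amount);
        // Balance check passes for any token the caller controls (step 2/3).
        require(IERC20(requiredToken).balanceOf(address(this)) >= amount, "insufficient");
        (bool ok, ) = swapTarget.call(swapData);   // arbitrary external call (step 5)
        require(ok, "swap failed");
    }
}

// HARDENED PATTERN: only owner-registered tokens and swap routers are
// accepted, so neither a fake token nor a token contract the Zapper is
// approved on can be reached through zapIn.
contract ZapperHardened {
    address public immutable owner;
    mapping(address => bool) public allowedToken;       // assumed allowlist
    mapping(address => bool) public allowedSwapTarget;  // assumed allowlist

    constructor() { owner = msg.sender; }

    function setToken(address token, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedToken[token] = allowed;
    }
    function setSwapTarget(address target, bool allowed) external {
        require(msg.sender == owner, "not owner");
        allowedSwapTarget[target] = allowed;
    }

    function zapIn(address requiredToken, uint256 amount,
                   address swapTarget, bytes calldata swapData) external {
        require(allowedToken[requiredToken], "token not allowlisted");
        require(allowedSwapTarget[swapTarget], "swap target not allowlisted");
        IERC20(requiredToken).transferFrom(msg.sender, address(this), amount);
        (bool ok, ) = swapTarget.call(swapData);   // reachable targets are now bounded
        require(ok, "swap failed");
    }
}
```

Even with the allowlists, a contract that holds user approvals should never expose a caller-chosen target to `.call`; revoking outstanding approvals, as SlowMist advises above, removes the asset the pattern puts at risk.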