On December 7, 2023, according to Beosin EagleEye, the TIME contract on Ethereum fell victim to a hacker attack, resulting in a profit of approximately $188,000 for the attacker.
This was no ordinary attack.
Upon tracing the origins, it was discovered that on December 4, 2023, thirdweb issued a vulnerability advisory on their blog and official channels stating, “On November 20, 2023, we realized that there is a security vulnerability in the integration of a common open-source library pattern for web3 smart contracts. This vulnerability affects some pre-built smart contracts of Thirdweb, and we have reached out to the relevant project teams for mitigation.”
On December 7th, the TIME contract on Ethereum became the first project to fall victim to this security issue. Today, let’s uncover the truth behind this attack.
Protocol Background Overview
ERC2771 Native Meta Transaction Security Protocol:
The EIP 2771 protocol defines a contract-level protocol for the recipient contract to accept meta transactions through a trusted relay contract. No protocol changes are made. The protocol is designed to allow Ethereum to accept calls from external accounts that do not have ETH to pay for gas fees. The protocol sends valid msg.sender (called msgSender()) and msg.data (called msgData()) to the recipient contract by appending additional calldata. The intent is to let Ethereum accept calls from external accounts without ETH to pay for gas fees.
Due to the specific design, the msg.sender, as described in the protocol, is obtained through the _msgSender() function. This function checks whether the initiator is a trusted relay and, if so, intercepts the last 20 bytes of the incoming calldata as the initiator of the transaction.
Muticall Batch Processing Library:
Muticall is a feature library provided by OpenZeppelin Contracts for processing multiple calls in a single external call.
From the Time event, we can see that the Multicall() function in its codebase iterates through DelegateCall functions to process Calldata and call other functions in this contract.
TIME Contract Event Information
● Attack Transaction
0xecdd111a60debfadc6533de30fb7f55dc5ceed01dfadd30e4a7ebdb416d2f6b6
● Attacker’s Address
0xfde0d1575ed8e06fbf36256bcdfa1f359281455a
● Attack Contract
0x6980a47bee930a4584b09ee79ebe46484fbdbdd0
● Attacked Contract
0x4b0e9a7da8bab813efae92a6651019b8bd6c0a29
TIME Contract Event Vulnerability Analysis
This attack primarily exploited a Forwarder contract that called the multicall function of the TIME token. Due to the use of the ERC2771 native meta-transaction security protocol by the TIME token, the attacker maliciously forged _msg.sender, leading to the destruction of tokens in the pair. Ultimately, the attacker profited from the token’s price increase through exchanges.
TIME Contract Event Attack Flow
1. The attacker initially used 5 WTH to exchange for approximately 3.45 billion Time tokens as preparatory funds.
2. Subsequently, the attacker called the Forwarder’s execute function through signature verification, passing in malicious calldata as follows:
3. At this point, the execute function would call the req.to address (Time token address), package req.data and req.from address, and call the multicall function of the Time token. How did the hacker discard req.from? The hacker set the length (size) of data[1] to 0x38, causing multicall to truncate req.from when parsing data.
4. The multicall function called the burn function, destroying Time tokens in the pair as the caller.
5. Finally, the attacker called the sync function in the pair to synchronize the reserves, causing the price of Time tokens to rise.
In the end, the hacker exchanged the TIME tokens obtained during the preparation phase for ETH in the pair, resulting in a profit of $188,000. This attack event once again reminds us of the critical importance of smart contract security. Project teams must strengthen vulnerability identification and remediation efforts to ensure the sustainable development of the blockchain ecosystem and the security of user.
Contact
If you need any blockchain security services, welcome to contact us:
Official Website Beosin EagleEye Twitter Telegram Linkedin