Decoding Azuki DAO Hack

Decoding Azuki DAO Hack

Decoding Azuki DAO Hack

Decoding Azuki DAO Hack

Decoding Azuki DAO Hack

Read Time: 3 minutes

Summary

On the 30th of June, Azuki DAO suffered an exploit of it’s governance token contract. The attack was made possible by a signature replay vulnerability. And around 17,937,50 BEAN was stolen by the hackers from the exploit.

About Project

Azuki DAO was a group that was formed last week in response to the controversial launch of Azuki Elementals, an NFT project spin-off from the creators of the original Azuki NFT collection. The DAO created a governance token, $BEAN, which was distributed to NFT owners.

To learn more about the Project, check out the official website.


Vulnerability Analysis & Impact

On-Chain Details

Attacker Address: 1. 0x85D231C204B82915c909A05847CCa8557164c75e

                    2. 0x8Eadc7Cc0a77594e3fA999e80e1cCb7F4e1c04E0

Victim Contract: 0x8189AFBE7b0e81daE735EF027cd31371b3974FeB

Attack Transaction:

all transactions here 

The Root Cause

Upon analysis of BEAN token contract –

  • There is no check on whether the signature is already claimed or not in the ‘claim’ function.
  • Although variable _signature checks if the address is eligible and signatureClaimed[_signature] is set, so user cant claim again.
  • But that is never checked anywhere in the function. 

This allowed attacker to repeatedly call the claim function with the same signature across different invocations of the claim function.

Although the attack was carried through a replay attack, the inherent signature malleability of ECDSA signature scheme could also be exploited.

This is because the line 

signatureClaimed[_signature] is storing signature as a key to hash . An attacker can take one valid signature , and make another valid signature 

Attack Process

  • The attacker claimed token with the signature – 0xb0c7a8994624f4187fa28019f1ed169887d814cc72a7c6e5a9afe78a0cc825e55f7fca08df0c2dc16ce05f2a39bc15949d6bb07c5283cf9e131ae51251e719e61b
  • The same signature was used to repeatedly claim BEAN tokens until 1.79 Million Tokens were claimed 

Flow of Funds

  • The attacker 0x85d231c204b82915c909a05847cca8557164c75e  has made a profit of 34.47ETH by 

full-resolution image here

  • The attacker 0x8Eadc7Cc0a77594e3fA999e80e1cCb7F4e1c04E0 has made a profit of 0.614ETH

full-resolution image here 

Attacker’s Wallets

Complete wallet details here.


After the Exploit

Incident Timelines

June 30th, 2023, at 3:54:47 PM +UTC, the attacker claimed 6,250 BEANZ tokens. The series of transactions lasted around 3:56:23 PM +UTC.

June 30th, 2023, at 4:15 PM UTC, the attacker claimed 31,250 Bean tokens from contract. The series of transactions lasted around 4:34 PM UTC. 

July 4th, 2023 – MetaSleuth informed about the attack via Twitter.


How could they have prevented the Exploit?

The Exploit could have been prevented if a like this was placed at the start of the claim, function

require(!signatureClaimed[_signature], “Not Authorized”);

A simple solution would be to modify the “claimed” mapping to be based on the user’s address instead of using the signature as the key. This way, each user would only be able to receive tokens once.


Web3 security- Need of the hour

Why QuillAudits For Web3 Security? QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of millions in funds.

Want more Such Security Blogs & Reports?

Connect with QuillAudits on :

Linkedin | Twitter | Website | Newsletter | Discord | Telegram

Partner with QuillAudits

2,161 Views

Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Latest blogs for this week

Understanding Fuzzing and Fuzz Testing: A Vital Tool in Web3 Security

Read Time: 5 minutes When it comes to smart contracts, ensuring the robustness and security of code is paramount. Many techniques are employed to safeguard these contracts against vulnerabilities
Read More

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

Read Time: 7 minutes Decentralized finance (DeFi) relies on Ethereum staking to secure the blockchain and maintain consensus. Restaking allows liquid staking tokens to be staked with validators in
Read More

ERC 404 Standard: Everything You Need to Know

Read Time: 7 minutes Introduction Ethereum has significantly shaped the crypto world with its introduction of smart contracts and decentralized applications (DApps). This has led to innovative developments in
Read More

DNS Attacks:  Cascading Effects and Mitigation Strategies

Read Time: 8 minutes Introduction DNS security is vital for a safe online space. DNS translates domain names to IP addresses, crucial for internet functionality. DNS ensures unique name-value
Read More

EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding

Read Time: 7 minutes Introduction  Ethereum, the driving force behind dApps, has struggled with scalability. High fees and slow processing have limited its potential. They have kept it from
Read More

QuillAudits Powers Supermoon at ETH Denver!

Read Time: 4 minutes Calling all the brightest minds and leaders in the crypto world! Are you ready to build, connect, and innovate at the hottest event during ETH
Read More

Decoding the Role of Artificial Intelligence in Metaverse and Web3

Read Time: 7 minutes Introduction  Experts predict a transformative shift in global software, driven by AI and ML, marking the dawn of a new era. PwC predicts AI will
Read More

Transforming Assets: Unlocking Real-World Asset Tokenization

Read Time: 7 minutes In the blockchain, real-world assets (RWAs) are digital tokens that stand for tangible and conventional financial assets, including money, raw materials, stocks, and bonds. As
Read More
Scroll to Top

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:

1

Refer QuillAudits to Web3 projects for audits.

2

Earn rewards as we conclude the audits.

3

Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+