Decoding Ocean BNO’s $500k Exploit

Read Time: 3 minutes

On 18 July 2023, Ocean BNO on the Binance Smart Chain was attacked through a smart contract vulnerability, and around $500k worth of BNO tokens was swapped to BUSD by the attacker.

About Project:

Ocean NFT is a blockchain-based NFT marketplace. For more information, check out their website.


Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Address: 0xA6566574eDC60D7B2AdbacEdB71D5142cf2677fB

Victim Contract: 0xD138b9a58D3e5f4be1CD5eC90B66310e241C13CD

Attack Transaction: 0x33fed54de490797b99b2fc7a159e43af57e9e6bdefc2c2d052dc814cfe0096b9

The Root Cause:

  • The root cause of the exploit was incorrect reward accounting for the staked NFT and ERC20 tokens.
  • During emergencyWithdraw(), the staked NFT was not actually withdrawn, yet the user's rewardDebt was set to 0.
  • As a result, the NFT remained reclaimable even though the stake had been cancelled.
  • The attacker used emergencyWithdraw() to reset his reward debt to zero and claim the rewards again for profit.

Attack Process:

  • First, the attacker staked NFTs and BNO tokens through the stakedNFT() and pledge() functions.
  • Then the attacker called the emergencyWithdraw() function.
  • This allowed him to unstake the NFT while still receiving the rewards.
  • The process was repeated several times to increase the profit.
  • Finally, the exploiter swapped the rewards into BUSD.
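As an added example (not Ocean BNO's code), the following Python model of MasterChef-style reward accounting reproduces the root cause and the attack loop described above: the vulnerable emergency withdraw clears rewardDebt but leaves the stake record in place, so every subsequent harvest re-pays rewards that were already paid out, while the hardened variant removes the stake before clearing the debt. The class, addresses and amounts are constructed for illustration.

```python
# Constructed model of MasterChef-style accounting (not the project's code):
# pending = amount * acc_reward_per_share / PRECISION - rewardDebt, so clearing
# rewardDebt while the stake record survives re-credits rewards already paid.
PRECISION = 10**12

class StakingPool:
    def __init__(self, hardened):
        self.hardened = hardened        # True: emergency withdraw removes the stake
        self.acc_reward_per_share = 0   # cumulative reward per staked unit, scaled
        self.total_staked = 0
        self.paid_out = 0               # reward tokens that have left the contract
        self.users = {}                 # address -> {"amount", "rewardDebt"}

    def _user(self, addr):
        return self.users.setdefault(addr, {"amount": 0, "rewardDebt": 0})

    def _accrued(self, u):
        return u["amount"] * self.acc_reward_per_share // PRECISION

    def distribute(self, reward):       # accrue `reward` over everything staked
        if self.total_staked:
            self.acc_reward_per_share += reward * PRECISION // self.total_staked

    def stake(self, addr, amount):
        u = self._user(addr)
        self.harvest(addr)              # settle before the stake changes
        u["amount"] += amount
        self.total_staked += amount
        u["rewardDebt"] = self._accrued(u)

    def harvest(self, addr):
        u = self._user(addr)
        owed = self._accrued(u) - u["rewardDebt"]
        self.paid_out += owed
        u["rewardDebt"] = self._accrued(u)
        return owed

    def emergency_withdraw(self, addr):
        u = self._user(addr)
        if self.hardened:               # the staked amount really leaves the pool
            self.total_staked -= u["amount"]
            u["amount"] = 0
        u["rewardDebt"] = 0             # the vulnerable variant does only this

def attacker_payout(hardened, rounds=3):
    pool = StakingPool(hardened)        # stake, earn once, then loop the bug
    pool.stake("attacker", 100)
    pool.distribute(1000)               # attacker legitimately earns 1000
    pool.harvest("attacker")            # and collects it; rewardDebt == 1000
    for _ in range(rounds):
        pool.emergency_withdraw("attacker")
        pool.harvest("attacker")        # vulnerable: 1000 paid again each round
    return pool.paid_out
```

With only 1000 reward tokens ever funded, the vulnerable pool pays the attacker 4000 after three rounds, while the hardened pool never pays more than the 1000 actually earned.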

Flow of Funds:

Most of the funds were sent to this address – 0xdc109426972ae14d5b3d7e91b47d42ff1fd3c8cc

After the Exploit

  • The project had not acknowledged the attack at the time of writing this postmortem.

Incident Timelines

Jul-18-2023 12:57:13 AM +UTC – The attack started.

Jul-18-2023 12:57:13 AM +UTC – Exploiter swapped his profit for $504k BUSD.

Price Impact

The price of the BNO token dropped by 99% from $4.0 to $0.04 immediately following the attack.


How could they have prevented the Exploit?

When a contract accommodates multiple token standards, the business logic and arithmetic for each token must be accounted for and managed independently, so that an operation on one asset (such as an emergency withdrawal) cannot leave the accounting for another asset in an inconsistent state.

To guarantee the accuracy and functionality of the code, comprehensive test cases that thoroughly cover all potential business scenarios must be written.

Web3 Security: Need of the Hour

Why QuillAudits For Web3 Security? QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions, saving millions in funds.
