Decoding TrustPad’s $155k Exploit

Decoding TrustPad’s $155k Exploit

Decoding TrustPad’s $155k Exploit

Decoding TrustPad’s $155k Exploit

Decoding TrustPad’s $155k Exploit

Read Time: 4 minutes

Summary:

On the 7th of November 2023, TrustPad was attacked. The attack was made possible due to a logical flaw in the staking contract. Around $151k worth of tokens were stolen by the attacker.

About Project:

TrustPad is a multi-chain launchpad. For more information, check out their website.


Vulnerability Analysis & Impact:

On-Chain Details:

Attacker Address:   0x1a7b15354e2f6564fcf6960c79542de251ce0dc9

Victim Contract: 0x1694d7fabf3b28f11d65deeb9f60810daa26909a

The Root Cause:

  • The root cause of the exploit was a logic flaw in TrustPad’s Staking Contract
  • The receiveUpPool() function was responsible for accepting the upPool request from another pool and moves the specified amount of tokens from the user and then re-locks, and then change the lock time period to now. Here, upPool means moving the tokens to another pool.
  • Notice how msg.sender is not verified in the above contract. This allowed attacker to continuously call receiveUpPool() and withdraw()  
  • Consequently, the attacker acquires the capability to immediately withdraw all staked funds and boost the pending reward status through the execution of the withdraw() function.
  • Following the repetition of these actions, the attacker employs the stakePendingRewards() function to move all pending rewards into the staked amount state, enabling them to withdraw these rewards as profit later using the withdraw() function.

Attack Process:

  • First, the attacker deposit TPAD token into LaunchpadLockableStaking contract with the help of receiveUpPool() function.
  • Then the attacker repeatedly call stakePendingRewards() and withdraw function to increase the impact of the attack.
  • Finally, the attacker was able to withdraw all the funds.

Flow of Funds:

Here is the fund flow during and after the exploit. You can see more details here.

Soon after the hack, the attacker started to transfer funds to Tornado Cash. See here.


After the Exploit

  • The Project acknowledged the hack via their Twitter.

Incident Timelines

Nov-06-2023 04:02:52 PM +UTC – The attacker started the attack after creating a malicious contract.

Nov-07-2023 01:56:56 AM +UTC – The attacker repeatedly called vulnerable function. This was the last transaction spotted

Nov-07-2023 12:32:42 PM +UTC – The attacker started depositing funds to Tornado Cash.

Price Impact

The price of the TPAD token dropped from $0.120  to $0.0016 immediately following the attack. It is currently trading at $0.0011 as of the time of writing this blog. See here.


How could they have prevented the Exploit?

Insufficient input validation and logical flaws have been the target of hackers for a very long time. 

It is recommended for protocols to prioritize testing and fuzzing to ensure all the edge cases have been successfully mitigated.

Web3 security- Need of the hour

In today’s digital era, Web3 security has become an indispensable aspect of the blockchain industry. QuillAudits stands at the forefront of this domain, offering top-notch cybersecurity solutions that safeguard millions in assets. Our team of experts is adept at utilizing advanced tools and techniques to ensure the highest level of security for your Web3 projects.

Partner with QuillAudits :

Interested in collaborating with QuillAudits? Explore our partnership opportunities designed to enhance Web3 security across the ecosystem:

1,323 Views

Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Latest blogs for this week

Understanding Fuzzing and Fuzz Testing: A Vital Tool in Web3 Security

Read Time: 5 minutes When it comes to smart contracts, ensuring the robustness and security of code is paramount. Many techniques are employed to safeguard these contracts against vulnerabilities
Read More

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

Read Time: 7 minutes Decentralized finance (DeFi) relies on Ethereum staking to secure the blockchain and maintain consensus. Restaking allows liquid staking tokens to be staked with validators in
Read More

ERC 404 Standard: Everything You Need to Know

Read Time: 7 minutes Introduction Ethereum has significantly shaped the crypto world with its introduction of smart contracts and decentralized applications (DApps). This has led to innovative developments in
Read More

DNS Attacks:  Cascading Effects and Mitigation Strategies

Read Time: 8 minutes Introduction DNS security is vital for a safe online space. DNS translates domain names to IP addresses, crucial for internet functionality. DNS ensures unique name-value
Read More

EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding

Read Time: 7 minutes Introduction  Ethereum, the driving force behind dApps, has struggled with scalability. High fees and slow processing have limited its potential. They have kept it from
Read More

QuillAudits Powers Supermoon at ETH Denver!

Read Time: 4 minutes Calling all the brightest minds and leaders in the crypto world! Are you ready to build, connect, and innovate at the hottest event during ETH
Read More

Decoding the Role of Artificial Intelligence in Metaverse and Web3

Read Time: 7 minutes Introduction  Experts predict a transformative shift in global software, driven by AI and ML, marking the dawn of a new era. PwC predicts AI will
Read More

Transforming Assets: Unlocking Real-World Asset Tokenization

Read Time: 7 minutes In the blockchain, real-world assets (RWAs) are digital tokens that stand for tangible and conventional financial assets, including money, raw materials, stocks, and bonds. As
Read More
Scroll to Top

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:

1

Refer QuillAudits to Web3 projects for audits.

2

Earn rewards as we conclude the audits.

3

Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+