Poolz suffers from an arithmetic overflow attack, resulting in a loss of $665,000.


Recently, the Poolz platform was attacked on the Ethereum, Binance Smart Chain, and Polygon networks, resulting in the theft of a large number of tokens, with a total value of approximately $665,000. The attack occurred on March 15, 2023, at 3:16 AM (UTC).

Poolz suffered an attack due to an arithmetic overflow issue, resulting in a loss of approximately 665K USD!

According to on-chain data monitoring, the attack involved multiple tokens, including MEE, ESNC, DON, ASW, KMON and POOLZ. The attacker has exchanged some of the stolen tokens for BNB, but the funds have not yet been transferred.


The attacker exploited an arithmetic overflow vulnerability in the Poolz contract. Specifically, the issue lies in the getArraySum function called from the CreateMassPools function. When summing the token amounts, the accumulated result exceeds the maximum value of the uint256 type and wraps around, so the function ultimately returns 1.

The attack process is as follows:

  1. The attacker first exchanged for some MNZ tokens through a DEX.

  2. The attacker then called the CreateMassPools function, exploiting the vulnerability in getArraySum: the _StartAmount array supplied by the attacker contained extremely large values, so the addition overflowed.

  3. Because CreatePool records each pool's attributes from _StartAmount, the attacker actually transferred only 1 token while the system recorded a huge value.

  4. Finally, the attacker called the withdraw function to extract the tokens, completing the attack.


To prevent such issues from recurring, developers are advised to compile with a newer version of Solidity, which performs overflow checks automatically. Projects that must stay on an older Solidity version should consider OpenZeppelin's SafeMath library to guard against integer overflow.
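The overflow described above and the checked arithmetic recommended here, as an added example that is not Poolz's contract code: a Python model of uint256 accumulation with Solidity's unchecked pre-0.8 semantics beside a checked version, plus a simplified CreateMassPools accounting step run on a constructed input array. The function names, the pool bookkeeping and the sample array are assumptions, not the attacker's actual calldata.

```python
# Model of the getArraySum overflow and its checked counterpart (added example,
# not the Poolz contract). Python ints stand in for uint256 values.

UINT256_MAX = 2**256 - 1
MODULUS = 2**256


class Uint256Overflow(ArithmeticError):
    """Raised when a checked uint256 addition would exceed the type's range."""


def _check_uint256(a):
    if not 0 <= a <= UINT256_MAX:
        raise ValueError("element is not a valid uint256")


def get_array_sum_wrapping(amounts):
    """Unchecked accumulation, as in Solidity before 0.8: overflow wraps silently."""
    total = 0
    for a in amounts:
        _check_uint256(a)
        total = (total + a) % MODULUS  # modular wrap-around instead of a revert
    return total


def get_array_sum_checked(amounts):
    """Checked accumulation, as Solidity 0.8+ or SafeMath.add do: revert instead of wrap."""
    total = 0
    for a in amounts:
        _check_uint256(a)
        if total > UINT256_MAX - a:  # total + a would exceed uint256
            raise Uint256Overflow("sum of _StartAmount exceeds uint256")
        total += a
    return total


def create_mass_pools(start_amounts, array_sum):
    """Simplified pool accounting (assumed): pull array_sum(start_amounts) tokens once,
    then create one pool per element recording that element as its start amount.
    Returns (tokens_transferred_in, total_recorded_across_pools)."""
    transferred = array_sum(start_amounts)
    pools = [{"start_amount": a} for a in start_amounts]
    recorded = sum(p["start_amount"] for p in pools)
    return transferred, recorded


# Constructed input: two elements whose uint256 sum wraps to exactly 1.
SAMPLE_START_AMOUNTS = [UINT256_MAX, 2]

if __name__ == "__main__":
    moved, booked = create_mass_pools(SAMPLE_START_AMOUNTS, get_array_sum_wrapping)
    print(f"wrapping: transferred {moved} token(s), pools record {booked}")
    try:
        create_mass_pools(SAMPLE_START_AMOUNTS, get_array_sum_checked)
    except Uint256Overflow as e:
        print(f"checked: reverted ({e})")
```

With the wrapping sum the contract pulls 1 token but books UINT256_MAX + 2 across the pools; the checked sum reverts on the second element, so no pool is created.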

This incident reminds us once again that we must be particularly cautious when handling mathematical operations in smart contract development, especially when it involves large numerical calculations. At the same time, regular code audits and security checks are also important measures to ensure project safety.

ValidatorVibes · 22h ago
smh... another overflow attack. protocol audits r literally governance 101 frfr

MetaverseVagrant · 22h ago
It's really dark again; even 660,000 has the nerve to call itself a hacker.

IntrovertMetaverse · 22h ago
Why is the contract so weak?

OnChainSleuth · 22h ago
Another showdown, right?

SurvivorshipBias · 23h ago
A small attack is surprisingly violent.