Fairyproof’s Analysis of the Two Attacks on Crypto Burgers
Crypto Burgers, a metaverse application deployed on BSC, was attacked by two different addresses on Jan 17, 2022 UTC.
Here is the basic round-up:
The first attacker’s address was 0x78A8e6C6D7cd1A4d8C40e72Acd0e355a4C62D4c6.
There were two attacking contracts associated with this attacker and they were deployed at:
0x8f7da7ea5097dc8131d364e70689c72022ae5004 and
0xC935B78cf002611BD850117f11a971b76B79cc98 respectively.
The second attacker’s address was 0x912b102e726ed1a6a8792a58c0f241de8aaa6e4a.
There was one attacking contract associated with this attacker and it was deployed at:
0x199470b76112da3e1228de1956701b7ea15cdcf8.
The vulnerable contract exploited by both attackers was deployed at:
0xB34D4e3B01F78549895d0630e12261e8f6FDc3EC, which was a token contract.
The token’s name was BURG Token. The token had a proxy contract deployed at 0xF40d33DE6737367A1cCB0cE6a056698D993A17E1.
Specifically, the burn function of this token’s contract had a vulnerability such that anyone could burn the token. Here was the code section:
Basically, the function didn’t have access control, so anyone could call it to burn tokens.
Both attackers got their initial gas from 0x01C952174C24E1210d26961D456A77A39e1F0BB0 to launch their attacks. They burned the BURG token in the trading pair of BNB-BURG deployed at 0x02b0551B656509754285eeC81eE894338E14C5DD on Pancake to affect the validation of the k value in its trading algorithm and withdrew the BNB tokens in the trading pair.
Eventually, the first attacker took 600 BNB valued at $280,000 and the second attacker took 946 BNB valued at $419,000.