The Attack Analysis on Ploutoz Finance by Fairyproof
Ploutoz Finance, a decentralized lending application deployed on BSC was exploited on Nov. 23, 2021, 09:24:07 AM UTC. The attacker…
Ploutoz Finance, a decentralized lending application deployed on BSC was exploited on Nov. 23, 2021, 09:24:07 AM UTC. The attacker exploited the application’s virtual assets with a total value of 365,000 USDs.
Noticeably, the oracle that was used to retrieve the price of the DOP token was exploited in this attack.
The attacker manipulated the price of the DOP token, used it as collateral to borrow crypto assets including CAKE, ETH, BTCB, etc, then used both ParaSwap and PancakeSwap to exchange them to BNBs and cash out the BNBs via Tornado Cash.
It is worth noting that the gas that was used to initiate this attack was sourced from Tornado Cash as well.
Below is the basic information about this attack:
The attacker’s address: 0x2f618493b9ff77d61426e4dbf3b844666a6b315e
The attacking contract’s address: 0xcd8206410b55e278a9538071a69ef9e185856d24
The attacked contract’s address: 0xa41bf81be90fe9666cd566a80c85871f41529aed
The attacked contract’s name: PancakeOracle
The code section that had the vulnerability:
In the above code section, the PancakeOracle.latestAnswer() function was called to retrieve data from the PancakePair contract and calculate the token’s price. This calculated price was an instant price which was later on manipulated.
Prior to calling the latestAnswer() function, the attacker initiated a swap transaction to update the data in the PancakePair contract, then successfully obtained a preferred price by calling the latestAnswer() function and eventually exploited the application.
To fix this bug, Fairyproof hereby suggests that users use Chainlink or PancakeSwap’s TWAP oracle as its price feed.