The world of decentralized finance (DeFi) is extremely attractive, but it is also extremely risky. Earlier this month, a complex exploit siphoned off over $1 million in Mobius Token on the BNB Chain. This attack caused a crippling $2.1 million loss. MetaBlock X breaks down the incident in depth: what transpired, how it unfolded, and what developers and investors can learn to strengthen security and avoid similar attacks going forward.

The Anatomy of the Mobius Token Exploit

The Mobius Token exploit wasn’t just a smash-and-grab. It was a multi-faceted attack that targeted vulnerabilities in the smart contract code and exploited weaknesses in the token minting mechanism. Reconstructing the attack’s progression is key to preventing future incidents.

Identifying the Vulnerabilities

The security firm Cyvers Alerts was among the first to detect abnormal transaction patterns and identify critical vulnerabilities within the Mobius Token contract code. These vulnerabilities were the initial attack vector. The attacker took advantage of a loophole in the MBU minting process. As a result, reports suggest the attacker was able to mint an unfathomable 9.73 quadrillion MBU tokens using just 0.001 BNB during one execution. This is a critical reminder of the need for strong input validation and access control in smart contracts. The attacker used a malicious smart contract purpose-built to exploit the Mobius Token smart contracts. By executing this malicious contract, the attacker was able to siphon funds from the victim’s wallet. The incident underscores the danger posed by improper communication between contracts.

The Attack Vector: A Technical Breakdown

The attack’s methods were sophisticated and showed an expert knowledge of blockchain technology.

  • Malicious Contract Deployment: The attacker deployed a malicious contract named Hack and another contract called MoneyMaker. The MoneyMaker contract was designed to call the Hack contract instead of the legitimate Vault contract.

  • Authorization: A critical element of the exploit was the victim's prior authorization of a specific contract address (0x3880285800a89AB3C4338bf455acdA3da6f8fA24) over two years ago. This highlights the risks associated with long-standing authorizations and the importance of regularly reviewing and revoking unnecessary permissions.

  • Transaction Flow: The victim initiated a transaction by calling the MoneyMaker.makeMoney function, anticipating that it would interact with the Vault.transfer function and effectively double their Ether. However, the MoneyMaker contract was rigged to call the Hack.transfer function instead, triggering an event that indicated the attacker had seized the Ether.

  • Malicious Contract Code: The MoneyMaker contract's constructor accepted a Vault contract address as an argument. The makeMoney function then called the transfer function on the provided Vault contract address. The attacker exploited this by deploying the Hack contract and providing its address as the Vault contract address during the deployment of the MoneyMaker contract.

  • Exploit: The Hack contract contained a transfer function that called the withrow function, ultimately transferring the Ether to the attacker's address. This demonstrates how a carefully crafted malicious contract can intercept and redirect funds intended for a legitimate purpose.

Lessons Learned: Fortifying DeFi Security

The Mobius Token exploit raises an important concern. It serves as a wake-up call to the community about how badly better security tools are needed in the DeFi ecosystem. Both developers and investors must take proactive steps to mitigate risks and protect their assets.

For Developers: Building More Secure Smart Contracts

We believe developers have a key responsibility in developing a safer DeFi ecosystem. Here are some key recommendations:

  • Use Solidity compiler version 0.8.0 or higher: This version introduces automatic checks for overflows and underflows, which can prevent a range of exploits.

  • Implement slippage restrictions: Slippage restrictions between 0.1% and 5% can prevent front-runners from exploiting higher slippage rates, depending on network fees and swap size.

  • Restrict external contracts: Limiting external contract interactions minimizes the risk of introducing vulnerabilities from third-party code.

  • Use secure coding practices: Developers should adhere to best practices for secure coding to prevent common vulnerabilities such as:

    • Reentrancy attacks
    • Integer overflow and underflow
    • Timestamp dependence
    • Access control vulnerabilities
    • Front-running attacks
    • Denial of Service (DoS) attacks
    • Logic errors
    • Insecure randomness
    • Gas limit vulnerabilities
    • Unchecked external calls

For Investors: Protecting Your Assets

Investors may need to start taking some accountability for the protection of their investments in the DeFi sphere. Here are some steps you can take:

  • Do Your Research (DYOR): Before investing in any DeFi project, thoroughly research the team, technology, and security audits.
  • Diversify Your Portfolio: Don't put all your eggs in one basket. Diversifying your portfolio across multiple projects can reduce your overall risk.
  • Use Hardware Wallets: Store your cryptocurrency on a hardware wallet for enhanced security.
  • Revoke Unnecessary Permissions: Regularly review and revoke permissions granted to smart contracts to minimize the risk of unauthorized access to your funds.
  • Stay Informed: Keep up-to-date with the latest security threats and best practices in the DeFi space.
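
The "Authorization" point in the attack breakdown and the "Revoke Unnecessary Permissions" advice above both come down to knowing which approvals are still live. The following is an added example, not code from the incident or from any project named here: it replays ERC-20/BEP-20 Approval logs and flags allowances that are unlimited or older than a threshold. It assumes the logs were already fetched, carry integer blockNumber and logIndex fields, and have a block timestamp joined in; all addresses and sample logs are constructed.

```python
from collections import namedtuple

# keccak256("Approval(address,address,uint256)"): topic0 of ERC-20/BEP-20 approvals
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED, DAY = 2**256 - 1, 86_400
Finding = namedtuple("Finding", "token spender allowance age_days reasons")

def topic_to_address(topic):  # indexed address = low 20 bytes of a 32-byte topic
    return "0x" + topic[-40:].lower()

def audit_approvals(logs, owner, now, max_age_days=180):
    """Replay Approval logs in chain order; return risky allowances still live."""
    live = {}  # (token, spender) -> (last approved value, time it was set)
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but carries 4 topics, so require exactly 3
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        value = int(log["data"], 16)
        if value == 0:
            live.pop(key, None)  # approve(spender, 0) is a revocation
        else:
            live[key] = (value, log["timestamp"])
    findings = []
    for (token, spender), (value, ts) in live.items():
        age = (now - ts) // DAY
        reasons = [r for r, hit in (("unlimited", value == UNLIMITED),
                                    ("stale", age > max_age_days)) if hit]
        if reasons:
            findings.append(Finding(token, spender, value, age, reasons))
    return sorted(findings, key=lambda f: -f.age_days)

# --- constructed sample data (placeholders, not taken from the incident) ---
OWNER, TOKEN = "0x" + "aa" * 20, "0x" + "11" * 20
OLD, REVOKED, FRESH = ("0x" + b * 20 for b in ("b1", "b2", "b3"))
NOW = 1_750_000_000

def make_log(block, ts, spender, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": block, "logIndex": 0, "timestamp": ts,
            "topics": [APPROVAL_TOPIC, pad(OWNER), pad(spender)],
            "data": "0x%064x" % value}

SAMPLE = [make_log(100, NOW - 800 * DAY, OLD, UNLIMITED),      # 2+ years, never revoked
          make_log(110, NOW - 700 * DAY, REVOKED, UNLIMITED),
          make_log(120, NOW - 600 * DAY, REVOKED, 0),          # later revoked
          make_log(130, NOW - 3 * DAY, FRESH, 5 * 10**18)]     # recent and bounded
```

The value in an Approval log is what was approved, not what remains after spending, so confirm each finding against the token's allowance(owner, spender) before revoking.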

Additional High-Profile BNB Chain Exploits

The Mobius Token exploit is not an isolated case. Over the last year or so, the BNB Chain has been targeted by many other equally sophisticated attacks, underlining the continuing difficulty of securing this ecosystem.

Binance Bridge Exploit

In October 2022, a $570 million exploit rocked the Binance Bridge (BSC Token Hub). The attack was used to steal over $566 million. The attacker became a relayer for the Binance Bridge (BSC Token Hub), then leveraged a verification proof vulnerability to mint two million BNB. The attack exploited a code bug to transfer 1 million BNB twice (approximately $566 million), first from the Beacon Chain to the Binance Smart Chain and then to other chains via cross-chain bridges. As confirmed by Twitter user @FrankResearcher, the attacker(s) found a way to create a false proof for block 110217401. This particular block was cleared two years back. The exploiter(s) immediately converted all of their assets into USDT and USDC. In response, Tether and Circle immediately froze those assets on all the affected chains.

The Mobius Token hack and the Binance Bridge exploit indicate a larger issue. We need to stay wary and keep moving the ball down the field in DeFi security. Future developers and investors alike should be wiser for these unfortunate occurrences. By adopting security best practices, they can collaborate to build a safer, more resilient DeFi ecosystem. At MetaBlock X we’re focused on giving you the information and resources you need to make smart decisions. Armed with these resources, you can explore the crypto frontier safely and confidently.