Overview:
On October 21, 2024, the VISTA Finance contract on Binance Smart Chain (BSC) was exploited due to a vulnerability in its integration of ERC20FlashMint with custom staking logic. This exploit allowed an attacker to bypass staking restrictions, resulting in loss of $29,000 USD.
Exploit Details:
Attacker Address: 0x3D71366228EBD5196D45eE72f82405da601190ad
Attacker Contract Address: 0x10036dAD92fd0459daAb57C506eA656d46BF5727
Vulnerable Contract: 0x493361D6164093936c86Dcb35Ad03b4C0D032076
Attack Transaction: mAttack Process:
Vista Finance allows users to purchase ICO tokens with BUSD and receive staked Vista tokens in return.
However, instead of transferring the staked tokens to a dedicated staking contract, the system merely records the staked amount and calculates the user’s balance by subtracting the staked tokens from their total holdings.
As long as all token transfer functions rely on the getFreeBalance function, the user’s balance is accurately calculated. However, the integration of ERC20FlashMint into the Vista token contract disrupts this balance computation.
The flashLoan function mints tokens at the start of the loan and burns them at the end. The issue lies in the _burn function, which adjusts the _balances[account] directly rather than using getFreeBalance.
As a result, even staked tokens, which are normally non-transferable, can be burned to repay the flashloan.
The attacker exploited this flaw by flashloaning 1,000,000 tokens, purchasing ICO tokens with $1,500, and then selling these tokens to address 0xf738de9913bc1e21b1a985bb0e39db75091263b7 for profit.
This sale utilized the transferFrom function, which calculates balance using getFreeBalance.
Without the flashloan-minted tokens, the attacker would not have been able to sell the staked tokens.
Finally, the flashLoan function burned 1,000,000 tokens from _balances[account] to conclude the loan.
If the flashLoan function had used getFreeBalance for this operation, the attacker would not have had sufficient free balance to execute the exploit.
The Root Cause
The root cause of the exploit lies in the flawed integration of ERC20FlashMint with the custom staking logic in the Vista token contract. Specifically, the _burn function directly subtracts from _balances[account] instead of using the getFreeBalance function, which accounts for staked tokens. This allowed the attacker to bypass staking restrictions by burning tokens that were staked, enabling them to repay the flashloan.
Flow of Funds
See the funds flow here:
How could they have prevented the Exploit?
Ensure that all functions, including _burn and any logic involving token transfers or burns, rely on getFreeBalance to account for staked tokens properly.Instead of merely recording staked balances, transfer staked tokens to a separate staking contract to prevent them from being manipulated or accessed outside the intended logic.Engage with reputable audit firms like QuiilAudits to conduct comprehensive security audits and fix potential vulnerabilities before they can be exploited.
Why QuillAudits?
Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.
Decoding Vista Finance’s $28K Exploit was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.