On October 21, 2024, the VISTA Finance<\/a> contract on Binance Smart Chain (BSC) was exploited due to a vulnerability in its integration of ERC20FlashMint with custom staking logic. This exploit allowed an attacker to bypass staking restrictions, resulting in loss of $29,000\u00a0USD.<\/p>\n Attacker Address: 0x3D71366228EBD5196D45eE72f82405da601190ad<\/a><\/p>\n Attacker Contract Address: 0x10036dAD92fd0459daAb57C506eA656d46BF5727<\/a><\/p>\n Vulnerable Contract: 0x493361D6164093936c86Dcb35Ad03b4C0D032076<\/a><\/p>\n Attack Transaction: mAttack\u00a0Process:<\/p>\n Vista Finance allows users to purchase ICO tokens with BUSD and receive staked Vista tokens in\u00a0return.<\/p>\n However, instead of transferring the staked tokens to a dedicated staking contract, the system merely records the staked amount and calculates the user\u2019s balance by subtracting the staked tokens from their total holdings.<\/p>\n As long as all token transfer functions rely on the getFreeBalance function, the user\u2019s balance is accurately calculated. However, the integration of ERC20FlashMint into the Vista token contract disrupts this balance computation.<\/p>\n The flashLoan function mints tokens at the start of the loan and burns them at the end. The issue lies in the _burn function, which adjusts the _balances[account] directly rather than using getFreeBalance.<\/p>\n As a result, even staked tokens, which are normally non-transferable, can be burned to repay the flashloan.<\/p>\n The attacker exploited this flaw by flashloaning 1,000,000 tokens, purchasing ICO tokens with $1,500, and then selling these tokens to address 0xf738de9913bc1e21b1a985bb0e39db75091263b7 for\u00a0profit.<\/p>\n This sale utilized the transferFrom function, which calculates balance using getFreeBalance.<\/p>\n Without the flashloan-minted tokens, the attacker would not have been able to sell the staked\u00a0tokens.<\/p>\n Finally, the flashLoan function burned 1,000,000 tokens from _balances[account] to conclude the\u00a0loan.<\/p>\n If the flashLoan function had used getFreeBalance for this operation, the attacker would not have had sufficient free balance to execute the\u00a0exploit.<\/p>\n The root cause of the exploit lies in the flawed integration of ERC20FlashMint with the custom staking logic in the Vista token contract. Specifically, the _burn function directly subtracts from _balances[account] instead of using the getFreeBalance function, which accounts for staked tokens. This allowed the attacker to bypass staking restrictions by burning tokens that were staked, enabling them to repay the flashloan.<\/p>\n See the funds flow\u00a0here<\/a>:<\/p>\n Ensure that all functions, including _burn and any logic involving token transfers or burns, rely on getFreeBalance to account for staked tokens properly.Instead of merely recording staked balances, transfer staked tokens to a separate staking contract to prevent them from being manipulated or accessed outside the intended\u00a0logic.Engage with reputable audit firms like QuiilAudits to conduct comprehensive security audits and fix potential vulnerabilities before they can be exploited.<\/p>\n Choosing a reputable audit firm like QuillAudits ensures that your protocol undergoes rigorous scrutiny<\/a> from experienced security professionals. QuillAudits specializes in uncovering critical vulnerabilities and providing actionable remediation strategies. Our expertise helps safeguard your project from attacks, ensuring that security issues are addressed proactively.<\/p>\n Decoding Vista Finance\u2019s $28K Exploit<\/a> was originally published in Coinmonks<\/a> on Medium, where people are continuing the conversation by highlighting and responding to this story.<\/p>","protected":false},"excerpt":{"rendered":" Overview: On October 21, 2024, the VISTA Finance contract on Binance Smart Chain (BSC) was exploited due to a vulnerability in its integration of ERC20FlashMint with custom staking logic. This exploit allowed an attacker to bypass staking restrictions, resulting in loss of $29,000\u00a0USD. Exploit Details: Attacker Address: 0x3D71366228EBD5196D45eE72f82405da601190ad Attacker Contract Address: 0x10036dAD92fd0459daAb57C506eA656d46BF5727 Vulnerable Contract: 0x493361D6164093936c86Dcb35Ad03b4C0D032076 […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-24315","post","type-post","status-publish","format-standard","hentry","category-interesting"],"_links":{"self":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/24315"}],"collection":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=24315"}],"version-history":[{"count":0,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=\/wp\/v2\/posts\/24315\/revisions"}],"wp:attachment":[{"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=24315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=24315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mycryptomania.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=24315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Exploit Details:<\/h3>\n
The Root\u00a0Cause<\/h3>\n
Flow of\u00a0Funds<\/h3>\n
How could they have prevented the\u00a0Exploit?<\/h3>\n
Why QuillAudits?<\/h3>\n