ID: daoswap-1124
Date: September 5, 2022
Status: Verified
Incident Count: 1
Contributor: web3rekt.com
KYC: None
Audits: Certik
Loss Amount: 581,257
Recovered: -
Currency: USD, DAO

Key Indicators

Platform: Binance Smart Chain
Type: Assets
Category: Token
Method: Contract Vulnerabilities
Extended Method: Logic error in reward calculation, and lack of verification of reward invitee
Days in Operation: 85 (0.23 Years)

DaoSwap was exploited for $581,257 USDT because the mining reward paid out during a swap was larger than the fee charged for that swap. In addition, the contract did not verify the invitee address, so a user could set the invitee to their own address and collect the referral reward as well.

The attacker took out a flash loan and swapped the borrowed funds for DAO tokens. During each swap, the attacker's contract collected DAO tokens from swaptoearn as rewards in two ways:

a. Token economy reward: paid to any user who exchanges tokens.
b. Invitor reward: the caller can set an arbitrary "invitee" address when calling the function, so the named recommender also receives a reward. Here the attacker's contract set the invitee address to itself.

The attacker's contract then exchanged all the DAO tokens back for USDT in the same way, collecting both rewards again, and repeated the cycle several times. Finally it repaid the flash loan in full and transferred the remaining USDT to the attacker's address.
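To make the two conditions above concrete, here is an added toy model of a swap-to-earn reward scheme; it is constructed for this write-up and is not DaoSwap's contract, and the fee and reward rates, the RewardConfig class and the function names are assumptions. It shows that a reward rate above the fee rate makes a round trip net-positive for the swapper, and encodes the invariant a reviewer would check: the total reward a swap can emit must not exceed the fee that funds it, and the caller may not be its own invitee.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RewardConfig:
    """Constructed parameters of a swap-to-earn scheme, in basis points."""
    fee_bps: int              # fee deducted from every swap
    swap_reward_bps: int      # "token economy" reward paid to the swapper
    invitee_reward_bps: int   # reward paid to the address named as invitee
    reject_self_invite: bool  # whether invitee == caller is refused


def swap_gain(cfg: RewardConfig, caller: str, invitee: str, volume: int) -> int:
    """Net gain for the caller from one swap of `volume` units: rewards it
    captures minus the fee it pays. An idealised 1:1 rate is assumed so
    that only the incentive design affects the result."""
    if cfg.reject_self_invite and invitee == caller:
        raise ValueError("invitee must not be the caller")
    fee = volume * cfg.fee_bps // 10_000
    reward = volume * cfg.swap_reward_bps // 10_000
    if invitee == caller:  # self-referral also captures the invitee share
        reward += volume * cfg.invitee_reward_bps // 10_000
    return reward - fee


def round_trip_gain(cfg: RewardConfig, volume: int, invitee: str = "attacker") -> int:
    """Swap out and back again with the same caller, as in the incident."""
    out = swap_gain(cfg, "attacker", invitee, volume)   # USDT -> DAO
    back = swap_gain(cfg, "attacker", invitee, volume)  # DAO -> USDT
    return out + back


def config_is_safe(cfg: RewardConfig) -> bool:
    """Reviewer's invariant: every reward the swap can emit must be funded
    by the fee it charges, and a caller may never be its own invitee."""
    return (cfg.swap_reward_bps + cfg.invitee_reward_bps <= cfg.fee_bps
            and cfg.reject_self_invite)


# Constructed configurations: VULNERABLE mirrors the conditions described
# above (reward above fee, self-invite accepted); HARDENED corrects both.
VULNERABLE = RewardConfig(fee_bps=30, swap_reward_bps=40,
                          invitee_reward_bps=20, reject_self_invite=False)
HARDENED = RewardConfig(fee_bps=30, swap_reward_bps=20,
                        invitee_reward_bps=10, reject_self_invite=True)

if __name__ == "__main__":
    print("vulnerable round trip gain:", round_trip_gain(VULNERABLE, 1_000_000))
    print("hardened config passes check:", config_is_safe(HARDENED))
```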


DISCLAIMER: While web3rekt has used the best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances, shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.