ID: paraluni-40
Date: March 13, 2022
Status: Verified
Incident Count: 1

Contributor: zerofriction.io
KYC By:
KYC: No

Audit By:
Audits: Peckshield
Loss Amount: 1,700,000
Recovered: -
Rewards:
Currency: USD

Key Indicators

Platform: Binance Smart Chain
Type: Project
Category: Metaverse
Method: Contract Vulnerabilities
Extended Method: Reentrancy attack
Data Sources:
Days in Operation: 275 (0.75 Years)

Paraluni is a metaverse project.

According to PeckShield, the hack was made possible by a reentrancy bug in the depositByAddLiquidity() function, triggered through a crafted token contract, which doubles the credits the attacker is able to claim, as the image below shows.

https://pbs.twimg.com/media/FNsTBxoVIAAcr-0?format=jpg&name=large
https://twitter.com/peckshield/status/1502815435498176514?s=20&t=U935aRvh_MjqeyZqMJZqpQ

The depositByAddLiquidity function calls an internal depositByAddLiquidityInternal function that transfers the attacker's deposit into the appropriate pool. However, the pool ID value (_pid) used to look up the appropriate pool is not validated internally. The attacker takes advantage of this by supplying an attacker-controlled contract as the token, whose malicious transferFrom function is called. That function then exploits the reentrancy vulnerability to call the Masterchef deposit function before the internal state is updated.
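The defensive pattern implied by that description, added here as an illustration and not Paraluni's own code: a deposit-by-add-liquidity function that validates _pid, accepts only the pool's registered token addresses, and uses a reentrancy guard so no nested deposit can run before accounting is updated. Apart from depositByAddLiquidity and _pid, all contract, struct and function names are assumptions, as are the OpenZeppelin 4.x import paths.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/security/ReentrancyGuard.sol"; // OZ 4.x path (assumed)

/// Illustrative staking contract (not Paraluni's code) with the checks that close the hole.
contract HardenedMasterChef is ReentrancyGuard {
    using SafeERC20 for IERC20;

    struct PoolInfo {
        IERC20 tokenA;   // token addresses fixed when the pool is registered
        IERC20 tokenB;
        IERC20 lpToken;
    }
    PoolInfo[] public poolInfo;
    mapping(uint256 => mapping(address => uint256)) public userAmount;

    constructor(IERC20 a, IERC20 b, IERC20 lp) {
        poolInfo.push(PoolInfo(a, b, lp));
    }

    function depositByAddLiquidity(
        uint256 _pid,
        address[2] calldata _tokens,
        uint256[2] calldata _amounts
    ) external nonReentrant {
        // Check 1: _pid must refer to a registered pool.
        require(_pid < poolInfo.length, "invalid pid");
        PoolInfo storage pool = poolInfo[_pid];
        // Check 2: caller-supplied tokens must be the pool's own, so transferFrom
        // is only ever invoked on contracts this pool already trusts.
        require(
            _tokens[0] == address(pool.tokenA) &&
            _tokens[1] == address(pool.tokenB), "token mismatch");
        // Interactions: pull funds, then mint LP via the (hypothetical) router hook.
        pool.tokenA.safeTransferFrom(msg.sender, address(this), _amounts[0]);
        pool.tokenB.safeTransferFrom(msg.sender, address(this), _amounts[1]);
        uint256 before = pool.lpToken.balanceOf(address(this));
        _addLiquidity(pool, _amounts[0], _amounts[1]);
        uint256 received = pool.lpToken.balanceOf(address(this)) - before;
        // Effects: credit only LP actually received; nonReentrant guarantees no
        // nested deposit can observe the stale balance before this update.
        userAmount[_pid][msg.sender] += received;
    }

    // Hypothetical hook for the DEX router call that mints LP tokens to this contract.
    function _addLiquidity(PoolInfo storage, uint256, uint256) internal virtual {}
}
```

A derived contract would override _addLiquidity with the real router call; the balance-delta credit also defends against tokens that transfer less than requested.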

Approximately 230 ETH has been funneled into Tornado Cash.


DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of the information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.

Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages arising from any or all usage of the data and information derived from this database.