Logic error, lack of access control
Team Finance provides DeFi tools for token holders & businesses to buy, trade, create, and secure crypto assets with confidence. Team Finance also operates TrustSwap (https://trustswap.com/).
Team Finance reported that $14.5M USD of tokens were exploited through the audited v2 to v3 migration function.
The project team has temporarily paused all activity until the exploit has been remedied.
All funds currently on Team Finance are not at further risk of this exploit.
According to PeckShield, the protocol has a flawed migrate() that is exploited to transfer real UniswapV2 liquidity to an attacker-controlled new V3 pair with a skewed price, resulting in a huge leftover refunded as profit. Also, the authorized sender check is bypassed by locking any tokens.
According to BlockSec, the root cause is that the fake token can be added to the contract and then the fake token is used as a parameter to migrate for the pool [faketoken,WETH]. By doing so, the attacker can get a refund during the migration process.
DISCLAIMER: While web3rekt has used its best efforts in aggregating and maintaining this database, this web site makes no representations or warranties with respect to the accuracy or completeness of its information and data herein, and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose.
Under no circumstances shall web3rekt be liable for any loss of profit or funds, any regulatory or governmental penalties, any legal costs, or any other commercial and non-commercial damages, including but not limited to special, incidental, consequential, or other damages from any or all usage of the data and information derived from this database.