BSC Flash Loan Attack: The Three Copycats

A series of attacks compromised several Binance Smart Chain (BSC) projects in May. After PancakeBunny, three of its forks, AutoShark, Merlin Labs and PancakeHunny, were attacked with similar techniques. PancakeBunny suffered the most costly attack of the four, with nearly $45M in total damages. In this article, Dr. Chiachih Wu, Head of the Amber Group Blockchain Security Team, elaborates on the details of the attacks on the three copycats.

Copycats

AutoShark was attacked five days after PancakeBunny, followed by Merlin Labs and then PancakeHunny. The following is an analysis of the flaws in these three forked projects and the techniques that could be used to exploit them.

In SharkMinter.mintFor(), the amount of reward SHARK to be minted (mintShark) is derived from sharkBNBAmount, which tokenToSharkBNB() computes in line 1494. However, tokenToSharkBNB() reads the contract's current flip balance, and that is the vulnerable point. The code assumes that the amount of tokens received in line 1492 equals the flip balance, but a bad actor can inflate the flip balance simply by sending flip tokens to the contract right before the getReward() call, indirectly breaking the logic of tokenToSharkBNB().

The underlying implementation of tokenToSharkBNB() exposes a second attack surface. As the code snippet shows, _flipToSharkBNBFlip() removes liquidity from ApeSwap (line 1243) or PantherSwap (line 1262), converting the LP tokens into SHARK+WBNB. generateFlipToken() is then invoked to convert the SHARK+WBNB back into SHARK-BNB LP tokens.

Inside generateFlipToken(), the current SHARK and WBNB balances of SharkMinter (amountADesired, amountBDesired) are used to mint LP tokens, and the resulting LP amount is returned to mintFor() as sharkBNBAmount. A bad actor can therefore also transfer SHARK+WBNB into SharkMinter to manipulate the amount of SHARK minted.

PancakeHunny has the identical loophole: the bad actor can manipulate HUNNY reward minting by sending HUNNY and WBNB tokens to HunnyMinter.

Compared to AutoShark and PancakeHunny, Merlin Labs’ _getReward() has a more obvious vulnerability.

The code snippet above shows that performanceFee can be manipulated through the CAKE balance, which indirectly inflates the MERL reward minting. However, the nonContract modifier rejects calls from contracts, so a flash loan cannot be used.

Even without an exploit contract, the bad actor can still profit by repeating the manipulation across multiple transactions.

Reproducing AutoShark Attack

To reproduce the AutoShark hack, we first need some SHARK-BNB-LP tokens from PantherSwap. Specifically, we swap 0.5 WBNB into SHARK (line 58) and add the remaining WBNB together with those SHARK tokens to PantherSwap to mint SHARK-BNB-LP tokens (line 64). We then deposit the LP tokens into AutoShark's StrategyCompoundFLIP contract (line 69) to qualify for rewards. Note that we purposely deposit only half of the LP tokens in line 69.

The second step is to make getReward() reach the SharkMinter contract. From the code snippet above, the reward is retrieved by the earned() function (line 1658), and 30% of the reward (performanceFee) must exceed 1,000 (DUST) for SharkMinter.mintFor() to be called in line 1668.

Therefore, in our exploit code, we transfer some LP tokens to the StrategyCompoundFLIP contract in line 76 to pass the performanceFee > DUST check and trigger the mintFor() call. Since we need a large amount of WBNB+SHARK to manipulate SharkMinter, we borrow 100k WBNB from PantherSwap via a flash-swap call in line 81.

In the flash-swap callback, pancakeCall(), we swap half of the WBNB into SHARK and send that SHARK together with the remaining 50,000 WBNB to the SharkMinter contract to manipulate the reward minting.

Next, with the WBNB+SHARK sitting in SharkMinter, we trigger getReward(), which mints a large amount of SHARK to the caller.

Finally, we convert the SHARK to WBNB, repay the flash loan, and walk away with the remaining WBNB.

In our experiment, the bad actor starts with 1 WBNB and, with the help of the flash loan, ends with more than 1,000 WBNB in a single transaction.
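The accounting flaw shared by AutoShark and PancakeHunny, and exploited in the reproduction above, modelled as an added Python example. This is not the projects' Solidity and no EVM is involved: the Ledger, the constant-product Pair, the 30% fee with the DUST threshold, the account names and the SHARK_PER_LP mint rate are simplified assumptions chosen so the effect of a donation is measurable offline. VulnerableMinter reads every input from its own live balances, so tokens donated to it before getReward() inflate the mint; HardenedMinter is my illustration of a fix that works only from the amount the strategy actually paid in and from what remove_liquidity returns.

```python
"""Toy model of balance-based reward minting (added example, not project code).
Tokens, pool maths, fee schedule and SHARK_PER_LP are simplified assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

DUST = 1000          # getReward() skips minting unless performanceFee > DUST
SHARK_PER_LP = 5     # hypothetical mint rate: SHARK minted per LP token of fee
LP = "SHARK-BNB-LP"


@dataclass
class Ledger:
    """Balances of every token, keyed by symbol and then by account name."""
    tokens: Dict[str, Dict[str, int]] = field(default_factory=dict)

    def bal(self, token: str, who: str) -> int:
        return self.tokens.setdefault(token, {}).get(who, 0)

    def mint(self, token: str, who: str, amt: int) -> None:
        t = self.tokens.setdefault(token, {})
        t[who] = t.get(who, 0) + amt

    def burn(self, token: str, who: str, amt: int) -> None:
        if self.bal(token, who) < amt:
            raise ValueError(f"{who} lacks {amt} {token}")
        self.tokens[token][who] -= amt

    def transfer(self, token: str, src: str, dst: str, amt: int) -> None:
        self.burn(token, src, amt)
        self.mint(token, dst, amt)


@dataclass
class Pair:
    """Constant-product SHARK/WBNB pool that issues LP tokens (UniswapV2-style)."""
    ledger: Ledger
    shark: int
    wbnb: int
    lp_supply: int

    def remove_liquidity(self, who: str, lp: int) -> Tuple[int, int]:
        shark_out = self.shark * lp // self.lp_supply
        wbnb_out = self.wbnb * lp // self.lp_supply
        self.ledger.burn(LP, who, lp)
        self.lp_supply -= lp
        self.shark -= shark_out
        self.wbnb -= wbnb_out
        self.ledger.mint("SHARK", who, shark_out)
        self.ledger.mint("WBNB", who, wbnb_out)
        return shark_out, wbnb_out

    def add_liquidity(self, who: str, shark_in: int, wbnb_in: int) -> int:
        # LP minted is the smaller pro-rata share; unlike the real router this toy
        # pulls in both full amounts instead of refunding the surplus side.
        lp = min(shark_in * self.lp_supply // self.shark,
                 wbnb_in * self.lp_supply // self.wbnb)
        self.ledger.burn("SHARK", who, shark_in)
        self.ledger.burn("WBNB", who, wbnb_in)
        self.shark += shark_in
        self.wbnb += wbnb_in
        self.lp_supply += lp
        self.ledger.mint(LP, who, lp)
        return lp


class VulnerableMinter:
    """Flawed flow: every input is the minter's own spot balance."""
    NAME = "SharkMinter"

    def __init__(self, ledger: Ledger, pair: Pair):
        self.ledger, self.pair = ledger, pair

    def mint_for(self, flip_amount: int, to: str) -> int:
        # tokenToSharkBNB(): unwinds the whole LP balance, ignoring flip_amount
        self.pair.remove_liquidity(self.NAME, self.ledger.bal(LP, self.NAME))
        # generateFlipToken(): amountADesired/amountBDesired are live balances,
        # so SHARK/WBNB donated by an attacker inflates sharkBNBAmount
        shark_bnb_amount = self.pair.add_liquidity(
            self.NAME, self.ledger.bal("SHARK", self.NAME), self.ledger.bal("WBNB", self.NAME))
        minted = shark_bnb_amount * SHARK_PER_LP
        self.ledger.mint("SHARK", to, minted)
        return minted


class HardenedMinter(VulnerableMinter):
    """Illustrative fix: only the fee paid in, and what it unwinds to, drive the mint."""

    def mint_for(self, flip_amount: int, to: str) -> int:
        shark_out, wbnb_out = self.pair.remove_liquidity(self.NAME, flip_amount)
        shark_bnb_amount = self.pair.add_liquidity(self.NAME, shark_out, wbnb_out)
        minted = shark_bnb_amount * SHARK_PER_LP
        self.ledger.mint("SHARK", to, minted)
        return minted


def get_reward(ledger: Ledger, minter: VulnerableMinter, user: str, earned: int) -> int:
    """StrategyCompoundFLIP.getReward(): 30% performanceFee goes to the minter if > DUST."""
    strategy = "StrategyCompoundFLIP"
    fee = earned * 30 // 100
    if fee <= DUST:
        ledger.transfer(LP, strategy, user, earned)
        return 0
    ledger.transfer(LP, strategy, minter.NAME, fee)
    minted = minter.mint_for(fee, user)
    ledger.transfer(LP, strategy, user, earned - fee)
    return minted


def simulate(minter_cls, donate_shark: int, donate_wbnb: int, earned: int = 10_000) -> int:
    """SHARK minted to the attacker after donating tokens to the minter (constructed scenario)."""
    ledger = Ledger()
    pair = Pair(ledger, shark=1_000_000, wbnb=10_000, lp_supply=100_000)
    ledger.mint(LP, "StrategyCompoundFLIP", earned)   # constructed pending reward
    minter = minter_cls(ledger, pair)
    ledger.mint("SHARK", minter.NAME, donate_shark)   # attacker's plain transfers in
    ledger.mint("WBNB", minter.NAME, donate_wbnb)
    return get_reward(ledger, minter, "attacker", earned)


if __name__ == "__main__":
    print("honest   :", simulate(VulnerableMinter, 0, 0))
    print("donation :", simulate(VulnerableMinter, 100_000, 1_000))
    print("hardened :", simulate(HardenedMinter, 100_000, 1_000))
```

In this model the honest call mints 15,000 SHARK; donating 100,000 SHARK and 1,000 WBNB to the vulnerable minter first raises that to 65,000, while the hardened minter still mints 15,000 and simply leaves the donated tokens idle. The same principle covers the flip balance read in line 1494: derive rewards from amounts the caller actually transferred in (or from balance deltas measured around that transfer), never from a spot balanceOf(address(this)) that anyone can push up with a plain transfer.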

Reproducing PancakeHunny Attack

The theory behind the PancakeHunny attack is similar to the AutoShark attack: we need to send a lot of HUNNY+WBNB to HunnyMinter before triggering getReward(). However, the HUNNY token contract has a protection mechanism called antiWhale that rejects large transfers, so a single flash-loan-funded transfer does not work here.

To bypass antiWhale, we create multiple child contracts and initiate multiple CakeFlipVault.deposit() calls through them.

In the exploit code snippet above, the LP tokens gathered in line 116 are divided into 10 parts and transferred to 10 Lib contracts in line 122, followed by a Lib.prepare() call on each of them.

Inside Lib.prepare(), we approve() the CakeFlipVault to spend the LP tokens and invoke CakeFlipVault.deposit() so that the later getReward() calls mint HUNNY rewards.

After preparing the 10 Lib contracts, the main contract iterates over each of them to: 1) swap WBNB into the maximum amount of HUNNY that antiWhale allows; 2) transfer WBNB+HUNNY to HunnyMinter; 3) trigger getReward() via lib.trigger(); and 4) swap the HUNNY back to WBNB.

In the end, the bad actor who started with 10 WBNB ends with around 200 WBNB after 10 rounds over the 10 Lib contracts.

Reproducing Merlin Labs Attack

As mentioned earlier, Merlin Labs has the noContract modifier to block flash-loan attacks. However, we can use a script to run the attack as multiple transactions sent from an EOA (Externally Owned Account) address. The difference is that someone may front-run the bad actor's transactions and steal the profits.

Similar to the AutoShark attack, we need to prepare enough LINK and WBNB (line 23), use them to mint WBNB-LINK-LP tokens (line 34), and deposit the LP tokens into the VaultFlipToCake contract (line 38).

The remaining actions are:

  1. Swapping WBNB to CAKE (line 42).
  2. Manipulating MERL minting by sending CAKE to the VaultFlipToCake contract (line 50).
  3. Triggering getReward() in line 55, which mints a large amount of MERL tokens.
  4. Swapping the MERL back to WBNB and repeating the above steps multiple times.

As mentioned earlier, if someone front-runs step 3 right after step 2, that person captures the inflated MERL mint instead of the bad actor.

In our experiment, the bad actor starts with 10 WBNB and walks away with around 165 WBNB by repeating the four steps 10 times.

About Amber Group

Amber Group is a leading global crypto finance service provider operating around the world and around the clock with a presence in Hong Kong, Taipei, Seoul, and Vancouver. Founded in 2017, Amber Group services over 500 institutional clients and has cumulatively traded over $500 billion across 100+ electronic exchanges, with over $1.5 billion in assets under management. In 2021, Amber Group raised $100 million in Series B funding and became the latest FinTech unicorn valued at over $1 billion. For more information, please visit www.ambergroup.io.

DOOR Launches First Decentralized Ad Network in a Big Way

DOOR has paid out over $500,000 in DOOR Coin to launch an app that connects consumers directly with advertisers, aiming to disrupt a $500B online ad market.

DOOR has launched its decentralized app that connects consumers who are looking for specific products and services directly with advertisers. Built on cryptocurrency, DOOR rewards consumers for opting into the program by paying them in DOOR Coin, which is currently available on the Uniswap decentralized exchange.

Since DOOR launched on July 4th, over $500,000 (700,000 DOOR Coin) in rewards has been paid to consumers who have joined the platform. DOOR's mission is to bypass Big Ad Tech middlemen such as Zillow, HomeAdvisor and Facebook and allow businesses to pay consumers directly for the use of their data, using the blockchain.

“We imagined a world where we remove the middleman that makes billions of dollars off consumer data and sells it to the highest bidder. With DOOR, consumers are paid for their data and businesses can connect directly with opt-in verified leads,” states David Daly, co-founder of DOOR.

DOOR leverages blockchain technology and the Ethereum Network to build the first decentralized Ad Network. DOOR can be found on CoinMarketcap.com under the name DOOR. The details of the Ethereum Contract can be viewed on Etherscan.io.

“Today, many centralized ad networks have become monopolies that provide free products to consumers in exchange for harvesting and productizing consumer data and selling it to businesses. The common saying is ‘if the product is free, you are the product’. “ claims

DOOR currently rewards any homeowner in the United States who registers their property on MyDoorWallet.com and opts into the platform. The advertisers on the platform currently include home service providers and products.

“Our goal is to change how consumers and businesses connect on the Internet. We believe there is no reason consumers need to go through a centralized ad network or website that forces them to constantly share their data with no benefit. With DOOR they are not only rewarded, they are in control. The Internet was meant to be decentralized and we want to fix what is broken,” concludes David Daly.

ABOUT DOOR

DOOR rewards consumers every time advertisers access their data. DOOR removes the middleman and enables a direct connection between consumers and businesses through its decentralized ad network built on blockchain technology.

DOOR Coin is currently trading at $0.75 and is up 3,650% since its launch on July 4, 2021. To learn more, visit the official website.


Image by StockSnap from Pixabay

IRS Modifies Crypto Question on Tax Form — Now Focusing on Taxable Cryptocurrency Transactions


The U.S. Internal Revenue Service (IRS) has modified the crypto question asked on the main U.S. tax form. Reducing the scope of the question, the IRS now focuses on taxable cryptocurrency transactions.

New Crypto Question on Tax Form 1040

The IRS published a draft Form 1040 for the tax year 2021 Thursday. Form 1040 is the main tax form used for filing individual income tax returns in the U.S. The draft form shows that the tax agency has modified the crypto question slightly.

The crypto question now reads: “At any time during 2021, did you receive, sell, exchange, or otherwise dispose of any financial interest in any virtual currency?”

Previously, the question read: “At any time during 2020, did you receive, sell, send, exchange, or otherwise acquire any financial interest in any virtual currency?”

Draft IRS Form 1040 for the year 2021.

For the year 2021, the IRS has removed the word “send” and replaced “acquire” with “dispose of.”

IRS Form 1040 for the year 2020.

Shehan Chandrasekera, Head of Tax Strategy at tax software company Cointracker, explained that “The revised question only inquires about your taxable transactions compared to the much broader scope of the 2020 version.”

He opined, “Although these changes have no big impact on your taxes, it hints at what the IRS has learned from the 2020 version and the direction it’s heading,” elaborating:

Under the revised question, you don’t have to check ‘Yes’ if you send cryptocurrency in between wallets/exchanges or acquire them, which are both non-taxable transactions.


Image Credits: Shutterstock, Pixabay, Wiki Commons

Disclaimer: This article is for informational purposes only. It is not a direct offer or solicitation of an offer to buy or sell, or a recommendation or endorsement of any products, services, or companies. Bitcoin.com does not provide investment, tax, legal, or accounting advice. Neither the company nor the author is responsible, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any content, goods or services mentioned in this article.


Amazon’s Payment Team Hiring Digital Currency Expert to Develop Cryptocurrency Strategy and Products


Amazon’s Payments Acceptance & Experience team is hiring a digital currency and blockchain expert to develop the company’s digital currency and blockchain strategy and product roadmap, including a launch strategy. “We’re inspired by the innovation happening in the cryptocurrency space and are exploring what this could look like on Amazon,” the company’s spokesperson said.

Amazon Developing Crypto Strategy

Amazon has posted a job opening for a “Digital Currency and Blockchain Product Lead.” The job posting explains that “The Amazon Payment Acceptance & Experience Team is responsible for how Amazon’s customers pay on Amazon’s sites and through Amazon’s services around the globe,” elaborating:

The Payments Acceptance & Experience team is seeking an experienced product leader to develop Amazon’s digital currency and blockchain strategy and product roadmap.

The company further described: “You will leverage your domain expertise in blockchain, distributed ledger, central bank digital currencies and cryptocurrency to develop the case for the capabilities which should be developed, drive overall vision and product strategy, and gain leadership buy-in and investment for new capabilities.”

Among the basic qualifications required for the role is a “Deep understanding of the digital / cryptocurrency ecosystem and related technologies.”

The posting adds: “You will work closely with teams across Amazon including AWS to develop the roadmap including the customer experience, technical strategy and capabilities as well as the launch strategy.”

Confirming the job posting to CNBC, an Amazon spokesperson said in a statement:

We’re inspired by the innovation happening in the cryptocurrency space and are exploring what this could look like on Amazon.

“We believe the future will be built on new technologies that enable modern, fast, and inexpensive payments, and hope to bring that future to Amazon customers as soon as possible,” the spokesperson noted.

Amazon Web Services currently offers a service called Amazon Managed Blockchain, but Amazon does not currently accept bitcoin or other cryptocurrencies as payment for its products.



After Barclays and Santander, UK Bank Natwest Blocks Payments to Binance


A major high street bank in the U.K., Natwest, has blocked payments to crypto exchange Binance. Natwest’s decision came after two other major British banks — Barclays and Santander — made a similar move to block fund transfers to Binance. The banks acted in response to a warning on the cryptocurrency exchange by the U.K.’s Financial Conduct Authority (FCA).

Natwest Blocking Fund Transfers to Binance

British bank Natwest (NWG.L) has reportedly become the latest financial institution in the U.K. to block payments to cryptocurrency exchange Binance. According to its 2020 annual report, Natwest Group is the largest business and commercial bank in the U.K., with 19 million customers across the U.K. and Ireland.

A Natwest spokesperson explained that the bank has seen a high level of cryptocurrency investment scams targeting customers across retail and business banking, particularly through social media websites.

“To protect our customers from the criminals exploiting these platforms, we’re temporarily reducing the maximum daily amount that a customer can send to cryptocurrency exchanges as well as blocking payments to a small number of cryptocurrency asset firms where we have seen particularly significant levels of fraud-related harm for our customers,” the spokesperson said, adding:

Our customers will still be able to accept cryptocurrencies as forms of payment.

The U.K.’s Financial Conduct Authority (FCA) issued a warning about Binance on June 26 stating that the crypto exchange was not permitted to engage in regulated activities.

Following the FCA’s warning, Barclays stopped clients from sending funds to Binance. Santander Bank followed suit and blocked payments to the crypto exchange.

Binance has suspended GBP withdrawals and EUR deposits via SEPA bank transfers, and the payment providers Faster Payments and Clear Junction have stopped processing payments for the crypto exchange. Meanwhile, Visa and Mastercard said they are monitoring Binance’s regulatory compliance and have not cut ties with the company.

Besides the FCA, a growing list of regulators have issued warnings against Binance, including regulators in Hong Kong, Lithuania, Italy, Thailand, Cayman Islands, and Japan.



New York Town Bemoans Roadside ‘Littered’ With Bitcoin Miners — Officials Plan to Impose 90-Day Moratorium


Massena, a St. Lawrence County town in New York near the Canadian border, is another part of the state having issues with bitcoin miners. According to recent reports from the local WWNY-TV news desk and Reuters, the Massena town supervisor is drafting new regulations for bitcoin mining operations.

Officials From Town of Massena Don’t Like the Look of Bitcoin Miners Operating Alongside Route 42

The town of Massena, with a population of around 13,000, has attracted bitcoin miners, according to a report from Reuters. The town’s officials have taken issue with the miners and plan to impose a 90-day moratorium on any new bitcoin mining operations looking to tap into the town’s energy sources.

According to Massena Town Supervisor Steve O’Shaughnessy, the town doesn’t want Massena’s roadsides to be filled with shipping containers that house mining rigs.

“We don’t want it littered with these trailers that are pumping out bitcoin,” O’Shaughnessy told WWNY-TV. “We just want to make sure if they’re going to come here, that it’s a nice presentable building,” he added.

Photograph of the alleged mining operations via the regional news station WWNY-TV.

The report notes that there’s been a surge of cryptocurrency miners setting up shop in Massena. The electrical company Massena Electric is currently in the midst of negotiations with three prospective operations.

“The key components for the developers is low-cost electricity and reliability, which are two things we’ve always had,” Andrew McMahon, Massena Electric’s superintendent said. Reports say Route 42 in Massena near Fort Covington has numerous mobile bitcoin mining units that are housed in shipping containers.

Massena Electric told WWNY-TV that the deals with bitcoin miners always come second to current customers but “customers could even benefit from the increased sales.”

New York Continues to Have Tussles With the Bitcoin Mining Industry, Route 42 Mining Facility Advertised for Sale

The crypto mining operation Petawatt Group is located in Massena, as the firm was able to purchase 140 acres of land two years ago. Petawatt Group and its co-founder Jason Rappaport say bitcoin mining operations can potentially bring jobs to Massena locals.

“We’re not like some new operation that decamped from somewhere else and coming in and trying to find power, you know, relatively inexpensively, and not being part of the community,” Rappaport stressed to the local news station.

Interestingly, around the same time the Massena town officials started to complain, an advertisement for a cryptocurrency mining facility located on Route 42 was listed for sale. The property offers “power and location” for $299,000 and claims the owner can get energy at rates as low as $0.03 per kWh. “The facility has approved 2 MW power available underneath three-phase power lines owned by Massena Electric Department,” the ad details. “The electrical service can potentially be upgraded to 10MW and even above.”

New York and bitcoin miners have gone hand in hand because of the state’s abundant access to cheap hydropower. However, residents and officials in a few New York communities have taken issue with bitcoin miners in a similar fashion.

For instance, residents who live alongside Seneca Lake blamed bitcoin mining for heating up the water. The lake was “so warm you feel like you’re in a hot tub,” a report by NBC News noted at the time.

Democratic state senator Kevin Parker also introduced a bill that seeks to establish a three-year moratorium on bitcoin mining operations in the state. The Committee on Environmental Conservation reviewed the bill on May 3.

The bill declared that cryptocurrency miners should be responsible for the environmental impacts the industry might cause the state. Senator Parker insists cryptocurrency mining has a negative environmental impact and mining businesses would have to pass state greenhouse gas emission targets in order to continue.


Image Credits: Shutterstock, Pixabay, Wiki Commons, WWNY-TV, point2homes.com,
