Youtube Video

Playing the video that you've selected below in an iframe

Decoding ULME Token Flash Loan Attack

2 min read
Exploit Analysis
Ulme Token Flash Loan Attack

ULME token was attacked by a hacker using a flash loan attack resulting in 50,646 BUSD loss.

TL;DR#

On October 25, 2022, ULME Token was attacked by a hacker who allegedly gained approximately 50,646 BUSD using flash loan.

Introduction to ULME#

ULME is a token on Binance Smart Chain BNB Chain, but it has no social presence.

Vulnerability Assessment#

The underlying source of the vulnerability is due to an indirect price manipulation using flash loans resulting from an unrestricted access control.

Steps#

Step 1:

The attacker initially used flash loans to borrow 1,000,000 BUSD.

Step 2:

They then swapped the borrowed BUSD for $ULME tokens on PancakeSwap.

Step 3:

The attacker should have compiled a list of users who would approve the BUSD token to the $ULME contract.

Step 4:

The attacker called the buyMiner function of the $ULME token contract,passing in the list of users from the earlier step, and their corresponding amount.

Step 5:

In the underlying function, the attacker can manipulate the BUSD tokens previously approved to the users.

Step 6:

The attacker can additionally manipulate the BUSD of a large number of users, and swap to $ULME, thereby indirectly increasing the price of the token.

Step 7:

After the price increase, they swapped the $ULME token for BUSD, returned the amount borrowed during flash loan, and kept the remaining profit of 50,646 BUSD.

Aftermath#

Following the incident, the underlying price of the $ULME token increased to a high of 0.394 before falling to 0.08 at the time of this writing.

How to Prevent Such an Attack Vector#

In the indirect price manipulation attack, a trade on an AMM is utilised to discreetly influence the token price of a vulnerable DeFi application whose price mechanism is dependent on real-time status.

A flash loan attack can be mitigated to a greater extent by imposing a limit on the amount that can be borrowed in a single flash loan transaction, or using oracle-based services like ChainLink amongst many other precautions.

Protocol, and Platform Security#

Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and feeling of responsibility to do so.

By

Tags

Exploit Analysis Flash Loan Attacks PancakeSwap Smart Contract Vulnerability BNB Chain Projects Ulme token Crypto Hacks

Related Posts

More Related Posts

Analysis of the Hedgey Finance Exploit

Learn how Hedgey Finance was exploited, resulting in a loss of assets worth $44.7 million.

Exploit Analysis

Understanding the Grand Base Exploit

Learn how Grand Base was exploited, resulting in a loss of assets worth $2.5 million.

Exploit Analysis

Analysis of the SQUID Game Coin Exploit

Learn how SQUID Game Coin was exploited, resulting in a loss of assets worth $87,000.

Exploit Analysis