SlowMist: The Numbers Protocol token project has a serious vulnerability and has been attacked. Please revoke authorization as soon as possible

2022-11-23 18:01:39

ChainCatcher news: according to intelligence from the SlowMist security team, the Numbers Protocol (NUM) token project on the ETH chain has been attacked, with the attacker profiting approximately $13,836.

The SlowMist security team shared the following in a brief:

  1. The attacker created a malicious anyToken token, which is the attack contract (0xa68cce), and the underlying token of this malicious token contract points to the NUM token address;
  2. Then, they called the anySwapOutUnderlyingWithPermit function of the Router contract of the Multichain cross-chain bridge. This function takes anyToken as input and calls the permit function of the underlying token for signature approval, then exchanges the authorized user's underlying token to a specified address. However, since the NUM token does not have a permit function and has a callback feature, even if the attacker inputs a fake signature, it can still return normally, causing the transaction not to fail, resulting in the NUM tokens of the victim's address being ultimately transferred to the specified attack contract;
  3. The attacker then exchanged the profited NUM tokens for USDC through Uniswap and then converted them to ETH for profit.

The main reason for this attack is that the NUM token does not have a permit function and has a callback feature, allowing fake signatures to deceive the cross-chain bridge, leading to unexpected transfers of user assets.
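The failure mode described above, next to a router-side check that blocks it, as an added Python model that is not code from Multichain, the NUM token or SlowMist. The token's "callback feature" is modelled here as a fallback that accepts unknown function calls (an assumption), the nonce check is one possible mitigation, and all names and balances are constructed.

```python
class Revert(Exception):
    """Models an EVM revert (the whole model is constructed, not project code)."""

ROUTER = "router"  # constructed label for the bridge router address

class Token:
    """ERC-20-like token; has_permit / has_fallback are modelling switches."""
    def __init__(self, has_permit, has_fallback):
        self.has_permit, self.has_fallback = has_permit, has_fallback
        self.balance, self.allowance, self.nonce = {}, {}, {}

    def call(self, fn, *args):
        if fn == "permit" and self.has_permit:
            return self._permit(*args)
        if self.has_fallback:
            return None  # unknown function hits the fallback and returns normally
        raise Revert("unknown function " + fn)

    def _permit(self, owner, spender, value, sig):
        if sig != ("signed-by", owner):  # stand-in for signature recovery
            raise Revert("invalid signature")
        self.allowance[(owner, spender)] = value
        self.nonce[owner] = self.nonce.get(owner, 0) + 1

    def transfer_from(self, spender, owner, to, value):
        allowed = self.allowance.get((owner, spender), 0)
        if min(allowed, self.balance.get(owner, 0)) < value:
            raise Revert("insufficient allowance or balance")
        self.allowance[(owner, spender)] = allowed - value
        self.balance[owner] -= value
        self.balance[to] = self.balance.get(to, 0) + value

def swap_out_with_permit(token, owner, to, value, sig, check_nonce):
    """Router-side flow; check_nonce=True is the hardened variant."""
    before = token.nonce.get(owner, 0)
    token.call("permit", owner, ROUTER, value, sig)
    # Hardened: a genuine permit must have consumed the owner's nonce.
    if check_nonce and token.nonce.get(owner, 0) != before + 1:
        raise Revert("permit had no effect")
    token.transfer_from(ROUTER, owner, to, value)

def scenario(has_permit, check_nonce, sig):
    """Holder has a standing approval to the router; returns recipient balance."""
    t = Token(has_permit, has_fallback=True)
    t.balance["holder"] = 100
    t.allowance[("holder", ROUTER)] = 100
    try:
        swap_out_with_permit(t, "holder", "recipient", 100, sig, check_nonce)
    except Revert:
        pass
    return t.balance.get("recipient", 0)
```

In this model, only the unhardened router combined with a permit-less token moves funds on a bogus signature, and it does so by spending the holder's earlier approval, which is why revoking that approval removes the exposure.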
