Analysis of the Four.meme Attack Incident
Author: Zero Time Technology
Background Introduction
four.meme is a memecoin launchpad similar to pump.fun, incubated by Binance Academy.
We have detected that the memecoin snowboard on the platform (https://four.meme/token/0x4abfd9a204344bd81a276c075ef89412c9fd2f64) has suffered a hacker attack, resulting in a loss of approximately 15,000 USD. The attack transaction is: https://bscscan.com/tx/0x2902f93a0e0e32893b6d5c907ee7bb5dabc459093efa6dbc6e6ba49f85c27f61
Attack and Incident Analysis
Technical Principles of four.meme
four.meme is a memecoin launchpad on the BNB Smart Chain, similar to pump.fun. Such launchpad platforms generally have three stages:
• Stage 1: Users create memecoins on the platform by customizing the name, logo, description, social accounts (optional), etc.
• Stage 2: Other users can buy and sell the memecoin on the platform.
• Stage 3: When the market capitalization of the memecoin reaches a certain threshold (24 BNB), it will be migrated to a DEX (PancakeSwap).
Now, let's take a detailed look at the specific technical details of each stage.
Stage 1
Users fill in the specific information needed to create the memecoin through the interface on the launchpad platform.
Once completed, the payment of the fee finalizes the creation of the memecoin's on-chain contract. Of course, this contract is created by the official launchpad contract, so the owner of the created ERC-20 Token is also the official launchpad contract. Below is an example of a memecoin creation on four.meme:
First, the user pays the fee, and the official launchpad contract deploys the memecoin's ERC-20 Token contract, minting an initial supply of 1,000,000,000 tokens (the expected total virtual pool for this memecoin is 30 BNB).
Subsequently, we see that the owner of the created Token is also the official launchpad smart contract.
This indicates that although the memecoin is created by the user on the launchpad, the owner of the on-chain ERC-20 contract is not the user. This design prevents users from minting or engaging in other malicious behaviors. Once the memecoin smart contract is deployed on-chain, it enters the second stage, where all users on the platform can buy and sell.
Stage 2
Other users can buy and sell the memecoin through the platform; however, the purchased tokens cannot be sent to other users with transfer. We can take a look at the source code of the on-chain ERC-20 Token.
In _beforeTokenTransfer, transfers are restricted according to the _mode parameter.
At this point, we can see that the _mode of a Stage 2 Token is 1, which is MODE_TRANSFER_RESTRICTED, restricting transfers to third parties.
This measure is to prevent the impact of OTC trading on the price. When buying and selling, the four.meme contract first sets the _mode to 2 and then uses transfer to transfer to the user. After the transfer is completed, it sets the _mode back to 1, restricting other users from transferring, thus completing the transfer of the purchased memecoin.
Stage 3
When the market capitalization of the memecoin reaches 24 BNB, the bonding curve progress reaches 100%. The official launchpad will then migrate the remaining 20% of the memecoin and 24 BNB to the DEX PancakeSwap. At this point, Stage 3 is officially completed. The following transaction is the official launchpad migrating the memecoin to PancakeSwap.
We can see that first, the official launchpad sets the _mode of the memecoin to 0, which is MODE_NORMAL, allowing users to engage in OTC trading. Next, the official launchpad creates a trading pair for the memecoin and WBNB, and finally adds liquidity of 23.5 BNB (of which 0.5 BNB is a fee) and 200 million memecoins to that trading pair. The price for adding liquidity is sqrtPriceX96 = 27169599998237907265358521. The calculation formula for sqrtPriceX96 is as follows:
Therefore, the price of the memecoin when adding liquidity is 0.0000001175 WBNB, which can also be obtained by dividing 23.5 WBNB by 200 million memecoins, so the price for each coin migrating to the DEX is the same: 0.0000001175 WBNB.
Attack Principle
After understanding the entire lifecycle of the memecoin on four.meme, let's take a closer look at the attack process. First, the attacker created a pre-initialized DEX trading pair in advance. They set the sqrtPriceX96 of the trading pair to 10000000000000000000000000000000000000000, which is 368058418256012 times larger than the normal value.
When the bonding curve progress of the memecoin reaches 100% and the launchpad migrates the memecoin to the DEX, it uses createAndInitializePoolIfNecessary to create the trading pair. Since the trading pair was already created and initialized by the attacker, liquidity is added at the price the attacker set. This effectively inflated the price of the memecoin.
At this point, the launchpad used 1 memecoin and 23.5 WBNB to add liquidity. Subsequently, the suspected attacker used 1600 memecoins to exchange for 23.4 WBNB in the trading pair, thus completing the attack.
Conclusion
The cause of this vulnerability is that when the bonding curve progress in Four.meme reaches 100% and the memecoin migrates to the DEX, the launchpad uses createAndInitializePoolIfNecessary to create the PancakeSwap trading pair. It did not consider the case where the trading pair had already been created in advance. By using the trading pair that the attacker had created and initialized, the launchpad added liquidity at the erroneous price set by the attacker, leading to a surge in the price of the memecoin after migration. Subsequently, the attacker used the memecoins in hand to drain the WBNB from the pool, completing the attack. It is recommended that project teams conduct multiple validations when designing economic models and code operation logic, and choose multiple auditing firms for cross-auditing before contract deployment.
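The sqrtPriceX96 encoding from Stage 3 and the pre-migration check whose absence is described above, as an added Python example (not code from four.meme or from the original analysis). sqrtPriceX96 is the square root of the token1/token0 price stored as a Q64.96 fixed-point integer. The example assumes the memecoin is token0 and WBNB is token1, both with 18 decimals; migration_allowed and its 50 bps tolerance are hypothetical.

```python
from math import isqrt

Q96 = 1 << 96  # sqrtPriceX96 is a Q64.96 fixed-point value


def encode_sqrt_price_x96(amount1: int, amount0: int) -> int:
    """floor(sqrt(amount1 / amount0) * 2**96), using integer math only."""
    return isqrt((amount1 << 192) // amount0)


def decode_price(sqrt_price_x96: int) -> float:
    """Price of token0 in token1 = (sqrtPriceX96 / 2**96) ** 2."""
    return (sqrt_price_x96 / Q96) ** 2


def price_deviation_bps(pool_sqrt: int, target_sqrt: int) -> int:
    """Price deviation in basis points (price scales with sqrtPrice squared)."""
    return abs(pool_sqrt**2 - target_sqrt**2) * 10_000 // target_sqrt**2


def migration_allowed(pool_sqrt: int, target_sqrt: int, max_bps: int = 50) -> bool:
    """Hypothetical guard to run before adding liquidity.

    pool_sqrt is the sqrtPriceX96 read from the pool; 0 means the pool is
    missing or uninitialized, so the launchpad's own initialization sets
    the price. Any other value was set by someone else and must be close
    to the intended price, otherwise the migration should be refused.
    """
    if pool_sqrt == 0:
        return True
    return price_deviation_bps(pool_sqrt, target_sqrt) <= max_bps


# Values quoted in the article
NORMAL_SQRT = 27169599998237907265358521  # price used in a normal migration
ATTACKER_SQRT = 10**40                    # price pre-initialized by the attacker
# Intended price: 23.5 WBNB (token1) for 200 million memecoins (token0)
TARGET_SQRT = encode_sqrt_price_x96(235 * 10**17, 200_000_000 * 10**18)

if __name__ == "__main__":
    print(f"target price : {decode_price(TARGET_SQRT):.4e} WBNB per memecoin")
    for name, value in (("uninitialized", 0), ("normal", NORMAL_SQRT),
                        ("attacker", ATTACKER_SQRT)):
        verdict = "proceed" if migration_allowed(value, TARGET_SQRT) else "refuse"
        print(f"{name:13s}: price={decode_price(value):.4e} -> {verdict}")
```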