Background
On May 8, 2024, an attack on the GPU project on BNB Smart Chain was detected. The attack transaction hash was: https://bscscan.com/tx/0x2c0ada695a507d7a03f4f308f545c7db4847b2b2c82de79e702d655d8c95dadb
The attacked project was GPU, and the attack caused a total loss of USD 32,400.
Attack and incident analysis
The attacker first borrowed 226,007 BUSD from DODO using a flash loan.
The BUSD was then swapped for GPU tokens on PancakeSwap, yielding a total of 26,992 GPU.
Then, the attacker repeatedly transferred GPU tokens to himself through transfer.
The vulnerability appears in the transfer function of the GPU token, as shown in the following figure:
As you can see, the transfer of the GPU token ultimately calls the _transfer function of the parent contract, that is, the _transfer function of the ERC20 contract, as shown in the following figure:
From the above code, we can see that when making a transfer, the balances of from and to are first saved to the variables senderAmount and recipientAmount; the post-transfer values of senderAmount and recipientAmount are then calculated and finally written back to balances. However, when from and to are the same address, updating from first and then to overwrites the debit with a value computed from the balance saved before the transfer, which adds the transferred amount to that address out of thin air. Therefore, the attacker repeatedly transferred tokens to himself to increase his GPU token balance out of thin air.
Finally, the GPU tokens obtained by the attack were exchanged for BUSD through PancakeSwap, making a profit of 32,400 USD.
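The self-transfer flaw described above, next to a hardened form, as an added example reconstructed from the article's description (it is not the GPU token's actual source). The contract name SelfTransferDemo and the function names transferCached and transferSafe are hypothetical; only senderAmount, recipientAmount and balances come from the text.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only: a minimal balance ledger, not a full ERC20 and not the
// GPU token's code. Names other than senderAmount, recipientAmount and
// balances are assumptions made for this example.
contract SelfTransferDemo {
    mapping(address => uint256) public balances;
    uint256 public totalSupply;

    constructor(uint256 initialSupply) {
        balances[msg.sender] = initialSupply;
        totalSupply = initialSupply;
    }

    // Flawed pattern: both balances are cached before either one is written.
    function transferCached(address to, uint256 amount) external {
        address from = msg.sender;
        uint256 senderAmount = balances[from];
        uint256 recipientAmount = balances[to];
        require(senderAmount >= amount, "insufficient balance");

        balances[from] = senderAmount - amount;
        // If from == to, recipientAmount is the stale pre-debit balance, so
        // this write discards the debit and stores (old balance + amount).
        // The sum of balances now exceeds totalSupply.
        balances[to] = recipientAmount + amount;
    }

    // Hardened form: debit first, then credit by re-reading storage, so a
    // self-transfer nets to zero and the supply invariant holds.
    function transferSafe(address to, uint256 amount) external {
        address from = msg.sender;
        uint256 senderAmount = balances[from];
        require(senderAmount >= amount, "insufficient balance");

        balances[from] = senderAmount - amount;
        balances[to] += amount;
    }
}
```

A unit or invariant test that calls transfer with to equal to the caller and asserts the balance and the sum of all balances are unchanged catches this class of bug before deployment.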