Web3 Security Alert: A New Game of Cat and Mouse on the Chain, Sniper Bots Targeting Taxpayers
Today's article analyzes another type of RugPull technique used by the group, using the token "ZhongHua" as an example: masking the transfer function that can be used for RugPull with complex tax functionality logic. Next, we will analyze another detail of the RugPull technique in the case of the "ZhongHua" token at address 0xdf1a.
Background
In a previous article by CertiK titled "Revealing a Large-Scale RugPull Scheme Targeting New Robots on the Chain," it exposed an automated harvesting machine address 0xdf1a for a large-scale exit scam (referred to as RugPull) that completed over 200 RugPulls in just about two months. However, this group did not only use one RugPull technique.
The previous article used the MUMI token as an example to describe the RugPull technique of the group behind that address: by directly modifying the token balance of the tax collection address through a code backdoor, without changing the total token supply or sending a Transfer event, making it impossible for users viewing etherscan to detect the project team's secret token minting behavior.
Today's article analyzes another RugPull technique of the group using the token "ZhongHua" as an example: masking the transfer function that can be used for RugPull with complex tax functionality logic. Next, we will analyze the details of another RugPull technique of address 0xdf1a through the "ZhongHua" token case.
Deep into the Scam
In this case, the project team exchanged a total of 9.99 trillion ZhongHua for approximately 5.884 WETH, depleting the pool's liquidity. To delve deeper into the entire RugPull scam, let's review the events from the beginning.
Token Deployment
At 1:40 am on January 18 (UTC time, the same below), the attacker address (😈0x74fc) deployed an ERC20 token named ZhongHua (🪙0x71d7) and pre-mined 10 billion tokens to send to the attacker address (😈0x74fcfc).
The pre-mined token quantity matches the quantity defined in the contract source code.
Adding Liquidity
At 1:50 (10 minutes after token creation), the attacker address (😈0x74fc) granted approval to the Uniswap V2 Router for the ZhongHua token to prepare for adding liquidity.
One minute later, the attacker address (😈0x74fc) called the addLiquidityETH function in the Router to add liquidity to create the ZhongHua-WETH liquidity pool (🦄0x5c8b), adding all pre-mined tokens and 1.5 ETH to the liquidity pool, finally obtaining approximately 1.225 LP tokens.
From the above token transfer records, we can see that one transfer is the attacker (😈0x74fc) sending 0 tokens to the ZhongHua token contract itself.
This transfer is not a regular transfer for adding liquidity. By examining the token contract source code, it was found that there is a _getAmount function that is responsible for deducting from the sender's address and calculating the fee to be charged, then sending the fee to the token address, and triggering the Transfer event indicating that the token address has received the fee.
The _getAmount function will check if the sender of the transfer is the _owner, and if so, it will set the fee to 0. The _owner is assigned when the Ownable contract is deployed by the input parameter of the constructor function.
The ZhongHua token contract inherits the Ownable contract and assigns the deployer's msg.sender as the input parameter of the Ownable constructor function during deployment.
Therefore, the attacker address (😈0x74fc) is the _owner of the token contract. The 0 token transfer during liquidity addition is sent through the _getAmount function because _getAmount is called within the transfer and transferFrom functions.
Permanently Locking Liquidity
At 1:51 (within 1 minute of creating the liquidity pool), the attacker address (😈0x74fc) directly sent all 1.225 LP tokens obtained from adding liquidity to the address 0xdead to permanently lock the LP tokens.
Similar to the MUMI token case, once the LP is locked, theoretically the attacker address (😈0x74fc) no longer has the ability to perform RugPull by removing liquidity. In the RugPull scam targeting new robots led by address 0xdf1a, this step is mainly used to deceive anti-fraud scripts of new robots.
So far, from the user's perspective, all pre-mined tokens have been used to add to the liquidity pool, and no abnormal situations have occurred.
RugPull
At 2:10 am (about 30 minutes after the creation of the ZhongHua token), attacker address 2 (👹0x5100) deployed an attack contract (🔪0xc403) specifically for RugPull.
Similar to the MUMI token case, the project team did not use the attack address that deployed the ZhongHua token contract, and the attack contract used for RugPull is not open-source. The purpose is to increase the difficulty of tracing by technical personnel, a common feature in most RugPull scams.
At 7:46 am (about 6 hours after the token contract was created), attacker address 2 (👹0x5100) executed the RugPull.
By calling the "swapExactETHForTokens" method of the attack contract (🔪0xc403), they exchanged approximately 9.99 trillion ZhongHua tokens for about 5.884 ETH and depleted most of the liquidity in the pool.
Since the attack contract (🔪0xc403) is not open-source, we decompiled its bytecode, and the result is as follows:
https://app.dedaub.com/ethereum/address/0xc40343c5d0e9744a7dfd8eb7cd311e9cec49bd2e/decompiled
The main function of the "swapExactETHForTokens" function in the attack contract (🔪0xc403) is to first grant UniswapV2 Router the maximum amount of ZhongHua token transfer permission, then exchange the specified quantity "xt" of ZhongHua tokens (owned by the attack contract (🔪0xc403)) for ETH through the Router and send it to the "rescue" address declared in the attack contract (🔪0xc403).
You can see that the address corresponding to "_rescue" is the deployer of the attacking contract (🔪0xc403): the attacker's address 2 (👹0x5100).
The input parameter xt of this RugPull transaction is 999,000,000,000,000,000,000, corresponding to 9.99 billion ZhongHua tokens (ZhongHua's decimal is 9).
Finally, the project party used 9.99 billion ZhongHua to deplete the WETH in the liquidity pool, completing the RugPull.
Similar to the MUMI case in the previous article, we need to first confirm the source of ZhongHua tokens in the attacking contract (🔪0xc403). From the previous text, we know that the total supply of ZhongHua tokens is 1 billion. However, after the RugPull, we found that the total supply of ZhongHua tokens queried in the block explorer is still 1 billion, but the number of tokens sold by the attacking contract (🔪0xc403) is 9.99 billion, which is 999 times the total supply recorded in the contract. Where did these tokens, far exceeding the total supply, come from?
We examined the ERC20 transfer event history of the contract and found that, similar to the MUMI token RugPull case, in the ZhongHua token case, the attacking contract (🔪0xc403) also did not have any ERC20 token transfer-in events.
In the MUMI case, the tokens of the tax contract came directly from the modification of the balance in the token contract, allowing the tax contract to directly possess tokens far exceeding the total supply. Since the MUMI token contract does not correspondingly modify the totalSupply of the token when modifying the balance, nor does it trigger a Transfer event, we cannot see the token transfer-in record of the tax contract in the MUMI case, as if the tokens used by the tax contract for RugPull appeared out of thin air.
Returning to this ZhongHua case, the ZhongHua tokens in the attacking contract (🔪0xc403) also seem to have appeared out of thin air, so we also searched for the keyword "balance" in the ZhongHua token contract.
The results show that there are only three modifications to the balance variable in the entire token contract, in the "_getAmount", "_transferFrom", and "_transferBasic" functions, respectively.
Among them, "_getAmount" is used to handle the logic of collecting transfer fees, while "_transferFrom" and "_transferBasic" are used to handle the transfer logic, without any statements directly modifying the balance as clearly as in the MUMI token case shown in the figure below.
More importantly, in the ZhongHua token contract, whether in the "_getAmount", "_transferFrom", or "_transferBasic" functions, after modifying the balance, they correctly trigger the Transfer event. This is in conflict with the situation where we could not find the token transfer-in Transfer event related to the attacking contract (🔪0xc403) when querying the Transfer events.
Is it possible that, unlike the MUMI case, the tokens in the attacking contract (🔪0xc403) this time really appeared out of thin air?
Methodology Revealed
Where Did the Tokens in the Attacking Contract Come From
During the analysis of the case, when we found that every modification of the balance in the ZhongHua contract correctly triggered the Transfer event, but still could not find any records or Transfer events related to token transfers to the attacking contract (🔪0xc403), we needed to find a new analytical approach.
We searched through a large number of transfer records and even considered the "performZhongSwap" function in the contract as a breakthrough. This function is responsible for selling the tokens in the token contract, and in many other RugPull events we analyzed, there are many cases where such functions serve as RugPull backdoors.
Despite checking other functions, we still found nothing. So we began to focus on the "transfer" function itself. No matter how the attacker conducts the RugPull, the implementation logic of the "transfer" function must contain the most important information.
The Fatal Transfer
The "transfer" function in the token contract directly calls the "_transferFrom" function.
It seems that the "transfer" function carries out token transfer operations, and after the transfer is completed, it triggers the Transfer event.
However, before carrying out the token transfer, the "transfer" function first uses the "_isNotTax" function to check if the sender of the transfer is a tax-exempt address: if not, it uses the "_getAmount" function to collect taxes; if it is, no taxes are collected, and the tokens are sent directly to the recipient. And this is where the problem lies.
As mentioned earlier, in the implementation of "_getAmount", the token contract verifies the sender's balance, deducts the amount from the sender, and then sends the fee to the token contract.
The problem is that "_getAmount" is only called when the sender is not a tax-exempt address. When the sender is a tax-exempt address, the recipient's balance is directly increased by the amount.
At this point, the problem becomes very clear: when a tax-exempt address acts as the sender for a transfer, the token contract does not verify whether the sender's balance is sufficient, or even deduct the amount from the sender's balance. This means that as long as the token contract defines an address as tax-exempt, it can send any amount of tokens to any address. This is the reason why the attacking contract (🔪0xc403) was able to transfer out tokens 999 times the total supply.
Upon inspection, it was found that the token contract only sets _taxReceipt as a tax-exempt address in the constructor, and _taxReceipt corresponds to the address of the attacking contract (🔪0xc403).
This confirms the method of RugPull for ZhongHua token: The attacker used specific logic to bypass the balance check of privileged addresses, allowing the privileged address to transfer tokens out of thin air, thus completing the RugPull.
How to Profit
Using the above vulnerability, attacker address 2 (👹0x5100) directly called the attack contract with privileges (🔪0xc403) to execute "swapExactETHForTokens" and complete the RugPull. In the "swapExactETHForTokens" function, the attack contract (🔪0xc403) granted token transfer permission to Uniswap V2 Router, then directly called the Router's token exchange function, exchanging 9.99 billion ZhongHua tokens for 5.88 ETH from the pool.
In addition to the RugPull transaction mentioned above, the project team also sold tokens 11 times through the attack contract (🔪0xc403), accumulating 9.64 ETH. Including the final RugPull transaction, a total of 15.52 ETH was obtained. The cost was only 1.5 ETH for adding liquidity, a small amount of fees for deploying contracts, and a small amount of ETH spent on inducing new robot trading and active exchanges.
At one point, the project team even used different EOA addresses to call the attack contract (🔪0xc403) for token sales, making it appear as if different senders were selling tokens to disguise their continuous cash-out intentions.
Summary
Reflecting on the entire RugPull case of the ZhongHua token, it is found that the method itself is quite simple, just canceling the token balance check of privileged addresses. However, why wasn't it so smooth when analyzing this case? There may be two main reasons:
1. Different perspectives on security protection and attacks. For security professionals, balance checks in the code are the most basic security measures that need to be completed. Therefore, most security professionals subconsciously assume that the "transfer" function will naturally verify user balances, relaxing their vigilance against such vulnerabilities (or believing that such vulnerabilities are too basic for attackers to exploit).
However, from the attacker's perspective, the most effective attack method is often the simplest: not verifying balances as a straightforward and easily overlooked RugPull technique, there is no reason not to use it. In fact, at least from the case characterization, the traces left by the RugPull method in the ZhongHua token case are minimal, making it much more difficult to trace than other types of RugPull, ultimately requiring manual code auditing to locate the backdoor.
2. The project team consciously concealing the backdoor code that privileged addresses do not need to verify balances. The project team even separately implemented a complete tax transfer calculation logic for non-privileged addresses, as well as logic for withdrawing and reinvesting token addresses, making the token's complex transfer logic appear reasonable. When ordinary addresses make transfers, it is indistinguishable from normal behavior, and without carefully examining the code, no clues can be found.
Comparing the RugPull methods of the team for MUMI token and ZhongHua token, both used relatively covert methods to give privileged addresses control over a large number of tokens.
In the MUMI token RugPull case, the project team directly modified balances without changing totalSupply or triggering Transfer events, making users unaware that privileged addresses already had a large number of tokens.
In the case of the ZhongHua token, it was even more thorough, by directly not verifying the balance of privileged addresses, making it impossible to discover through any means other than viewing the source code that privileged addresses had unlimited tokens (a balanceOf query for the privileged address would show 0 balance, but could still transfer an infinite amount of tokens).
The RugPull case of the ZhongHua token reflects potential security issues in token standards. The ERC20 token standard can only constrain the righteous and cannot prevent the wicked. Attackers often hide imperceptible backdoors while implementing business logic that complies with the standard. By standardizing token behaviors, although flexibility is reduced, the possibility of hidden backdoors is avoided, providing more security safeguards.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
2024 Crypto Developer Report SummaryExecutive Summary
Digital Veblen Goods and Fees
Musings on the Future of Actually Smart Wallets
Bitwise CIO: Биткойн может достичь $200 000 без краха доллара