SharkTeam: Analysis of the HashFlow Attack Incident

On June 14, 2023, Beijing time, HashFlow fell victim to a hacker attack, resulting in an estimated profit of around $600,000 for the attackers.

SharkTeam conducted a prompt technical analysis of the incident and has summarized security measures to be taken as a precautionary approach. It is our hope that this incident serves as a lesson for future projects, contributing to the strengthening of security defenses within the blockchain industry.

1. Incident Analysis

Attacker address: 0xBDf38B7475Ff810325AA39e988fb80E0aA007E84

Attack contract: 0xDDb19a1Bd22C53dac894EE4E2FBfdB0A06769216

Attacked contract: 0x79cdFd7Bc46D577b95ed92bcdc8abAba1844Af0c

Attack transactions:

0xdedda493272b6b35660b9cc9070d2ea32ee61279b821184ff837e0a5752f4042

0xb08f6d3fc70b95223cfffc2c905d9c0467a589e5f652cd193e5c00b4ad329b99

0x08b5f35076beb363a7206b8f9b4a6460f42aa9f998b561582fb4e4cdd6f05dce

1. After deploying the attack contract (0xDDb19a1B), the attacker (0xBDf38B74) proceeded to call the Wooooo function within the attack contract (0xDDb19a1B).

2. During the attack, the attack contract (0xDDb19a1B) called the function with selector 0x0031b016 on the target contract (0x79cdFd7B).

3. That function transferred users' USDT tokens directly to the attack contract.

2. Vulnerability Analysis

The target contract (0x79cdFd7B) is a deprecated HashFlow contract that was abandoned in May of the previous year and was never open-sourced. Reverse engineering shows that the contract transfers tokens from the "from" address to the "to" address. Based on this analysis, it is highly likely that users had granted this contract large token allowances before May of the previous year. After the contract was deprecated, those allowances were never revoked, and because the contract's restriction logic after deprecation was apparently inadequate, the attacker was able to call a function of the deprecated contract and move user assets.
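The pattern described above, as an added illustration that is not HashFlow's code (the attacked contract is closed-source, so the contract names and the `settle` function are assumptions): a function that pulls tokens from a caller-supplied "from" address using nothing but the contract's lingering ERC-20 allowance, beside a hardened form that binds the pull to msg.sender and adds a one-way retirement switch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 interface; only the call this pattern depends on.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE PATTERN (hypothetical reconstruction, not HashFlow's code):
// any caller supplies `from`, and the only thing standing between that
// caller and the user's balance is the allowance the user once granted
// to this contract. "Deprecating" the contract off-chain changes nothing.
contract LegacySettlementVulnerable {
    function settle(address token, address from, address to, uint256 amount) external {
        // No check that msg.sender == from, no signature from `from`,
        // and no retirement switch: an old approval is enough to move funds.
        IERC20(token).transferFrom(from, to, amount);
    }
}

// HARDENED PATTERN: bind the pull to the caller, and give the owner a
// one-way kill switch so a retired contract can no longer spend anyone's
// lingering allowance even if users forget to revoke it.
contract LegacySettlementHardened {
    address public immutable owner;
    bool public deprecated;

    event Deprecated();

    constructor() {
        owner = msg.sender;
    }

    // One-way: once retired, every fund-moving path reverts permanently.
    function deprecate() external {
        require(msg.sender == owner, "not owner");
        deprecated = true;
        emit Deprecated();
    }

    function settle(address token, address to, uint256 amount) external {
        require(!deprecated, "contract retired");
        // Funds can only be pulled from the account that is calling;
        // a third party cannot point this contract at someone else's allowance.
        bool ok = IERC20(token).transferFrom(msg.sender, to, amount);
        require(ok, "transfer failed");
    }
}
```

Even with the hardened form, approvals granted to the old address remain valid on the token contract itself, so retiring a contract should be paired with telling users to set that allowance to zero.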

3. Subsequent Developments

After carrying out the attack, the attacker (0xBDf38B74) open-sourced the attack contract and left a message stating, "Before use recover, please revoke first. Your funds are not safe." This message serves as a reminder to users to revoke their authorizations to the targeted contract (0x79cdFd7B) before transferring their funds elsewhere.

The hacker left behind two functions. One function allows users to withdraw all their funds, while the other function leaves 10% of the assets as a reward for the attacker. Currently, users have started withdrawing their funds one by one.

4. Security Recommendations

This incident occurred because the targeted contract (0x79cdFd7B) had received large user authorizations in the past, and those authorizations were not revoked after its deprecation, resulting in user asset losses. To prevent similar attacks in the future, it is important to follow these precautions during the development process:

(1) Project developers should thoroughly validate and address any potential logic issues that may arise after deprecating a contract.

(2) Users should regularly review their account authorizations for different protocol contracts and promptly revoke authorizations for contracts they no longer interact with or that have been upgraded.

(3) Before deploying contract upgrades, it is crucial to collaborate with professional third-party auditing teams to ensure security.

About us

SharkTeam's vision is to comprehensively protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world. They are proficient in the underlying theory of blockchain and smart contracts, and provide services including smart contract auditing, on-chain analysis, and emergency response. The team has established long-term cooperative relationships with key players in various fields of the blockchain ecosystem, such as Polkadot, Moonbeam, polygon, OKC, Huobi Global, imToken, ChainIDE, etc.
Official website: https://www.sharkteam.org/
Twitter: https://twitter.com/sharkteamorg
Discord: https://discord.gg/jGH9xXCjDZ
Telegram: https://t.me/sharkteamorg
