Decoding TrustPad’s $155k Exploit

Summary

On the 7th of November 2023, TrustPad was attacked. The attack was made possible due to a logical flaw in the staking contract. Around $151k worth of tokens were stolen by the attacker.

About Project

TrustPad is a multi-chain launchpad. For more information, check out their website.

Vulnerability Analysis & Impact

On-Chain Details

Attacker Address: 0x1a7b15354e2f6564fcf6960c79542de251ce0dc9

Victim Contract: 0x1694d7fabf3b28f11d65deeb9f60810daa26909a

The Root Cause

• The root cause of the exploit was a logic flaw in TrustPad’s Staking Contract

• The receiveUpPool() function was responsible for accepting the upPool request from another pool and moves the specified amount of tokens from the user and then re-locks, and then change the lock time period to now. Here, upPool means moving the tokens to another pool.

• Notice how msg.sender is not verified in the above contract. This allowed attacker to continuously call receiveUpPool() and withdraw()

• Consequently, the attacker acquires the capability to immediately withdraw all staked funds and boost the pending reward status through the execution of the withdraw() function.

• Following the repetition of these actions, the attacker employs the stakePendingRewards() function to move all pending rewards into the staked amount state, enabling them to withdraw these rewards as profit later using the withdraw() function.

Attack Process

• First, the attacker deposit TPAD token into LaunchpadLockableStaking contract with the help of receiveUpPool() function.

• Then the attacker repeatedly call stakePendingRewards() and withdraw function to increase the impact of the attack.

• Finally, the attacker was able to withdraw all the funds.

Flow of Funds

Here is the fund flow during and after the exploit. You can see more details here.

Soon after the hack, the attacker started to transfer funds to Tornado Cash. See here.

After the Exploit

The Project acknowledged the hack via their Twitter.

Incident Timelines

Nov-06-2023 04:02:52 PM +UTC – The attacker started the attack after creating a malicious contract.

Nov-07-2023 01:56:56 AM +UTC – The attacker repeatedly called vulnerable function. This was the last transaction spotted

Nov-07-2023 12:32:42 PM +UTC – The attacker started depositing funds to Tornado Cash.

Price Impact

The price of the TPAD token dropped from $0.120 to $0.0016 immediately following the attack. It is currently trading at $0.0011 as of the time of writing this blog. See here.

How could they have prevented the Exploit?

Insufficient input validation and logical flaws have been the target of hackers for a very long time.

It is recommended for protocols to prioritize testing and fuzzing to ensure all the edge cases have been successfully mitigated.

Why QuillAudits For Web3 Security?

• QuillAudits is well-equipped with tools and expertise to provide cybersecurity solutions saving the loss of hundreds of protocols in funds.

• Our team of highly skilled auditors have secured over 1M lines of code and $30B in amount.

• Over the course of multiple years, QuillAudits has been proven to be one of the top choices for protocols to get their codebases audited.

Partner with QuillAudits

• OG Program (Opportunities for Listing Managers, KOLs, Top Advisors and Investors with access to early stage Web3 projects)

• QuillAudits Partnership Programme (Venture funds, launchpads, development companies, marketing firms, web2 cybersecurity firms, web3 products)

• WAGSI Program(Claim audit credits to avail exclusive discounts on our auditing package, and additional credits for our automated web3 security infra- QuillShield)