iVest Token Vulnerability: How an Attacker Manipulated Prices Using the Donation Feature
iVest, a project on the Binance Smart Chain, suffered an exploit on August 12, 2024, resulting in an estimated loss of approximately $172,000 at the time of writing. The incident highlights vulnerabilities in the custom transfer function of ERC20 used to provide additional features such as tax and donations.
Overview
Attacker:
https://bscscan.com/address/0x4645863205b47a0A3344684489e8c446a437D66C
Vulnerable Contract:
https://bscscan.com/address/0x786fcf76dc44b29845f284b81f5680b6c47302c6
Transaction attack: https://bscscan.com/tx/0x12f27e81e54684146ec50973ea94881c535887c2e2f30911b3402a55d67d121d
Exploit Analysis
The attack focused on the __MakeDonation function, which is invoked when transferring iVest tokens. This function burns or donates additional tokens from the sender in certain cases. Deducting more tokens than the sending amount from the sender causes serious issues in the swap pool because the attacker can use it to decrease the number of tokens in the pool, altering the k ratio and enabling price manipulation.
The attacker first flashloans WBNB and swaps it for iVest tokens. Then, they transfer an amount of iVest tokens to the WBNB/iVest pair and skim (transfer out tokens to force balances to match reserves) the tokens to address(0), which triggers __MakeDonation to burn more tokens from the reserve of the pool. This is followed by performing a sync to manipulate the k ratio. The price of the iVest token is now much higher than at the beginning, allowing the attacker to swap the remaining iVest tokens back to WBNB and profit from the increased price.
Lesson learned
The ERC20 contract is critically important because it manages all the funds within the ecosystem. Therefore, developers must exercise extreme caution when creating one. Avoid customizing the logic within the ERC20 contract whenever possible. Any custom logic for the transfer function should be handled with extreme caution when performing swaps between tokens in an AMM pool.
It is strongly recommended to conduct a security audit, whether it is a simple ERC20 contract with some minor changes or a complex DeFi protocol with hundreds of thousands of lines of code.