Someone has just hacked $1m from Wanaka Farm (WANA)?
Verichains Lab, together with BShield, has investigated a critical but simple bug that cost an NFT game named Wanaka Farm about a million USD.
Wanaka Farm is an NFT and Play-to-Earn game. The game launched on Oct 29, 2021 but had to be closed immediately after release to fix deposit errors.
That sounded interesting, so we decided to do a little investigation of our own and found something notable:
On 11/11/2021, someone sent the following transactions:
1. Create 1000 wallets, disperse 0.02BNB each wallet for transaction fee.
https://bscscan.com/tx/0x9bd6611c36ee393d0a3fad938911c2b91db743f3851e392e2d22c89421bcf7b2
https://bscscan.com/tx/0x97e9f37bcd63766cddf017a307c1376e2c745f8092242df9afc8024a897f2e2a
2. Transferred 270 WANA into one of the above wallets, then deposited those 270 WANA from that wallet into the smart contract 0x164664fcf89f3b722bcba6f02f2c9e3b9081c2a1. Triggered a withdrawal from the contract back to the wallet 6 times. Then moved 270 WANA on to another wallet and concentrated the extra 1350 WANA into the main wallets.
3. Repeated step 2 from the next wallet, the one that received the original 270 WANA.
Looking inside the withdrawal transaction, it was initiated from 0x97b4f4a0290c4b7f50bcbf1f908a1f81b7d29ca1. So I guess a backend API holds the operator key at 0x97b4… and uses it to trigger the smart contract's withdraw function on the player's behalf.
For some reason, the backend API appears to have kept triggering withdrawals without waiting for the player's balance to be confirmed and debited first, so every repeated request was accepted against the same undebited balance. The developers shut down the backend API to fix the issue, but the damage was already done. The attacker collected all the WANA into 0x1f7234eabcb85242f15e3fd8962b70a4caf92b4c and other wallets, then sold about $310k worth for profit. They stopped selling when the price dropped too fast and still hold a lot of WANA. Estimate: 1000 wallets x 1350 WANA ~ 1m WANA stolen. The attacker might have earned $1–2 million USD.
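To make the failure mode concrete, here is an added example (our own illustration, not Wanaka Farm's code) that models the withdrawal flow off-chain. The vulnerable service does exactly what the post describes: it checks the player's balance, broadcasts the withdraw transaction, and only debits the balance once the chain confirms, so every request that arrives before the first confirmation passes the check. The hardened version debits atomically under a lock before broadcasting and refunds only on a confirmed failure. A small reconciliation helper shows the check a defender would run over deposit and withdrawal events to spot overdrawn accounts. The class names, the `FakeChain` stand-in and the amounts (270 WANA, 6 attempts) are constructed for illustration.

```python
"""Added example, not the project's code: withdrawal race modelled off-chain."""
from __future__ import annotations
import threading
from dataclasses import dataclass, field


@dataclass
class FakeChain:
    """Stand-in for the blockchain (constructed for this example): records
    broadcast withdrawals so confirmations can be replayed later, as a real
    node would report them after some blocks."""
    broadcast: list[tuple[str, int]] = field(default_factory=list)

    def send_withdraw(self, account: str, amount: int) -> None:
        self.broadcast.append((account, amount))


class VulnerableWithdrawService:
    """Check balance, broadcast, debit later: the pattern the post describes."""

    def __init__(self, chain: FakeChain, balances: dict[str, int]):
        self.chain, self.balances = chain, balances

    def withdraw(self, account: str, amount: int) -> bool:
        if self.balances.get(account, 0) < amount:
            return False
        self.chain.send_withdraw(account, amount)  # balance still undebited here
        return True

    def on_confirmed(self, account: str, amount: int) -> None:
        # The debit only arrives with the chain confirmation, long after
        # the repeated requests were already accepted.
        self.balances[account] -= amount


class HardenedWithdrawService:
    """Atomic check-and-debit under a lock before anything is broadcast."""

    def __init__(self, chain: FakeChain, balances: dict[str, int]):
        self.chain, self.balances = chain, balances
        self.lock = threading.Lock()
        self.pending: list[tuple[str, int]] = []

    def withdraw(self, account: str, amount: int) -> bool:
        with self.lock:  # no other request can interleave between check and debit
            if amount <= 0 or self.balances.get(account, 0) < amount:
                return False
            self.balances[account] -= amount
            self.pending.append((account, amount))
        self.chain.send_withdraw(account, amount)
        return True

    def on_confirmed(self, account: str, amount: int) -> None:
        with self.lock:
            self.pending.remove((account, amount))

    def on_failed(self, account: str, amount: int) -> None:
        # Refund only when the chain reports that the transaction failed.
        with self.lock:
            self.pending.remove((account, amount))
            self.balances[account] += amount


def replay_withdrawals(service_cls, deposit: int, attempts: int) -> int:
    """Deposit once, request `attempts` withdrawals of the full deposit before
    any confirmation arrives, then apply the confirmations. Returns the total
    amount that reached the chain."""
    chain = FakeChain()
    svc = service_cls(chain, {"player": deposit})
    for _ in range(attempts):
        svc.withdraw("player", deposit)
    for account, amount in list(chain.broadcast):
        svc.on_confirmed(account, amount)
    return sum(amount for _, amount in chain.broadcast)


def overdrawn_accounts(deposits: dict[str, int],
                       withdrawals: list[tuple[str, int]]) -> dict[str, int]:
    """Reconciliation check: accounts whose total withdrawals exceed their total
    deposits, mapped to the excess. Running this over deposit/withdraw events
    would have flagged the pattern in the post after the first extra withdrawal."""
    withdrawn: dict[str, int] = {}
    for account, amount in withdrawals:
        withdrawn[account] = withdrawn.get(account, 0) + amount
    return {a: withdrawn[a] - deposits.get(a, 0)
            for a in withdrawn if withdrawn[a] > deposits.get(a, 0)}


if __name__ == "__main__":
    print("vulnerable:", replay_withdrawals(VulnerableWithdrawService, 270, 6))  # 1620
    print("hardened:", replay_withdrawals(HardenedWithdrawService, 270, 6))      # 270
```

With a 270 WANA deposit and six requests, the vulnerable service lets 1620 WANA reach the chain (270 deposited plus the 1350 extra the post describes per wallet), while the hardened service lets exactly 270 through. The essential change is ordering: the balance must be debited in the same atomic step as the check, before the operator key signs anything, and a confirmed on-chain failure is the only event that credits it back.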
Some wallets of the attacker:
0xb23067D4660f0E2de2978dc8Bda1432986709554: 235k BUSD + 125k WANA
0xD704b5CDf9737997b89181DFe4fd8457F3E42F53: 235k BUSD
0xAC68f671A876Bff46a66CFFFE064F0283d59BC91: 245k BUSD
Originally published in VeriChains Lab on Medium.