YB token hack analysis
The YB Token suffered an exploit on April 16, 2024, resulting in an estimated loss of approximately $15K at the time of the exploit. The root cause of the exploit was the lack of slippage protection when charging fees to buy back tokens.
Overview
Attacker: https://bscscan.com/address/0x00000000b7da455fed1553c4639c4b29983d8538
Vulnerable Contract: https://bscscan.com/address/0xbdcd584ec7b767a58ad6a4c732542b026dceaa35
Attack transaction: https://bscscan.com/tx/0xe1e7fa81c3761e2698aa83e084f7dd4a1ff907bcfc4a612d54d92175d4e8a28b
Exploit Analysis
The YB Token contract contains logic within its _tokenTransfer function that automatically triggers an external bot contract to perform token swap operations—specifically swapBuy when a user sells YB tokens, and swapSell when a user buys them. While this automation is intended to streamline token interactions, it introduces a vulnerability: the triggered bot swaps are executed without enforcing proper slippage protection.
This lack of slippage safeguards means that attackers can manipulate token prices by injecting a small amount of tokens into the liquidity pool to artificially adjust the price. Once the price is temporarily distorted, the attacker can initiate a sequence of sandwich attacks—placing buy and sell transactions around the bot’s triggered swap. This allows the attacker to exploit the price difference caused by the unprotected swap and extract profit.
Lesson learned
Slippage protection is very important when using the Uniswap protocol. Contracts that automatically buy or sell tokens without slippage protection are attractive targets for exploiters, as they can easily perform sandwich attacks on automated transactions to take advantage of price fluctuations for profit. Always remember to use slippage protection when swapping, and avoid implementing automatic buy/sell functions in contracts whenever possible.
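As an added illustration (not the YB Token or bot contract's own code), the unprotected buyback pattern described in the Exploit Analysis above beside a hardened form that applies this lesson. It assumes a Uniswap V2-style router (as on PancakeSwap); the contract name, function names and the keeper role are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal interface; swapExactTokensForTokens exists on real Uniswap V2 / PancakeSwap routers.
interface IUniswapV2Router02 {
    function swapExactTokensForTokens(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path,
        address to, uint256 deadline
    ) external returns (uint256[] memory amounts);
}
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}
// Illustrative only: BuybackBot, buyBackVulnerable, buyBackHardened and keeper are assumed names.
contract BuybackBot {
    IUniswapV2Router02 public immutable router;
    address public immutable token;   // the project token being bought back
    address public immutable quote;   // asset paid in, e.g. WBNB or a stablecoin
    address public keeper;            // off-chain operator allowed to trigger buybacks

    constructor(address _router, address _token, address _quote, address _keeper) {
        router = IUniswapV2Router02(_router);
        token = _token; quote = _quote; keeper = _keeper;
    }

    // WEAK: the pattern behind the incident. Reachable from a transfer hook on every
    // buy/sell, with amountOutMin = 0, so any output amount is accepted and a
    // sandwicher can capture almost the whole value of the swap.
    function buyBackVulnerable(uint256 amountIn) external {
        IERC20(quote).approve(address(router), amountIn);
        address[] memory path = new address[](2);
        path[0] = quote; path[1] = token;
        router.swapExactTokensForTokens(amountIn, 0, path, address(this), block.timestamp);
    }

    // HARDENED: not called from a transfer hook; triggered explicitly by a keeper that
    // computes minOut off-chain from a reference price and its slippage budget.
    // Deriving minOut on-chain via getAmountsOut in the same transaction gives no
    // protection, because it reads the already-manipulated reserves.
    function buyBackHardened(uint256 amountIn, uint256 minOut, uint256 deadline) external {
        require(msg.sender == keeper, "not keeper");
        require(minOut > 0, "minOut must be set");
        require(deadline >= block.timestamp, "expired");
        IERC20(quote).approve(address(router), amountIn);
        address[] memory path = new address[](2);
        path[0] = quote; path[1] = token;
        // The router reverts if the amount received is below minOut.
        router.swapExactTokensForTokens(amountIn, minOut, path, address(this), deadline);
    }
}
```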
It is strongly recommended to conduct a security audit, whether it is a simple ERC20 contract with some minor changes or a complex DeFi protocol with hundreds of thousands of lines of code.