Type: #logicFlow
Project: Levyathan
Date: 28/07/21
Blockchain: BSC
Problem: The Levyathan developers left the private keys to a wallet with minting capability available on GitHub.
The Levyathan protocol faced two critical issues:
* Lost keys and minting.
* Vulnerable emergencyWithdraw.
1. In Levyathan’s authorization system, the developer added a function to the MasterChef to recover the token’s ownership. Presumably, this was done to allow the creation of a v2 of the contract with enhanced features. Only its owner, the Timelock, had permission to change it.
On Jul 28th, 2021, the owner of the Timelock, which wasn’t a multisig contract, passed a transaction through the Timelock, scheduling an ownership transfer. On Jul 30th, 2021, the transaction was executed; the hacker gained control over the LEV token and minted lots of tokens.
2. Since the MasterChef lost its ownership of the token, it couldn’t mint tokens when users withdrew, which triggered errors. Usually, such a problem can be mitigated with the emergencyWithdraw() function, which returns the staked tokens without any rewards. Here, however, emergencyWithdraw() returned an amount of tokens equal to rewardDebt and not user.amount. rewardDebt is an intermediary variable used by the contract to compute the final rewards owed to the staker, which is usually higher than the real reward.
The hacker:
1) Visits GitHub, searches for a private key leak.
2) Transfers ownership of the token from the MasterChef to themselves, then mints and sells tokens.
Afterwards, users start using emergencyWithdraw and withdraw more tokens than they should receive.
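The emergencyWithdraw accounting flaw from issue 2, as an added Python model that is not Levyathan's contract code. It assumes the common MasterChef bookkeeping rule rewardDebt = amount * accRewardPerShare / 1e12; all names and numbers are constructed for illustration.

```python
from dataclasses import dataclass, field

PRECISION = 10**12  # assumed scaling factor for accRewardPerShare


@dataclass
class User:
    amount: int = 0       # tokens the user actually staked
    reward_debt: int = 0  # bookkeeping value, not a balance


@dataclass
class Pool:
    acc_reward_per_share: int = 0  # scaled by PRECISION
    staked_balance: int = 0        # staking tokens held by the contract
    users: dict = field(default_factory=dict)

    def accrue(self, reward: int) -> None:
        """Credit `reward` to current stakers (updatePool equivalent)."""
        if self.staked_balance:
            self.acc_reward_per_share += reward * PRECISION // self.staked_balance

    def deposit(self, who: str, amount: int) -> None:
        user = self.users.setdefault(who, User())
        user.amount += amount
        self.staked_balance += amount
        user.reward_debt = user.amount * self.acc_reward_per_share // PRECISION

    def emergency_withdraw(self, who: str, buggy: bool) -> int:
        user = self.users[who]
        # Flawed variant pays reward_debt; correct variant pays the stake.
        payout = user.reward_debt if buggy else user.amount
        if payout > self.staked_balance:
            raise RuntimeError("pool cannot cover payout")
        self.staked_balance -= payout
        user.amount = user.reward_debt = 0
        return payout


def scenario(buggy: bool) -> tuple:
    """Return (bob's payout, shortfall against the remaining stakers)."""
    pool = Pool()
    pool.deposit("alice", 1_000)
    pool.accrue(3_000)        # 3 reward tokens per staked token
    pool.deposit("bob", 100)  # reward_debt becomes 300
    paid = pool.emergency_withdraw("bob", buggy)
    owed = sum(u.amount for u in pool.users.values())
    return paid, max(0, owed - pool.staked_balance)
```

A useful invariant to test in any fork of this contract: after emergencyWithdraw, the payout equals the caller's user.amount and the contract's staked balance still covers every remaining user.amount.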
Discoverer: NaN. was hacked
Harm: 1.5 M $