Another DeFi Hack leads to $3 million in Ethereum, BNB losses; Details

Lavina Daryanani

The Fegtoken ecosystem has been hacked more than once over the last couple of days. On 16 May, the DeFi project’s FEGexPRO contract on both Ethereum and BNB Chain was exploited for approximately 3,280 BNB and 145 Ethereum via a flash loan attack.

Fegtoken is a decentralized transaction network on Ethereum and Binance Smart Chain, driven by its native deflationary FEG token.

During the early hours of Tuesday, the Fegtoken ecosystem was attacked again, by an alleged new attacker. This time, funds worth close to $1.9 million were drained.

The attackers exploited the Swap-to-Swap functionality in the Fegtoken swap contract on Binance Smart Chain and Ethereum, draining approximately $3.188 million in total.

In reaction, the FEG token was down by more than 13% in the day’s trade.

Analyzing how the attack was executed

Blockchain security and audit service firm Beosin outlined how the initial attack was executed. Per their analysis, the hacker initially called the attack contract to flash loan 915.84 WBNB from the DVM contract and then converted 116.81 WBNB into 115.65 fWBNB to prepare for the subsequent attack.

Essentially, the hacker used the attack contract to create 10 contracts. He then staked the redeemed fWBNB tokens to the FEGexPRO contract and then repeatedly called the depositInternal and swapToSwap functions to let the FEGexPRO contract approve fBNB to the other contracts previously deployed.

Then, the transferFrom function was called using other attack contracts to transfer all the fBNBs in the FEGexPRO contract to the attack contract. The hacker then borrowed 31,217,683,882,286.007211154 FEG tokens and 423 WBNB from an LP trading pair contract.

The aforementioned steps were repeated several times to “steal” a large amount of FEG tokens from the FEGexPRO contract into the attack contract. The flash loan was then returned and the obtained WBNB was transferred to the attack contract to complete this attack.

“More than 50 identical attacks have been executed using the same method, with a total profit of about 144 ETH and 3280 BNB.”

Source: Beosin
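
A monitoring check for the pattern in Beosin's walkthrough, where one contract approves several helper contracts within a single transaction. This is an added example, not code from Beosin, PeckShield or Fegtoken. The decoded event records, the names POOL, ATK, H1 to H3, ROUTER and USER, and the rule that approvals granted in a transaction should not exceed what the contract received in it are all constructed assumptions.

```python
from collections import defaultdict

# Constructed, already-decoded ERC-20 events (not real chain data).
# POOL stands in for a swap contract, H1..H3 for helper contracts.
EVENTS = [
    {"tx": "0xaaa", "event": "Transfer", "token": "fWBNB",
     "from": "ATK", "to": "POOL", "value": 115},
    {"tx": "0xaaa", "event": "Approval", "token": "fWBNB",
     "owner": "POOL", "spender": "H1", "value": 115},
    {"tx": "0xaaa", "event": "Approval", "token": "fWBNB",
     "owner": "POOL", "spender": "H2", "value": 115},
    {"tx": "0xaaa", "event": "Approval", "token": "fWBNB",
     "owner": "POOL", "spender": "H3", "value": 115},
    # Ordinary swap: one deposit, one approval of the same size.
    {"tx": "0xbbb", "event": "Transfer", "token": "fWBNB",
     "from": "USER", "to": "POOL", "value": 50},
    {"tx": "0xbbb", "event": "Approval", "token": "fWBNB",
     "owner": "POOL", "spender": "ROUTER", "value": 50},
]

def suspicious_approvals(events, min_spenders=3):
    """Flag (tx, token, owner) where the owner approved many distinct
    spenders for more tokens than it received in the same transaction."""
    received = defaultdict(int)      # (tx, token, recipient) -> amount in
    allowances = defaultdict(dict)   # (tx, token, owner) -> {spender: value}
    for e in events:
        if e["event"] == "Transfer":
            received[(e["tx"], e["token"], e["to"])] += e["value"]
        elif e["event"] == "Approval":
            # A later Approval for the same spender replaces the earlier one.
            allowances[(e["tx"], e["token"], e["owner"])][e["spender"]] = e["value"]
    findings = []
    for key, per_spender in allowances.items():
        approved = sum(per_spender.values())
        got = received.get(key, 0)
        if len(per_spender) >= min_spenders and approved > got:
            findings.append({"tx": key[0], "token": key[1], "owner": key[2],
                             "spenders": sorted(per_spender),
                             "approved": approved, "received": got})
    return findings

if __name__ == "__main__":
    for finding in suspicious_approvals(EVENTS):
        print(finding)
```

The threshold of three spenders is arbitrary; a production rule would also need an allowlist for contracts that legitimately approve many routers.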

On Monday, blockchain and security analysis company PeckShield Inc. was seen working with the Fegtoken team on pausing and rescuing the stolen funds.