Four.meme attack event analysis

Reprinted from chaincatcher
02/13/2025 · Author: Zero-Shi Technology
Background introduction
four.meme is a memecoin launchpad incubated by Binance Academy, similar to pump.fun.
Our monitoring detected that the memecoin snowboard ( https://four.meme/token/0x4abfd9a204344bd81a276c075ef89412c9fd2f64 ) on the platform was attacked, with a loss of approximately USD 15,000. The attack transaction is: https://bscscan.com/tx/0x2902f93a0e0e32893b6d5c907ee7bb5dabc459093efa6dbc6e6ba49f85c27f61
Attack and Event Analysis
four.meme technical principle
four.meme is a memecoin launchpad on BNB Smart Chain, similar to pump.fun. Launchpad platforms of this kind have three main stages:
• Stage 1: A user creates a memecoin on the platform with a custom name, logo, description, social account (optional), etc.
• Stage 2: Other users can buy and sell the memecoin on the platform.
• Stage 3: When the market value of the memecoin reaches a certain threshold (24 BNB), it is migrated to a DEX (PancakeSwap).
Below, we look at the technical details of each stage.
Stage 1
On the launchpad platform, the user fills in the details of the memecoin to be created through the interface.
After filling them in, the user pays the handling fee and the memecoin's on-chain contract is created. This contract is created by the official launchpad contract, so the owner of the created ERC-20 token is also the official launchpad contract. Below we can take a look at an example of creating a memecoin in four.meme:
First, the user pays the handling fee, and the official launchpad contract deploys the memecoin's ERC-20 token contract and mints an initial supply of 1,000,000,000 (the total amount of the virtual pool for the memecoin is 30 BNB).
Next, we can see that the owner of the created token is also an official launchpad smart contract.
This means that although the memecoin is created by the user on the launchpad, the owner of the ERC-20 contract on the chain is not the user. This prevents the user from minting tokens for himself and from other malicious behavior. Once the memecoin smart contract is deployed on the chain, it enters the second stage, in which all users on the platform can buy and sell it.
Stage 2
Other users can buy and sell the memecoin through the platform, but tokens obtained this way cannot be sent to other users with transfer. We can take a look at the source code of the ERC-20 token on the chain.
In _beforeTokenTransfer, transfers are restricted through the parameter _mode.
At this stage, the _mode of the token is 1, that is, MODE_TRANSFER_RESTRICTED, which restricts transfers by third parties.
This is done to prevent OTC trading from affecting the price. When a user buys or sells, the four.meme contract first sets _mode to 2, then calls transfer, and after the transfer is completed sets _mode back to 1 to restrict transfers from other users. This is how the memecoin is delivered after a purchase.
Stage 3
When the market value of this memecoin reaches 24 BNB, the bonding curve process reaches 100%. The launchpad then migrates the remaining 20% of the memecoin and 24 BNB to the DEX PancakeSwap. At this point, Stage 3 is complete. The following transaction is the one in which the launchpad migrated the memecoin to PancakeSwap.
We can see that the launchpad first sets the _mode of the memecoin to 0, that is, MODE_NORMAL, allowing users to trade over the counter. Then the launchpad creates a trading pair of the memecoin and WBNB, and finally adds liquidity of 23.5 BNB (of which 0.5 BNB is the fee) and 200 million memecoin to the trading pair. The price at which liquidity is added is sqrtPriceX96 = 27169599998237907265358521. Because the calculation formula of sqrtPriceX96 is as follows:
Therefore, the price of this memecoin when liquidity is added is 0.0000001175 WBNB, which can also be obtained by dividing 23.5 WBNB by 200 million memecoin. Every memecoin migrated to the DEX therefore starts at the same price, 0.0000001175 WBNB.
Attack principle
After understanding the life cycle of the full memecoin in four.meme, let’s take a look at the attack process in detail. First, the attacker created an initialized DEX trading pair in advance. Moreover, setting the sqrtPriceX96 of the transaction pair to 1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
When the bonding curve process of the memecoin reaches 100% and the launchpad migrates the memecoin to the DEX, the launchpad uses createAndInitializePoolIfNecessary to create the trading pair. Because the trading pair had already been created and initialized by the attacker, liquidity is added at the price the attacker set when initializing it. In effect, the price of this memecoin is raised for no legitimate reason.
At this point, the launchpad adds liquidity using 1 memecoin and 23.5 WBNB. Subsequently, the suspected attacker used 1600 memecoin to swap out 23.4 WBNB from the trading pair, and the attack ended.
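The check the migration lacked, as an added Python model (not four.meme's or PancakeSwap's code): it encodes the expected price using the standard v3 convention sqrtPriceX96 = sqrt(price) · 2^96, models the "initialize only if necessary" behaviour, and refuses to add liquidity when the pool's actual price differs from the expected one. Pool, guarded_migrate, the pool key, the fee tier and the 50 bps tolerance are assumptions made for illustration.

```python
from math import isqrt

Q96 = 1 << 96
# sqrtPriceX96 quoted in the article for a normal migration.
ARTICLE_SQRT_PRICE_X96 = 27169599998237907265358521

def encode_sqrt_price_x96(amount1: int, amount0: int) -> int:
    """floor(sqrt(amount1 / amount0) * 2**96) using integer math only."""
    return isqrt((amount1 << 192) // amount0)

def decode_price(sqrt_price_x96: int) -> float:
    """token1 per token0 (raw units; both tokens assumed to have 18 decimals)."""
    return (sqrt_price_x96 / Q96) ** 2

class Pool:
    """Toy pool (hypothetical model): the price can be initialized only once."""
    def __init__(self) -> None:
        self.sqrt_price_x96 = 0

    def initialize(self, sqrt_price_x96: int) -> None:
        if self.sqrt_price_x96 != 0:
            raise RuntimeError("already initialized")
        self.sqrt_price_x96 = sqrt_price_x96

def create_and_initialize_if_necessary(pools: dict, key: tuple, sqrt_price_x96: int) -> Pool:
    """Models the 'if necessary' behaviour: an initialized pool is returned as-is."""
    pool = pools.setdefault(key, Pool())
    if pool.sqrt_price_x96 == 0:
        pool.initialize(sqrt_price_x96)
    return pool

def guarded_migrate(pools: dict, key: tuple, wbnb_wei: int, token_wei: int,
                    max_deviation_bps: int = 50) -> Pool:
    """Refuse to add liquidity unless the pool sits at the price the launchpad expects."""
    expected = encode_sqrt_price_x96(wbnb_wei, token_wei)
    pool = create_and_initialize_if_necessary(pools, key, expected)
    # Compare what the pool actually holds, not the value that was passed in.
    deviation = abs(pool.sqrt_price_x96 - expected)
    if deviation * 10_000 > expected * max_deviation_bps:
        raise ValueError("pool already initialized at an unexpected price")
    return pool

# Constructed amounts matching the article: 23.5 WBNB against 200 million memecoin.
WBNB_WEI = 235 * 10**17
TOKEN_WEI = 200_000_000 * 10**18
KEY = ("MEME", "WBNB", 2500)  # placeholder pool key; the fee tier is an assumption
```

A guard like this turns a manipulated price into a failed migration, so the launchpad still needs a recovery path for a pool that someone else initialized first.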
Summary
The cause of this vulnerability lies in the migration to the DEX that takes place when a memecoin's bonding curve process on Four.meme's internal market reaches 100%. The PancakeSwap trading pair is created with createAndInitializePoolIfNecessary, and the case where the trading pair has already been created is not taken into account. Because the attacker had created and initialized the trading pair in advance, liquidity was added at the wrong price set by the attacker. This caused the price of the memecoin to soar after the migration, and the attacker then used the memecoin he held to drain the WBNB from the pool, completing the attack. It is recommended that project teams verify their economic models and code logic from multiple angles during design, and have several audit companies cross-audit the contract before it is launched.