MEV Contract Exploited in AnyswapV4Router for $130,000 Theft
It is reported that, according to the monitoring of the Beosin EagleEye security risk monitoring, warning and blocking platform of Beosin, a blockchain securit…
It is reported that, according to the monitoring of the Beosin EagleEye security risk monitoring, warning and blocking platform of Beosin, a blockchain security audit company, on February 15, 2023, an attacker used the MEV contract (0xd050) to preemptively call the anySwapOutUnderlyingWithPermit function of the AnyswapV4Router contract before the normal transaction execution (the user authorized the WETH but has not yet transferred the account) for signature authorization transfer, Although the function uses the permit signature verification of the token, the stolen WETH has no relevant signature verification function, and only triggers the deposit function in the fallback. In subsequent function calls, attackers can directly use the safeTransferFrom function to_ The underlying address is authorized to the WETH of the attacked contract and transferred to the attack contract. The attacker made a profit of about 87 Ethereum, about $130000. Beosin Trace tracked and found that about 70 Ethereum stolen funds had entered the address 0x690b, and about 17 Ethereum remained in the MEVBOT contract.
Security team: Multichain’s Anyswap V4 Router contract suffered a preemptive attack, and the attacker made about $130000
Interpretation of the news:
According to the Beosin EagleEye security risk monitoring platform, an attacker was able to exploit the MEV contract in the AnyswapV4Router for a $130,000 theft. The attack occurred on February 15, 2023, where the attacker preemptively called the anySwapOutUnderlyingWithPermit function before the user authorized the WETH account transfer. Although the function uses permit signature verification, the stolen WETH had no relevant signature verification function, allowing the attacker to transfer the WETH to the attack contract.
The MEV contract or Maximal Extractable Value contract is a type of smart contract used in Ethereum to capture profits from different exchanges. It enables miners to prioritize transactions to get the highest returns by reordering transactions based on profitability. However, attackers can also use MEV contracts to exploit vulnerabilities and gain unauthorized access to funds.
In this case, the attacker was able to exploit the AnyswapV4Router contract by calling a function before the user authorized the WETH transfer. The attacker was able to trigger the deposit function in the fallback, allowing them to directly use the safeTransferFrom function. They were able to access the WETH of the attacked contract and transfer it to the attack contract, resulting in a profit of about 87 Ethereum or around $130,000.
Beosin Trace, a blockchain security audit company, was able to track and find about 70 Ethereum stolen funds, which had entered the address 0x690b. However, about 17 Ethereum remained in the MEVBOT contract.
This incident highlights the importance of blockchain security and ongoing monitoring of smart contract vulnerabilities. It also emphasizes the need for continuous updates and patches to address any potential issues that could be exploited by attackers. Companies that create smart contracts and blockchain-enabled platforms should prioritize security and implement thorough testing and analysis before launching new products or features.
In conclusion, the MEV contract exploitation in AnyswapV4Router resulted in a significant theft of $130,000 in Ethereum funds. Blockchain security experts must remain vigilant in monitoring any identified vulnerabilities and developing effective safeguards to protect user assets. Companies must also prioritize the security of their platforms and products to prevent such incidents from occurring in the future.
This article and pictures are from the Internet and do not represent qiAiAi's position. If you infringe, please contact us to delete:https://www.qiaiai.com/ai/551.html
It is strongly recommended that you study, review, analyze and verify the content independently, use the relevant data and content carefully, and bear all risks arising therefrom.
Related recommendations
-
Exploring the Future of Cryptocurrency-based Technologies and El Salvador’s Involvement
21:00-7:00 Key words: Rocket Pool, BAKC, Polygon Labs, El Salvador
Overview of important developments overnight on February 19
Interpretation of t…
-
Elon Musk Admits Pressure From the Court Led to Twitter Acquisition
On April 12th, Twitter CEO Elon Musk admitted in an interview with BBC journalist James Clayton that the final decision to acquire Twitter was under pressure from the court, and he
-
Israeli Prime Minister Netanyahu considers assistance for Israeli companies amidst potential impact from Silicon Valley bank collapse
According to reports, Israeli Prime Minister Benjamin Netanyahu said that the government would assess the impact of the collapse of Silicon Valley banks on Israeli companies and decide whether to provide them with assistance, mainly in terms of cash flow. (Washington Post) Israeli Prime Minister: The government will assess the impact of the collapse of Silicon Valley banks on Israeli companies and decide whether to provide assistance Analysis based on this information:The recent collapse of Silicon Valley banks has raised concerns for Israeli companies, prompting Israeli Prime Minister Benjamin Netanyahu to consider assistance in terms of cash flow. According to reports from the Washington Post, the Israeli government intends to evaluate the impact of Silicon Valley bank collapse on its companies before deciding on the appropriate measures to take. This announcement comes as a response to reports that many Israeli companies have experienced difficulties in securing funds from overseas investors due to the financial crisis brought about by the collapse…
-
AML in the United States has changed the definition in BSA to include artifacts, artworks, and cryptocurrencies
According to reports, the US legislative body recently enacted the National Defense Authorization Act (NDAA). There is a series of regulations called the Anti Money Laundering Law
-
Binance Resumes Trading: All You Need To Know
On March 24th, according to the official announcement, Binance will resume trading at 22:00 on March 24th. Users can now perform operations such as canceling orders, recharging, C2
-
US Treasury Secretary Yellen Monitoring Multiple Banks Following Silicon Valley Incident
According to reports, US Treasury Secretary Yellen said that the Ministry of Finance was monitoring several banks due to the bank incident in Silicon Valley.
Ye -
US Regulators Consider Holding Securities of Two Banks Below Purchase Price
According to reports, US regulators are considering holding securities under the names of Signature Bank and Silicon Valley Bank that have fallen below their purchase price, a move that will remove one of the possible obstacles to selling these two banks. According to people familiar with the matter, this is a routine practice after the Federal Deposit Insurance Corporation (FDIC) took over the bank, mainly facilitating the conclusion of acquisition transactions. Because if it involves assets with declining value, it will be more difficult to sell the relevant banks. People familiar with the matter said that the relevant asset size of Signature may be between $20 billion and $50 billion, and that of Silicon Valley banks may be between $60 billion and $120 billion. Both Silicon Valley banks and Signature have invested in bonds at low interest rates, and the value of these bonds has plummeted as the Federal Reserve has raised interest rates several times over the past year…
-
3RM Completes $3.5 Million Financing for Web3 Customer Relationship Management
It is reported that 3RM, a technology start-up, has completed a US $3.5 million financing, which will be used to build tools to help web3 better manage its rel…
-
Coinbase accepts cancellation requests for Shanghai Capella’s shift to Ethereum network
On March 16th, Coinbase stated in a blog post that within 24 hours after Shanghai Capella (Shapella) was upgraded to the Ethereum network, Coinbase would begin accepting requests for cancellation of pledges. Coinbase pointed out, “The process of canceling the pledge is controlled by the Ethereum agreement, and we are only a channel. Therefore, it is unclear how long it will take to cancel the pledge.” Coinbase will accept the request for pledge ETH withdrawal after the upgrade of Ethereum Shapella, and U.S. users may need to pay taxes Analysis based on this information:Coinbase announced on March 16th through a blog post that they would begin accepting cancellation requests for pledges within 24 hours after the upgrade of Shanghai Capella (Shapella) to the Ethereum network. However, they highlighted that the speed of the cancellation process would be determined by the Ethereum protocol, and they were merely a conduit to facilitate the pledges’ cancellation. Shapella is an innovative decentralized autonomous organization…
-
Binance Delisting News: All You Need to Know about GMT/BUSD, NEAR/USD, and AVAX/USD U-Standard Perpetual Contracts
On April 14th, it was reported that the Binance contract will automatically clear the U-standard perpetual contracts of GMT/BUSD, NEAR/USD, and AVAX/USD at 17:00 on April 18th, and