Cybersecurity firm PeckShield has spotted yet another multi-million-dollar flaw in a DeFi contract; the community suspects an “inside job”
CF, a BSC-based asset of the early-stage DeFi protocol “Creat Future,” contains a critical flaw in its design. It allowed a hypothetical insider to move CF tokens from their peers’ balances.
CF token allegedly rugged, $1.9 million lost
According to an announcement shared by PeckShield earlier today, April 11, 2022, the CFToken (CF) of the “Creat Future” protocol has a critical bug in its smart contract.
The $CF token contract is fundamentally flawed by allowing anyone to drain others’ $CF balance. So far, the loss is about ~$1.9M and the @pancakeswap $CF – $USDT pair is already affected. https://t.co/1GsF3lrBZ5 pic.twitter.com/49iDHGdzJa
— PeckShield Inc. (@peckshield) April 11, 2022
The creator of the contract made one of its internal elements public. It allowed everyone to drain the wallets of other CF holders. The attack took place at around 6:00 a.m. (UTC).
So far, more than $1.9 million has been moved, while the price of CF dropped 90% in almost no time. The token was listed by PancakeSwap (CAKE), the largest DEX on BNB Chain, in pairs with U.S. Dollar Tether (USDT) and Wrapped Binance Coin (WBNB).
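As an added illustration (not code from the article, PeckShield, or the CF contract), the following audit check scans a contract ABI for state-changing entry points that look like internal helpers left callable by anyone. It assumes the "internal element" was a balance-moving function, which the article does not name; the sample ABI and its function names are constructed.

```python
import json

# Constructed ABI for a hypothetical token; NOT the CF contract's real ABI.
SAMPLE_ABI = json.loads("""[
 {"type": "function", "name": "transfer", "stateMutability": "nonpayable",
  "inputs": [{"name": "to", "type": "address"},
             {"name": "amount", "type": "uint256"}]},
 {"type": "function", "name": "transferFrom", "stateMutability": "nonpayable",
  "inputs": [{"name": "from", "type": "address"},
             {"name": "to", "type": "address"},
             {"name": "amount", "type": "uint256"}]},
 {"type": "function", "name": "_transfer", "stateMutability": "nonpayable",
  "inputs": [{"name": "from", "type": "address"},
             {"name": "to", "type": "address"},
             {"name": "amount", "type": "uint256"}]},
 {"type": "function", "name": "balanceOf", "stateMutability": "view",
  "inputs": [{"name": "account", "type": "address"}]},
 {"type": "event", "name": "Transfer", "inputs": []}
]""")

# Standard ERC-20 function that legitimately takes (address, address, uint256).
STANDARD_THREE_ARG = {"transferFrom"}

def exposed_helpers(abi):
    """Return (name, reason) pairs for callable, state-changing ABI entries
    that look like internal helpers. An ABI lists only public/external
    functions, so anything flagged here can be called by any account."""
    findings = []
    for entry in abi:
        if entry.get("type") != "function":
            continue
        # Read-only functions cannot move balances (older ABIs use "constant").
        if entry.get("stateMutability") in ("view", "pure") or entry.get("constant"):
            continue
        name = entry.get("name", "")
        types = [i["type"] for i in entry.get("inputs", [])]
        if name.startswith("_"):
            findings.append((name, "underscore-prefixed helper is externally callable"))
        elif types == ["address", "address", "uint256"] and name not in STANDARD_THREE_ARG:
            findings.append((name, "takes (address, address, uint256) but is not transferFrom"))
    return findings

if __name__ == "__main__":
    for name, reason in exposed_helpers(SAMPLE_ABI):
        print(f"REVIEW {name}: {reason}")
```

A finding is a prompt for manual review of the function's access control, not proof of a flaw.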
DeFi enthusiasts on Twitter are sure that such a critical flaw could not appear in a smart contract by mistake:
Inside job, nothing new. (…) Self-hacked by dev.
Ronin Network hacker continues moving his loot
By press time, all social media accounts of the mysterious protocol had been deleted. However, three hours before the exploit was found, automated services had announced a 130% spike in the CF/USDT price on PancakeSwap.
Since the start of 2022, dozens of DeFi and GameFi protocols have been attacked; aggregated losses might be eleven-digit.
As covered by U.Today previously, Ronin Network, a purpose-made sidechain for the top-notch Axie Infinity GameFi ecosystem, was drained of $625 million.
The hackers are actively moving funds to the Tornado Cash mixer, PeckShield claims.
Source: https://u.today/beware-this-token-on-pancakeswap-fundamentally-flawed-with-19-million-drained-so-far