TL;DR
On 29 May 2022, Novo Defi’s token, Novo, was exploited via a flash loan attack. The incident caused a loss of ~278 BNB (or around $83K).
The attacker exploited a vulnerability in their contract’s transferFrom() function and which allowed the attacker to manipulate the token price in the PancakeSwap pair.
Novo Defi relaunched on 21 July 2022 and set about recovering but had another set back on October 11 after they were exploited for ~$16k while making an update to their reward program.
Introduction
Novo Defi is a decentralized and deflationary volume-based cryptocurrency protocol that operates on the Binance Smart Chain. Novo utilises their deflationary NOVO token which provides users with staking rewards.
On 29 May 2022, an attacker exploiter a vulnerability in Novo’s transferFrom() function. The vulnerability allowed the attacker to manipulate the price of NOVO and drain the liquidity pool of 278 BNB via a flash loan.
After a 6 week absence, on 21 July 2022, Novo announced on their Twitter page that they were back with V2 of their contract which was more secure. Unfortunately, during a routine code update an untested function was pushed to mainnet. When this function was called, it opened up an arbitrage opportunity which was exploited by a bot that was monitoring the mempool for such situations. The bot was able to execute a transaction within the same block as Novo calling the untested function and made $16k from the arbitrage trade.
Here we break down the exploit transactions and see how the attackers were able to drain funds worth $83k and $16k respectively, at the time of exploit, from Novo.
Exploit Transactions
May 29, 2022__text in bold__
__October 11, 2022 __
Attack Flow
__May 29, 2022 __
- The attacker started out with a flash loan for 17.2 WBNB which was swapped for NOVO.
2.The attacker then drained the NOVO supply in the PancakeSwap pool, through a vulnerable transferFrom() function, and transferred out 113,951,614 NOVO.
This transaction also triggered _taketreasury() and addLiquidity()
- As the NOVO supply had been significantly reduced in step 2, the attacker was able to swap 4,511,616 tokens for 265 WBNB.
-
The flash loan was completed by repaying the 17.2 WBNB loan leaving the attacker with 248 WBNB
-
The attacker conducted the exploit a second time and gained another 30 BNB after borrowing and repaying 17.2 WBNB
October 11, 2022
- In this transaction Novo called transferClaimFee() which increased the total amount of tokens by a factor of 500. Due to the mechanics of the deflationary token, the tokens on pair also increased by a factor of 500 which opened up an arbitrage opportunity.
- The arbitrage opportunity was detected in the mempool by a bot which triggered a transaction within the same block and gained 61 WBNB (~$16k).
Contracts Vulnerability Analysis
May 29, 2022
In the Novo contract a vital check had been left commented out. The commented out code would have checked that the amount a sender wanted to send did not exceed the allowance. This would have prevented the exploit.
October 11, 2022
In the Novo Discord channel, it was stated that a new function had made it on to the mainnet before it had been tested. The new function that was added to their smart contract was an update to their reward scheme that would allow users to see rewards in real time. When they called the function in a live environment, it opened up an arbitrage opportunity which was taken advantage of.
Profit and Assets Tracing
The attacker took 278 BNB during this incident which was sent to a separate EOA 0x0376 during the flash loan transactions. The attacker then sent all the funds to Tornado Cash, an online mixer which obfuscates transaction tracing.
Conclusion
These 2 incidents involving Novo show just how devastating even smaller exploits can be and the importance of having audited contracts. Particularly with the exploit on 11 October where a bot has been able to detect an arbitrage opportunity. As everyone is able to see transactions in the mempool before they are executed you can be exploited within the same block.
According to Novo’s Discord channel, they are now in the process of deciding the future of the project. This is an example of why a project lifecycle security mindset is necessary at all stages of a projects conception to deployment and beyond. Rigorous testing, before and after a deployment and on test-nets is needed to help reduce failure.
