Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Tecra Unlimited Burn Vulnerability- 1101

Mauricio Perdomo Cortes | Posted 3 Years Ago
  • Tecra (TCR) is some ERC20 token.
  • A burn in ERC20 is the destruction of a token; literally removing it from the total supply. Although this doesn't seem useful at first glance, pools rely on the amount of tokens in a pool to determine the price. The price isn't USD to token. The price is proportional to the pool ratio itself; trade 5 of token A for 2 of Token B.
  • In ERC20, there is a concept called allowances. This allows other addresses to spend money on your behalf. The map for this is allowances[OWNER][SPENDER]. The check for burning as another user was written in reverse though: allowances[SPENDER][OWNER]. So, an attacker could burn tokens in an arbitrary account!
  • The unlimited burn was exploited in a Uniswap pool. By removing the TCR tokens owned by the pool with the unlimited burn vulnerability, the ratio for the AMM got messed up. This made TCR tokens extremely expensive to buy and the other token in the pool really cheap.
  • Step by step, this was exploited as follows:
    1. Approve a big number of tokens to the Uniswap pool. This is crucial, since the burnFrom messed up the ordering. So, to satisfy the require, we must allow the pool to access our tokens.
    2. Buy 101 TCR tokens from the pool.
    3. Use the unlimited burn vulnerability to remove the TCR tokens from the pool. This will increase the price of TCR drastically.
    4. Sell back the TCR to make a large profit from the other token in the pool.
  • Overall, a really bad vulnerability that is not uncommon to make. It's interesting this even got through QA testing.
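
The reversed allowance lookup is easy to catch with a regression test. The following is an added example, not code from the Tecra contract or the original post: a simplified Python model of the `allowances[OWNER][SPENDER]` map with the swapped check beside the corrected one. The class, method and account names are assumptions made for illustration.

```python
# Simplified model of ERC20 allowances (constructed; not the Tecra contract source).
class InsufficientAllowance(Exception):
    pass

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.total_supply = sum(balances.values())
        self.allowances = {}  # allowances[owner][spender] -> amount

    def approve(self, owner, spender, amount):
        self.allowances.setdefault(owner, {})[spender] = amount

    def allowance(self, owner, spender):
        return self.allowances.get(owner, {}).get(spender, 0)

    def _burn(self, account, amount):
        if self.balances.get(account, 0) < amount:
            raise ValueError("burn exceeds balance")
        self.balances[account] -= amount
        self.total_supply -= amount

    def burn_from_reversed(self, caller, account, amount):
        # Bug described above: the indexes are swapped, so the check reads the
        # allowance the CALLER granted to the ACCOUNT being burned.
        # Only the check is modeled here.
        if self.allowance(caller, account) < amount:
            raise InsufficientAllowance
        self._burn(account, amount)

    def burn_from_fixed(self, caller, account, amount):
        # Correct order: owner = account being burned, spender = caller.
        remaining = self.allowance(account, caller)
        if remaining < amount:
            raise InsufficientAllowance
        self.approve(account, caller, remaining - amount)
        self._burn(account, amount)

def unauthorized_burn_blocked(burn_name):
    """Regression check: a caller the owner never approved must not burn."""
    token = Token({"pool": 1_000, "mallory": 0})  # constructed sample accounts
    token.approve("mallory", "pool", 10**18)  # approval in the wrong direction
    try:
        getattr(token, burn_name)("mallory", "pool", 900)
    except InsufficientAllowance:
        return token.balances["pool"] == 1_000
    return False
```

A test suite that asserts `unauthorized_burn_blocked` for every `burnFrom`-style entry point fails on the swapped lookup and passes on the corrected one.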