Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Ocean Life token hack analysis — Flash Loan Attack- 1153

MetaTrustAlert, posted 2 years ago
  • The Ocean Life token on BSC was hacked. Ocean Life is a deflationary token, meaning that its supply shrinks over time. Why? With less supply comes more demand. For more on deflationary tokens, read understanding-deflationary-tokens-and-their-benefits.
  • The balanceOf mapping is normally straightforward: a stored value per address. With deflationary tokens, the balance is dynamic and calculated based upon the supply.
  • How does this removal of assets occur? Every time transfer() is called, the function _reflectFee() takes a small fee and sends it to charity and a few other places. _tTotal, the variable behind totalSupply(), is reduced, and some internal accounting tracks the amount of funds now owned by the token.
  • Giving users control over totalSupply or balanceOf is generally a bad idea. But why? Many places calculate the price of a token in a pool based upon the amount of tokens available or the amount of tokens in a pool. By being able to burn() an arbitrary amount of tokens, we can manipulate the price of assets in a pool. Or can we?
  • The deflationary token developers thought of this problem for AMMs. So, there is a denylist of addresses that are given their true balance instead of the dynamic balance. How did this go wrong then?
  • The vulnerability in this contract isn't the dynamic supply: the PancakeSwap pool was NOT included in the denylist of addresses. This means that the theorized attack, manipulating the supply of Ocean Life tokens to make them more scarce, is possible. This was misreported in a few places like here.
  • In this attack, the attacker did a few things:
    1. Took out a large flash loan to get OLIFE tokens.
    2. Swapped with themselves continuously. This was done in order to force a large burn/destruction of tokens.
    3. Called sync() on PancakeSwap to update the price in the pool.
    4. Traded OLIFE tokens for BNB at the inflated rate to get much more BNB than should be possible.
  • Overall, a super interesting vulnerability that is simply a configuration problem.
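
Why the missing denylist entry matters, as a simplified model added here (not the OLIFE contract or the original post's code): a pre-listing check that burns supply and compares the pool's balance and constant-product quote with the pool on and off the denylist. The class, function names, share-of-supply accounting and all numbers are assumptions made for illustration, and swap fees are ignored.

```python
from fractions import Fraction

class DeflationaryToken:
    """Toy model: denylisted ("excluded") addresses keep a stored balance;
    everyone else holds a fixed share of the remaining, shrinking supply."""
    def __init__(self, balances, excluded):
        self.total = Fraction(sum(balances.values()))
        self.stored = {a: Fraction(b) for a, b in balances.items() if a in excluded}
        dynamic = self.total - sum(self.stored.values())
        self.share = {a: Fraction(b) / dynamic
                      for a, b in balances.items() if a not in excluded}

    def balance_of(self, addr):
        if addr in self.stored:                      # true balance
            return self.stored[addr]
        dynamic = self.total - sum(self.stored.values())
        return self.share[addr] * dynamic            # supply-dependent balance

    def burn_fee(self, amount):
        self.total -= amount                         # supply shrinks on transfers

def quote_out(amount_in, reserve_in, reserve_out):
    """Constant-product quote (x * y = k), fees ignored."""
    return amount_in * reserve_out / (reserve_in + amount_in)

def pool_drift_check(pool_excluded, burned=400_000, sell=10_000, bnb_reserve=1_000):
    """Return (drift, quote_before, quote_after_sync) for constructed sample data."""
    holders = {"pool": 500_000, "holders": 500_000}  # constructed balances
    token = DeflationaryToken(holders, {"pool"} if pool_excluded else set())
    reserve = token.balance_of("pool")               # reserve at the last sync()
    before = quote_out(sell, reserve, bnb_reserve)
    token.burn_fee(burned)                           # burns caused by other transfers
    synced = token.balance_of("pool")                # what sync() would now record
    after = quote_out(sell, synced, bnb_reserve)
    return reserve - synced, before, after

if __name__ == "__main__":
    for excluded in (True, False):
        drift, before, after = pool_drift_check(excluded)
        print(f"pool on denylist={excluded}: drift={drift}, "
              f"quote before={float(before):.2f} BNB, after sync={float(after):.2f} BNB")
```

Any non-zero drift means the pool's balance can change without a swap, which is the condition the denylist exists to prevent.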