Unverified Contract Account Drains $1.4M from CUT Token Pools

On September 10, blockchain security platform Certik reported an attacker drained over $1.4M worth of Bows Coin Synthetic US Dollar (BSC-USD) from a liquidity pool that held CUT tokens

The CUT token contract depended on a distinct, unverified contract to establish its “future yield” parameter. This contract was utilized to drain the BSC-USD using an unknown method.

CertiK reported the event on X.

#CertiKInsight 🚨

We have seen a flashloan exploit involving CUT token

BSC: 0x7057F3b0F4D0649B428F0D8378A8a0E7D21d36a7

The CUT contract uses ILPFutureYieldContract(_lpFutureYieldContractAddress) at 0x0917914b0A70ee7F1f2460Fcd487696856E31154 which is unverified and contains… pic.twitter.com/ycE4Px3Nxy
— CertiK Alert (@CertiKAlert) September 10, 2024

Located at an address ending in 36a7 on the Binance Smart Chain, the CUT token that was exploited is distinct from the Crypto Unity project, which shares the same ticker symbol but a different address.

Drainage of the pool was a component of the Pancakeswap exchange. It is not believed to have impacted any other Pancakeswap pools.

According to blockchain data, the perpetrator conducted four distinct transactions that drained the BSC-USD pool. The total quantity that was removed was $1,448,974.

*CUT exploit transactions. Source: BSCScan.*

The transaction is unlikely to be a legitimate withdrawal, as the perpetrator did not own any liquidity provider tokens for the pool and had not made any deposits.

Within each transaction, the perpetrator invoked a function known as “0x7a50b2b8.” However, it is absent from the token contract.

According to the report, the attacker must have invoked ILPFutureYieldContract(), which enables the user to call a distinct function on an entirely different contract whose address terminates in 1154. The BSC Scan does not display any readable bytecode for this particular contract, as it is unverified.

*Separate contract used in CUT exploit. Source: BSCSCan.*

Cointelegraph could not locate any marketing website or Twitter account promoting CUT. Investors may have mistakenly named it the unrelated Crypto Unity project.

Exploits are a prevalent method for Web3 users to incur losses. An exploit of the Penpie decentralized finance protocol resulted in the loss of more than $25 million in cryptocurrency on September 3.

An attacker exploited a defective deployment script to siphon $10 million from the Ronin gaming network’s bridge on August 6. In this instance, the exploit has resulted in a collective loss of $1.4 million for CUT liquidity providers.