Attacker drains $1.4 million from CUT token pools via mysterious unverified contract

An attacker drained over $1.4 million worth of Bows Coin Synthetic US Dollar (BSC-USD) from a liquidity pool holding CUT tokens on September 10, according to a report from blockchain security platform Certik. The CUT token contract relied on a separate, unverified contract to set its “future yield” parameter, and this separate contract was used to drain the BSC-USD through an unknown method.

CertiK reported the event on X.

The CUT token that was exploited is located at an address ending in 36a7 on Binance Smart Chain and is separate from the Crypto Unity project which has the same ticker symbol but different address. The pool that was drained was part of Pancakeswap exchange. No other Pancakeswap pools have reportedly been affected by it.

Blockchain data shows that the attacker made four separate transactions draining the pool of BSC-USD. The total amount removed was $1,448,974.

The attacker did not previously make any deposits to the pool and did not own any liquidity provider tokens for it, making it unlikely for the transaction to be a legitimate withdrawal.

Related: Hacker praised after $27M crypto heist from Penpie DeFi protocol

In each transaction, the attacker called a function named “0x7a50b2b8.” But it does not exist in the token contract. According to the report, this implies that the attacker must have called ILPFutureYieldContract(), which allows the user to call a separate function on an entirely different contract whose address ends in 1154. This separate contract is unverified, and BSC Scan shows only unreadable bytecode for it.

Cointelegraph could not find any marketing website or Twitter account promoting CUT, and investors may have confused it with the unrelated Crypto Unity project.

Magazine: 2 auditors miss $27M Penpie flaw, Pythia’s ‘claim rewards’ bug: Crypto-Sec

Exploits are a common way for Web3 users to lose funds. On September 3, over $25 million worth of crypto was lost from an exploit of the Penpie decentralized finance protocol. On August 6, the bridge for the Ronin gaming network was drained of $10 million after an attacker took advantage of a faulty deployment script. In this case, CUT liquidity providers are collectively $1.4 million poorer due to the exploit.