DCF&DCT tokens: The Tragedy of the Forced Investment Incident(2)

Lori
发布于 2024-11-26 17:35
阅读 628

On November 24, 2024, the protocol associated with DCF and DCT tokens was attacked, resulting in a total loss of $440K on the BSC.

# Root Cause

- The DCF token’s transfer mechanism enforces a forced investment. When the DCF token is sent to the the USDT-DCF liquidity pool, 5% of tokens are automatically swapped for USDT within the same pool and then added as liquidity to the USDT-DCT pool. This action triggers a swap in the USDT-DCT pool, which can be manipulated, enabling attackers to execute sandwich attacks for profit.
- Note that in this attack, "forced investment" means forcing the protocol to execute swaps at outrageous prices.

# Attack Steps (based on the [tx](https://app.blocksec.com/explorer/tx/eth/0xaba8b611d53f548f7158f753ef6344084d0514b6c6053080dbfb710134974fb0) )

1. The attacker borrowed approximately 110,355,370 USDT tokens through a flash loan. Using these funds, the attacker executed two swap transactions to manipulate the `PancakeSwap V2: BSC-USD-DCF 12` and `PancakeSwap V2: BSC-USD-DCT 6` pools. The first transaction allowed the DCT liquidity helper to receive a significant amount of USDT during subsequent DCF token transfer processes. The second transaction was executed as a front-run attack. The price difference between the swaps is shown below:
![2.png](https://img.learnblockchain.cn/attachments/2024/11/DfS4oBJM674594b2e87b5.png)
![1.png](https://img.learnblockchain.cn/attachments/2024/11/ydKLp0bF674594b2f083e.png)
1. The attacker transfers DCF tokens to the USDT-DCF pool, triggering a swap that converts 5% of the tokens into USDT. Due to the manipulation, a large amount of USDT is received by the DCT liquidity helper, which it subsequently used to execute a swap on the USDT-DCT pool.
2. The attacker swapped DCT to USDT on the USDT-DCT pools as a back-run attack and made a profit.
![image.png](https://img.learnblockchain.cn/attachments/2024/11/JvdI6A6B6745942caf249.png)

# Ref
https://x.com/Phalcon_xyz/status/1860890801909190664

Root Cause

The DCF token’s transfer mechanism enforces a forced investment. When the DCF token is sent to the the USDT-DCF liquidity pool, 5% of tokens are automatically swapped for USDT within the same pool and then added as liquidity to the USDT-DCT pool. This action triggers a swap in the USDT-DCT pool, which can be manipulated, enabling attackers to execute sandwich attacks for profit.
Note that in this attack, "forced investment" means forcing the protocol to execute swaps at outrageous prices.

Attack Steps (based on the tx )

The attacker borrowed approximately 110,355,370 USDT tokens through a flash loan. Using these funds, the attacker executed two swap transactions to manipulate the PancakeSwap V2: BSC-USD-DCF 12 and PancakeSwap V2: BSC-USD-DCT 6 pools. The first transaction allowed the DCT liquidity helper to receive a significant amount of USDT during subsequent DCF token transfer processes. The second transaction was executed as a front-run attack. The price difference between the swaps is shown below:
The attacker transfers DCF tokens to the USDT-DCF pool, triggering a swap that converts 5% of the tokens into USDT. Due to the manipulation, a large amount of USDT is received by the DCT liquidity helper, which it subsequently used to execute a swap on the USDT-DCT pool.
The attacker swapped DCT to USDT on the USDT-DCT pools as a back-run attack and made a profit.