Being cool for only three seconds: Analysis of the Four.meme attack

Background

four.meme is a memecoin launchpad incubated by Binance Academy similar to pump.fun.

We detected that memecoin snowboard ( https://four.meme/token/0x4abfd9a204344bd81a276c075ef89412c9fd2f64 ) on the platform was attacked by hackers. The loss was about 15,000 USD. The attack transaction was: https://bscscan.com/tx/0x2902f93a0e0e32893b6d5c907ee7bb5dabc459093efa6dbc6e6ba49f85c27f61

Attack and incident analysis

Four.meme technical principle

four.meme is a memecoin launchpad similar to pump.fun on bnb smartchain. Similar launchpad platforms have three main stages:

• Phase 1: Users create memecoins on the platform by customizing their names, logos, descriptions, social accounts (optional), etc.

• Phase 2: Other users can buy and sell the memecoin on the platform

• Phase 3: When the market value of the memecoin reaches a certain threshold (24 BNB), it will be migrated to DEX (PancakeSwap)

Below, we take a closer look at the specific technical details of each stage.

Phase 1

On the launchpad platform, users fill in the specific information of the memecoin they want to create through the interface.

After filling in the form, pay the handling fee to complete the creation of the memecoin on-chain contract. Of course, this contract is created by the official contract of launchpad, so the owner of the created ERC-20 Token is also the official contract of launchpad. Let's take a look at an example of memecoin creation by four.meme:

First, the user pays the handling fee, the launchpad official contract completes the deployment of the memecoin ERC-20 Token contract, and mints 1,000,000,000 initial funds (the total virtual pool of the memecoin is expected to be 30 BNB).

Then, we see that the owner of the created Token is also the smart contract of the launchpad official website.

This means that although memecoin is created by the user on launchpad, the owner of the ERC-20 contract on the chain is not the user. This can prevent malicious behaviors such as users minting on their own. Once the memecoin smart contract is deployed on the chain, it enters the second stage, and all users on the platform can buy and sell.

Phase 2

Other users on the platform can buy and sell through the platform, but the tokens after buying and selling cannot be transferred to other users through transfer. We can take a look at the source code of the ERC-20 Token on the chain.

In _beforeTokenTransfer, the transfer is restricted by the parameter _mode

At this point, we can see that the _mode corresponding to the Token in phase 2 is 1, which is MODE_TRANSFER_RESTRICTED, restricting third-party transfers.

This is to prevent the influence of OTC on the price. When buying and selling, the four.meme contract sets _mode to 2 first and then uses transfer to transfer to the user. After the transfer is completed, _mode is set to 1 to restrict other users from transferring. To complete the transfer of memecoin after purchase.

Phase 3

When the market value of the memecoin reaches 24 BNB, the Bonding Curve Process reaches 100%. Launchpad will migrate the remaining 20% of memecoin and 24 BNB to DEX PancakeSwap. At this point, Phase 3 is officially completed. The following transaction is the transaction in which Launchpad migrated the memecoin to PancakeSwap.

We can see that first, launchpad officials set the _mode of memecoin to 0, that is, MODE_NORMAL, allowing users to conduct over-the-counter transactions. Then, launchpad officials created a trading pair of memecoin and WBNB, and finally added 23.5BNB (0.5 BNB is the fee) and 200 million memecoin liquidity to the trading pair. The price of adding liquidity is sqrtPriceX96 = 27169599998237907265358521. Because the calculation formula of sqrtPriceX96 is as follows:

Therefore, the price of this memecoin when adding liquidity is 0.0000001175 WBNB, which can also be obtained by dividing 23.5 WBNB by 200 million memecoins, so the price of each coin migrated to DEX is the same. They are all 0.0000001175 WBNB.

Attack Principle

After understanding the entire life cycle of memecoin in four.meme, let’s take a closer look at the attack process. First, the attacker creates an initialized DEX trading pair in advance. And sets the sqrtPriceX96 of the trading pair to 1000000000000000000000000000000000000000000, which is 368058418256012 times larger than the normal value.

When the bond creation process of the memecoin reaches 100%, launchpad uses createAndInitializePoolIfNecessary to create a trading pair when migrating the memecoin to DEX. Since the trading pair has been created and initialized by the attacker before, liquidity is added according to the price initialized by the attacker when it was created. This is equivalent to inexplicably raising the price of the memecoin.

At this point, the launchpad added liquidity using 1 memecoin and 23.5 WBNB. Subsequently, the suspected attacker used 1,600 memecoin to exchange 23.4 WBNB in the trading pair, thus ending the attack.

Summarize

The cause of this vulnerability is that when Four.meme's bonding curve process in the internal disk was 100%, it was migrated to DEX. Use createAndInitializePoolIfNecessary to create a PancakeSwap trading pair. It did not take into account the situation that the trading pair had been created in advance, because the trading pair that the attacker had created and initialized in advance was mistakenly used, and liquidity was added using the wrong price set by the attacker. As a result, the price of the memecoin skyrocketed after the migration, and then the attacker used the memecoin in his hand to empty the WBNB in the pool to complete the attack. It is recommended that the project party should verify multiple parties when designing the economic model and code operation logic, and try to choose multiple audit companies for cross-audit when auditing the contract before going online.