On March 15, 2023, the decentralized finance platform Poolz fell victim to a hack that exploited an arithmetic overflow issue in their token vesting contract. The attack occurred on both the Binance Smart Chain (BSC) and Polygon, resulting in a loss of approximately $390,000.
The vulnerability in the Poolz token vesting contract was due to a classic arithmetic overflow issue. This type of error occurs when the result of an arithmetic operation exceeds the maximum storage capacity of the variable, leading to an unexpected value.
The hacker managed to exploit this issue by manipulating the arithmetic operations, ultimately draining funds from the contract.
The hacker’s total gain from the exploit amounted to roughly $390,000 across both the BSC and Polygon networks. Interestingly, the attacker appeared to be slow at selling the stolen tokens. According to a Telegram message, the exploiter also lost a significant amount (around $127,000) to slippage, at least in their first transaction. This is typical when stolen funds are swapped in a rush with little care for slippage — they become MEV food…
Vulnerable code:

// Sums the caller-supplied array of per-pool amounts. Compiled with a Solidity
// version before 0.8 (no checked arithmetic), so `sum + _array[i]` silently wraps
// around modulo 2^256 instead of reverting, which is the overflow described above.
function getArraySum(uint256[] calldata _array) internal pure returns (uint256) {
    uint256 sum = 0;
    for (uint i = 0; i < _array.length; i++) {
        sum = sum + _array[i]; // unchecked addition: can wrap to a small value
    }
    return sum;
}
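To make the failure mode concrete, here is an added example (not Poolz's code) that models Solidity's 256-bit unsigned arithmetic in Python: the wrapping sum of the vulnerable getArraySum next to a checked version that reverts, as SafeMath or Solidity 0.8 would. The balance check is a hypothetical vesting-style usage, not Poolz's exact logic, and the inputs are constructed.

```python
# Added example: contrast unchecked (wrapping) and checked uint256 array sums.
# Assumption: this mirrors pre-0.8 Solidity semantics; it is not the contract code.

UINT256_MAX = 2**256 - 1


class OverflowRevert(Exception):
    """Stands in for a Solidity revert raised by checked arithmetic."""


def unchecked_array_sum(values):
    """Mirror of the vulnerable getArraySum: each addition wraps modulo 2^256."""
    total = 0
    for v in values:
        total = (total + v) & UINT256_MAX  # silent wraparound, as pre-0.8 Solidity
    return total


def checked_array_sum(values):
    """Hardened form: revert instead of wrapping (SafeMath / Solidity >= 0.8)."""
    total = 0
    for v in values:
        if total > UINT256_MAX - v:
            raise OverflowRevert("uint256 addition overflow")
        total += v
    return total


def sum_reverts(values):
    """True if the checked sum would revert on this input."""
    try:
        checked_array_sum(values)
    except OverflowRevert:
        return True
    return False


def deposit_covers_pools(amounts, deposited, summer):
    """Hypothetical vesting-style invariant: per-pool amounts must not exceed the deposit."""
    return summer(amounts) <= deposited


# Constructed input: two amounts whose true sum exceeds 2^256 - 1.
AMOUNTS = [UINT256_MAX, 2]
DEPOSIT = 1

if __name__ == "__main__":
    # Wrapping sum yields 1, so the invariant wrongly passes with a deposit of 1.
    print(deposit_covers_pools(AMOUNTS, DEPOSIT, unchecked_array_sum))  # True (bug)
    # Checked sum reverts, so the bad pool creation never gets through.
    print(sum_reverts(AMOUNTS))  # True (revert)
```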