OnChain Transaction Debugging: 4. Write your own POC - MEV Bot

Author: Sun

Write PoC step by step - Take MEV Bot (BNB48) as an example

  • Recap
    • On 2022-09-13 an MEV Bot was exploited by an attacker and all the assets on the contract were transferred away, with a total loss of about $140K.
    • The attacker sent a private transaction through the BNB48 validator node, similar to Flashbots: the transaction was not placed in the public mempool, so it could not be front-run.
  • Analysis
    • Attacker’s TXID: 0xd48758ef48d113b78a09f7b8c7cd663ad79e9965852e872fdfc92234c3e598d2. We can see that the MEV Bot contract was unverified, i.e. not open source.
    • Checking with Phalcon, the funds-flow part of this transaction shows that the MEV bot transferred 6 kinds of assets to the attacker’s wallet. How did the attacker exploit it?
    • Let’s look at the invocation process in the Function call view: the pancakeCall function was called exactly 6 times.
      • From: 0xee286554f8b315f0560a15b6f085ddad616d0601
      • Attacker’s contract: 0x5cb11ce550a2e6c24ebfc8df86c5757b596e69c1
      • MEV Bot contract: 0x64dd59d6c7f09dc05b472ce5cb961b6e10106e1d
    • Expanding one of the pancakeCall calls, we can see that the callback into the attacker’s contract reads the value of token0() as BSC-USD and then transfers BSC-USD to the attacker’s wallet. From this we know that the attacker either has permission or is using a vulnerability to move all the assets on the MEV Bot contract; the next step is to find out how.
    • Because, as mentioned earlier, the MEV Bot contract is not open source, we can use the decompiler tool Dedaub introduced in Lesson 1 and analyze the bytecode to see what we can find. First copy the contract’s bytecode from BscScan and paste it into Dedaub to decompile it. As shown in the figure below, the pancakeCall function’s visibility is public, so anyone can call it. By itself that is normal for a flash-loan callback and should not be a big problem, but in the red-framed place you can see it executes the 0x10a function, so let’s look further down.
    • The logic of the 0x10a function is shown in the figure below. The key point is in the red-framed place: it first reads which token token0 is on the attacker’s contract (the msg.sender of the callback) and then passes that token into the transfer function. In that function, the first parameter, the receiver address address(MEM[varg0.data]), comes from pancakeCall’s varg3 (_data), which the caller controls, so this is the key vulnerability.
    • Looking back at the payload of the attacker’s call to pancakeCall, the first 32 bytes of the _data input value are the wallet address of the payee.
  • Writing POC
    • After analyzing the attack process above, the logic of writing the POC is to call pancakeCall on the MEV bot contract with the corresponding parameters. The key is that _data specifies the receiving wallet address, and the calling contract must expose token0 and token1 functions to satisfy the contract’s logic. You can try to write it yourself.
    • Answer: POC.
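To make the root cause concrete from the defender’s side, here is an added Solidity example that is not part of this page or the bot’s actual code: VulnerableCallback is a reconstruction of the decompiled 0x10a behaviour described above (trusting msg.sender’s token0() and taking the payee from _data), and HardenedCallback shows the same callback with the checks that would have stopped it. The factory address, the `startFlashSwap`/`withdraw`/`isCanonicalPair` functions and the (address, uint256) encoding of the repayment plan are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

interface IPancakePair {
    function token0() external view returns (address);
    function token1() external view returns (address);
    function swap(uint256 amount0Out, uint256 amount1Out, address to, bytes calldata data) external;
}

interface IPancakeFactory {
    function getPair(address tokenA, address tokenB) external view returns (address);
}

/// Vulnerable pattern: a reconstruction (assumption) of the decompiled 0x10a
/// logic described in the text, not the real bot's bytecode.
contract VulnerableCallback {
    function pancakeCall(address, uint256, uint256, bytes calldata _data) external {
        // Trusts msg.sender to be a genuine pair. Any contract exposing token0()
        // satisfies this call, so the caller chooses which token gets swept.
        address token = IPancakePair(msg.sender).token0();
        // The payout address is the first 32 bytes of caller-controlled _data.
        address receiver = abi.decode(_data[:32], (address));
        // Sweeps the whole balance of that token to the caller-chosen address.
        IERC20(token).transfer(receiver, IERC20(token).balanceOf(address(this)));
    }
}

/// Hardened pattern: the same callback with the three checks missing above.
contract HardenedCallback {
    IPancakeFactory public immutable factory;
    address public immutable owner;

    constructor(address pancakeFactory) {
        factory = IPancakeFactory(pancakeFactory);
        owner = msg.sender;
    }

    /// The only path that makes a pair call back into this contract, and only
    /// the owner can trigger it. `plan` carries the repayment the callback expects.
    function startFlashSwap(address pair, uint256 amount0Out, uint256 amount1Out, bytes calldata plan) external {
        require(msg.sender == owner, "not owner");
        require(isCanonicalPair(pair), "untrusted pair");
        IPancakePair(pair).swap(amount0Out, amount1Out, address(this), plan);
    }

    /// A pair is trusted only if the factory maps its own token0/token1 back to it;
    /// a look-alike contract returning real token addresses still fails this check.
    function isCanonicalPair(address pair) public view returns (bool) {
        address t0 = IPancakePair(pair).token0();
        address t1 = IPancakePair(pair).token1();
        return pair == factory.getPair(t0, t1);
    }

    function pancakeCall(address sender, uint256, uint256, bytes calldata _data) external {
        // 1. The swap must have been initiated by this contract: the pair passes
        //    its own msg.sender as `sender`, so _data was authored in startFlashSwap.
        require(sender == address(this), "untrusted initiator");
        // 2. msg.sender must be a pair created by the canonical factory, not a
        //    caller-supplied contract that merely implements token0().
        require(isCanonicalPair(msg.sender), "untrusted pair");
        // 3. Repay the pair that lent the funds. No payout address is ever taken
        //    from calldata, so profit stays here until the owner withdraws it.
        (address repayToken, uint256 repayAmount) = abi.decode(_data, (address, uint256));
        require(IERC20(repayToken).transfer(msg.sender, repayAmount), "repay failed");
    }

    /// Owner-controlled withdrawal: the only way funds leave to an external address.
    function withdraw(address token, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(IERC20(token).transfer(owner, amount), "transfer failed");
    }
}
```

Both checks in the hardened pancakeCall are needed together: the initiator check alone is useless when anyone can call the function directly and pass `sender = address(this)`, and the canonical-pair check alone still lets a third party route a real pair’s swap into the bot with their own `data`. With both, the only `_data` the callback ever decodes is the plan the owner wrote in `startFlashSwap`.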

Extended learning

  • Foundry trace

    • The function traces of the transaction can also be listed using Foundry, as follows:

    cast run 0xd48758ef48d113b78a09f7b8c7cd663ad79e9965852e872fdfc92234c3e598d2 --quick --rpc-url https://rpc.ankr.com/bsc

  • Foundry debug

    • You can also use Foundry to debug the transaction step by step, as follows:

    cast run 0xd48758ef48d113b78a09f7b8c7cd663ad79e9965852e872fdfc92234c3e598d2 --quick --debug --rpc-url https://rpc.ankr.com/bsc


Resources

Flashbots: Kings of The Mempool

MEV Markets Part 1: Proof of Work

MEV Markets Part 2: Proof of Stake

MEV Markets Part 3: Payment for Order Flow