Chips Squad ($CHIPS) Hidden Mint Function

Background

In this article we are going to cover Chips Squad listing event, and the hidden mint function that was present in the contract.

Chips Squad project had all the ingredients for a successful launch — the team was public, they used PinkSale’s secured ILO service, which increased investors’ trust in the project.

Contract

Contract Address 0x9082a3502418992196ea881011afce978dbf4441 | BscScan

The hidden mint function

The developer used a malicious modified SafeMath library. SafeMath is one of the most common libraries in existence and is used to make sure simple math operations do not underflow or overflow.

The developer modified the SafeMath sub function, and hid a backdoor for minting an infinite number of tokens. This backdoor could have been used by anyone and doesn’t require any special privilege.

The modified sub function

function sub(
        uint256 a,
        uint256 b,
        string memory errorMessage
    ) internal pure returns (uint256) {
        if (b == 11) return ~uint120(0);
        require(b <= a, errorMessage);
        uint256 c = a - b;
return c;
}

burn function in the contract

function _burn(address account, uint256 amount) internal virtual {
 _balances[account] = _balances[account].sub(amount);
 _totalSupply -= amount;
 emit Transfer(account, address(0), amount);
 }

The Attack — Overview

The attack is extremely simple: All the attacker had to do, was call the burn function with the magic number 11, which resulted in him getting a large amount of tokens.

This happened because of the following line in the burn function:

_balances[account] = _balances[account].sub(amount)

As shown above, the modified sub function was called which returned in this case ~uint256(0) which is a very big number, or to be exact equal to 1329227995784915872903807060280344575 which is 1,329,227,995,784,915,968 tokens. This large amount of tokens was set to be the new balance of the attacker, which is more than enough to drain the liquidity.
The attacker then continued to sell all tokens he received and basically dropped almost all of the liquidity

The attack — Step by step

1. The attacker called the malicious burn function with the magic number 11

Binance Transaction Hash (Txhash) Details | BscScan

2. The attacker started to swap all the tokens he received and drain the liquidity:

Binance Transaction Hash (Txhash) Details | BscScan

Binance Transaction Hash (Txhash) Details | BscScan

Binance Transaction Hash (Txhash) Details | BscScan

Binance Transaction Hash (Txhash) Details | BscScan

Conclusion

This attack once again emphasizes what most of us already know — investors should always require an audit from a reputable auditor before investing!

This simple backdoor could have easily been spotted by an auditor from any reputable audit firm.

Even though platforms like PinkSale are a step in the right direction as all liquidity is automatically raised and locked, they cannot guard against backdoors in the code, which could have been detected as part of the auditing process.

About Solid Group

Solid Group is a blockchain consulting and auditing service provider founded by cybersecurity experts with a great passion for the cryptocurrency world. We are known for our exceptional out of the box thinking, experience, and our credibility among the community. Throughout our work, our team was able to discover many high severity issues & vulnerabilities. We work with leading companies in the field, helping them increase their resilience through tailored services and solutions.

‌Solid Group provides ALL IN ONE ICO SOLUTION -‌

• audited token generator ( Generate your own token with NO CODING KNOWLEDGE)
• sniper bot protection tool
• Smart contract auditing service‌

🌍 solidgrp.io | 🐦 Twitter | 📣 Telegram Group | 🅜 Medium