SharkTeam Analysis of the Principle of BNO Attack Incident

On July 18, 2023 Beijing time, Ocean BNO was attacked by a flash loan attack, and the attacker has profited about $500,000.

SharkTeam conducted a technical analysis of the incident in a timely manner and summarized security measures. It is hoped that future projects can learn from this and build a security defense line in the blockchain industry.

I. Incident Analysis

Attacker address:


Attack contract:


Contract under attack:


Attack transaction:


Attack process:

(1) The attacker (0xa6566574) borrowed 286,449 BNO through LianGuaincakeSwap flash loan.

(2) Then, the stakeNft function of the contract under attack (0xdCA50344) was called to stake two NFTs.

(3) Then, the pledge function of the contract under attack (0xdCA50344) was called to stake 277,856 BNO coins.

(4) The emergencyWithdraw function of the contract under attack (0xdCA50344) was called to withdraw all BNO.

(5) Then, the unstakeNft function of the contract under attack (0xdCA50344) was called to retrieve the two staked NFTs and receive additional BNO tokens.

(6) Repeat the above process to continuously obtain additional BNO tokens.

(7) Finally, after returning the flash loan, all BNO tokens were exchanged for 50.5W BUSD tokens to make a profit and exit.

II. Vulnerability Analysis

The root cause of this attack is that there are problems with the interaction logic between the reward calculation mechanism and the emergency withdrawal function in the contract under attack (0xdCA50344), which allows users to receive an additional reward token after withdrawing the principal.

The contract provides the emergencyWithdraw function for emergency token withdrawal, and it clears the attacker’s total staked amount (allstake) and total debt (rewardDebt), but it does not clear the attacker’s nftAddition variable, which is also calculated based on the allstake variable.

In the unstakeNft function, the current reward for the user is still calculated. In the case where the nftAddition variable is not zeroed, the pendingFit function will still return an additional BNO reward value, resulting in the attacker obtaining extra BNO tokens.

III. Security Recommendations

In response to this attack incident, the following precautions should be followed during the development process:

(1) When calculating rewards, verify whether the user has withdrawn the principal.

(2) Before the project goes live, seek technical assistance from third-party professional audit teams.

Like what you're reading? Subscribe to our top stories.

We will continue to update Gambling Chain; if you have any questions or suggestions, please contact us!

Follow us on Twitter, Facebook, YouTube, and TikTok.


Was this article helpful?

93 out of 132 found this helpful

Gambling Chain Logo
Digital Asset Investment
Real world, Metaverse and Network.
Build Daos that bring Decentralized finance to more and more persons Who love Web3.
Website and other Media Daos

Products used

GC Wallet

Send targeted currencies to the right people at the right time.