According to Beosin EagleEye, the security risk monitoring, early warning and blocking platform of the blockchain security audit company Beosin, the SEAMAN contract was attacked through a vulnerability on November 29, 2022.
Beosin's analysis found that the SEAMAN contract swaps SEAMAN tokens for the voucher token GVC every time the transfer function is executed, and that the SEAMAN token and the GVC token sit in two separate trading pairs, so an attacker can use this function to affect the price of one of the tokens.
The attacker first converts 500,000 BUSD into GVC tokens. The attacker then calls the transfer function of the SEAMAN contract and transfers the smallest unit of SEAMAN tokens. This triggers the contract to convert its usable SEAMAN tokens into GVC: the contract swaps SEAMAN for BUSD in the BUSD-SEAMAN trading pair, and then swaps that BUSD for GVC in the BUSD-GVC trading pair. By calling the transfer function multiple times, the attacker repeatedly triggers the _splitlpToken() function, which distributes GVC to lpUser. This consumes the GVC held in the BUSD-GVC trading pair, thereby raising the price of GVC in that pair.
Finally, the attacker exchanged the previously acquired GVC for 507,000 BUSD, making a profit of 7781 BUSD. Beosin Trace found that the stolen funds are still in the attacker’s account (0x49fac69c51a303b4597d09c18bc5e7bf38ecf89c), and Beosin will continue to monitor the movement of the funds.
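
The price effect described above can be reproduced with a small constant-product model. This is an added example, not code from Beosin or the SEAMAN contract. The pool reserves, the zero swap fee and the amount the contract swaps per trigger (seaman_per_trigger) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Constant-product pair (base * token = k); swap fees omitted (assumption)."""
    base: float   # BUSD reserve
    token: float  # GVC or SEAMAN reserve

    def buy(self, busd_in: float) -> float:
        """Swap BUSD for the token; returns tokens taken out of the pair."""
        out = self.token * busd_in / (self.base + busd_in)
        self.base += busd_in
        self.token -= out
        return out

    def sell(self, token_in: float) -> float:
        """Swap the token for BUSD; returns BUSD taken out of the pair."""
        out = self.base * token_in / (self.token + token_in)
        self.token += token_in
        self.base -= out
        return out

    def price(self) -> float:
        return self.base / self.token  # BUSD per token

def simulate(position_busd: float, triggers: int, seaman_per_trigger: float = 1_000.0):
    """Return (GVC price before hooks, GVC price after hooks, caller's BUSD profit)."""
    # Constructed reserves, not the real on-chain values.
    gvc_pair = Pool(base=1_000_000.0, token=1_000_000.0)
    seaman_pair = Pool(base=1_000_000.0, token=1_000_000.0)

    held_gvc = gvc_pair.buy(position_busd)           # step 1: BUSD -> GVC
    before = gvc_pair.price()
    for _ in range(triggers):                        # step 2: each transfer fires the hook
        busd = seaman_pair.sell(seaman_per_trigger)  # contract: SEAMAN -> BUSD (amount assumed)
        gvc_pair.buy(busd)                           # contract: BUSD -> GVC, sent to lpUser
    after = gvc_pair.price()
    busd_back = gvc_pair.sell(held_gvc)              # step 3: GVC -> BUSD
    return before, after, busd_back - position_busd

if __name__ == "__main__":
    for n in (0, 20):
        before, after, profit = simulate(500_000.0, n)
        print(f"triggers={n:2d} price {before:.4f} -> {after:.4f} profit {profit:,.2f} BUSD")
```

In this model a round trip with zero triggers returns the original BUSD, so the entire gain comes from swaps that the transfer hook lets any caller force between the two legs of the trade.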