YOLO Games (Bazaar) Incident Analysis
6/25/2024

Incident summary

On 10 June 2024, YOLO Games announced via their X account that a security vulnerability had been reported in the Bazaar LBP contract. As a consequence, the YOLO LBP sale was ended early and users holding rYOLO would be refunded.


The vulnerability was a missing caller check in the Bazaar LBP vault contract (BazaarVaultBlast): exitPool() accepted an arbitrary sender argument without verifying that msg.sender was that address or authorised to act for it, so anyone could withdraw the pool's assets by passing the BazaarLBPFactoryBlast address as the sender. A whitehat noticed the bug first, exploited it, and rescued 392 ETH (~$1,387,475) and 880,539,680 rYOLO. Of the ETH rescued, 354 ETH had been added to the pool by the project and approximately 39 ETH were users' funds.

Exploit Transactions

Attack Flow

  1. On 9 June at 07:27:23 PM 0xaEc7, creator of Bazaar Receipt YOLO (rYOLO), added 354 ETH and 888,888,888 YOLO, swapped for rYOLO, to the BazaarVaultBlast pool (0xefb4). https://blastscan.io/tx/0xa99a60a7cfc316c80b3b6450bd2c10ba87a51bde7262fed4cd27c723b4d70e45

  2. On 10 June, a little over 24 hours later, the whitehat called BazaarVaultBlast.exitPool(), withdrawing 392.3689 ETH and 880,539,680 rYOLO.


  3. Within 3 minutes of the exploit transaction the whitehat contacted the project to initiate dialogue.


Vulnerability

Exploiter address: 0x3cf5B87726Af770c94494E886d2A69c42A203884

Vulnerable contract address: 0xdC4A9779D6084C1ab3e815B67eD5e6780cCF4d90

The root cause of the incident was a missing authorisation check on a user-supplied argument. The exitPool() function takes four arguments:

  • poolId
  • sender
  • recipient
  • request

The whitehat passed 0xb66585C4E460D49154D50325CE60aDC44bc900E9 (BazaarLBPFactoryBlast) as the sender. Because the function never checked that msg.sender was that address, or a relayer approved by it, the whitehat was able to burn the factory's pool position and withdraw the tokens in the pool to a recipient of their choosing.
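The pattern is easier to see side by side. The following is an added, illustrative vault and is not the Bazaar contract's code: it uses the same exitPool(poolId, sender, recipient, request) signature, but the pool-token accounting, internal balances and the seed() setup helper are assumptions made so the example compiles stand-alone. The vulnerable variant trusts the calldata sender; the hardened variant requires the caller to be that sender or a relayer the sender has explicitly approved.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Example code (not Bazaar's): minimal vault with a Balancer-V2-style
// exitPool(poolId, sender, recipient, request) entry point. Pool tokens and
// payouts are tracked as plain internal balances so it runs without tokens.
abstract contract VaultBase {
    struct ExitPoolRequest {
        address[] assets;        // assets to withdraw from the pool
        uint256[] minAmountsOut; // per-asset slippage floor
        uint256 bptAmountIn;     // pool tokens burned from `sender`
    }

    // poolId => account => pool-token balance
    mapping(bytes32 => mapping(address => uint256)) public bpt;
    // poolId => total pool-token supply
    mapping(bytes32 => uint256) public bptSupply;
    // poolId => asset => amount held by the pool
    mapping(bytes32 => mapping(address => uint256)) public poolAssets;
    // account => asset => amount credited to that account on exit
    mapping(address => mapping(address => uint256)) public internalBalance;

    // Burns `sender`'s pool tokens and credits the pro-rata share of each
    // asset to `recipient`. Shared by both variants; only the caller check
    // in exitPool() differs.
    function _exit(bytes32 poolId, address sender, address recipient, ExitPoolRequest calldata r) internal {
        require(r.assets.length == r.minAmountsOut.length, "length mismatch");
        uint256 supply = bptSupply[poolId];
        require(supply > 0 && bpt[poolId][sender] >= r.bptAmountIn, "insufficient BPT");
        bpt[poolId][sender] -= r.bptAmountIn;
        bptSupply[poolId] = supply - r.bptAmountIn;
        for (uint256 i = 0; i < r.assets.length; i++) {
            address asset = r.assets[i];
            uint256 out = (poolAssets[poolId][asset] * r.bptAmountIn) / supply;
            require(out >= r.minAmountsOut[i], "slippage");
            poolAssets[poolId][asset] -= out;
            internalBalance[recipient][asset] += out;
        }
    }

    // Assumed test-only setup helper: gives `owner` a pool position backed by
    // `assetAmount` of `asset`. A real vault would not expose this.
    function seed(bytes32 poolId, address owner, uint256 bptAmount, address asset, uint256 assetAmount) external {
        bpt[poolId][owner] += bptAmount;
        bptSupply[poolId] += bptAmount;
        poolAssets[poolId][asset] += assetAmount;
    }
}

// VULNERABLE: `sender` comes straight from calldata and is never compared
// with msg.sender, so anyone can burn another account's pool tokens (here,
// the factory's) and have the assets credited to their own `recipient`.
contract VulnerableVault is VaultBase {
    function exitPool(bytes32 poolId, address sender, address recipient, ExitPoolRequest calldata request) external {
        _exit(poolId, sender, recipient, request);
    }
}

// HARDENED: the caller must be `sender` itself, or a relayer that `sender`
// has explicitly approved (the authenticateFor pattern used by Balancer V2).
contract HardenedVault is VaultBase {
    // user => relayer => approved
    mapping(address => mapping(address => bool)) public approvedRelayer;

    modifier authenticateFor(address user) {
        require(msg.sender == user || approvedRelayer[user][msg.sender], "caller not authorised for sender");
        _;
    }

    function setRelayerApproval(address relayer, bool approved) external {
        approvedRelayer[msg.sender][relayer] = approved;
    }

    function exitPool(bytes32 poolId, address sender, address recipient, ExitPoolRequest calldata request)
        external
        authenticateFor(sender)
    {
        _exit(poolId, sender, recipient, request);
    }
}
```

Against VulnerableVault, an attacker calls exitPool(poolId, factory, attacker, request) from any address and the factory's whole position is credited to the attacker. The identical call against HardenedVault reverts with "caller not authorised for sender" unless the factory has previously called setRelayerApproval(attacker, true). Any function that takes an account to act on behalf of as a parameter needs this kind of check, regardless of whether the asset leaves via a transfer or an internal balance.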


Whitehat

Fortunately, the exploit was carried out by a whitehat who reached out to the team immediately. The team responded and offered a bounty. Though negotiations were held in private, on-chain data shows that the whitehat returned 353 ETH (~90%, about $1,274,040) of the withdrawn funds, keeping 10% as a reward.


After the return of funds YOLO confirmed that refunds had been sent to all users who had entered the YOLO LBP sale.


Conclusion

In this exploit, the whitehat returned the large majority of the withdrawn funds. Since the beginning of 2024, we have observed that of approximately $1B stolen, around $177,728,142 (about 17%) has been returned. That percentage is higher than in 2023, when $1.8 billion was stolen and approximately $219 million (around 11.81%) was returned. To enhance your Web3 security knowledge, join Skynet Quest and check out our dedicated article CertiK - Introducing Skynet Quest: The Web3 Security Journey of a Lifetime.