On June 06 2022, GYM Network deployed a new function to their smart contract, on June 08 2022, GYM Network was exploited. The exploit caused a loss of around 2,475.91 WBNB (~$716K at time of writing), through a vulnerability in the function. The attacker exploited a lack of authentication in depositFromOtherContract() and was able to create deposit records without actually transferring tokens to the contract.
As it was a new function added to their contracts after our audit had taken place, it was outside of our audit scope. This type of issue would be picked up during a CertiK smart contract audit. It’s important to have ALL your contracts audited and ecosystem pen-tested to prevent incidents like this.
GYM NETWORK is a DeFi Aggregator Investment System combining the best yields with high rewards for its users. Thus providing easy access and saving you a lot of precious time.
The project is owned by the users. Each user has voting power in the measure of your GYMNET token holdings. Once 75% of GYMNET tokens have been distributed, owning GYMNET means a user will be able to propose new “Exercise Routines” (proposals to improve the system) and vote on the routines proposed by others.
In the _autoDeposit function of GYM Network’s smart contract, there is no transfer function to transfer a users deposit to the contract This means a user can call the ‘deposit’ and ‘create deposit record’ functions without actually transferring tokens.
Through this, the attacker repeatedly ‘deposits’ 8,000,000 GYMNET tokens without depositing anything. They then withdraw the 8,000,000 tokens. In total the attacker obtains 2,475.91 WBNB.
GYM Network have already fixed the exploit by adding a ‘onlyBank’ modifier to their ‘depositFromOtherContract’ function. This means that only the bank address can now call this function. In addition to the fix they will also be using their treasury to recover the token price as much as possible after the exploit.
There are multiple transactions involved as the attacker repeated steps to deposit and withdraw. Here are some examples:
The attacker creates multiple contracts which they call to perform steps 1-3 multiple times.
The attacker calls depositFromOtherContract() with the deposit amount set to 8,000,000 GYMNET, but they did not transfer any tokens to the contract as there is no transfer function.
The attacker calls withdraw() to withdraw 8,000,000 GYM tokens.
The attacker swaps GYMNET tokens to BNB and sends them to this address https://bscscan.com/address/0xb2c035eee03b821cbe78644e5da8b8eaa711d2e5.
GYMNET single pool
In the ‘_autoDeposit’ function, there is no transfer function to transfer a user’s deposit to the contract, so a user can call ‘deposit’ and ‘create deposit record’ without actually transferring tokens.
GYMNET have updated their contract since the exploit
The ‘depositFromOtherContract’ function added a
modifier, so that only the bank address can call this function.
Profit and assets tracing The attacker gained 2,475.91 BNB and used tornado cash to transfer the asset to other addresses.
This type of issue would be spotted during CertiK’s smart contract audits. This particular contract had only been deployed for 2 days before it was exploited so wasn’t part of the audit that we had already performed for GYM Network.