Summary

On 30 December, 2021 at 09:06 UTC, Sashimi Swap fell victim to a flash loan attack by an unknown actor targeting their UniswapV2Router02. The attacker launched two attacks leading to approximately $210,000 lost. SashimiSwap (contract address 0xe4fe6) is a decentralized trading protocol for multi-chain deployments based on an Automated Market Maker (AMM) and swap pools. The attack was first announced on their Twitter page, and although the project claimed that they had a rehabilitation plan, it appears that there has been no activity on the token nor any of their social media platforms since.

Flashloan attacks have increasingly resulted in major losses for different projects. Since the beginning of the 2022 year, CertiK’s team recorded approximately 100 flash loan attacks resulting in $355,361,784 lost from flash loan attacks. BanklessTimes reported that Q2 2022 registered the highest number of flash loan attacks to date, with 27 attacks resulting in a loss of over $308 million. That represents a 2000% increase from the nearly $14.2 million lost in Q1. Based on these numbers, we can predict that these attacks are likely to increase in the upcoming months and in the new year. In a flash loan attack, an attacker can instantaneously borrow large amounts of money. In the Sashimi Swap case, the attacker borrowed WETH and threaded it through a chain of vulnerable on-chain protocols. Through this process, the threat actor extracted large amounts of assets before paying back the loan and disappearing with the rest of the money.

The Sashimi Swap exploiter’s address 0xa818… was funded by Tornado Cash through multiple transactions. The attacker’s address eventually sent the money that was taken in the attack back to the mixer. Below we will review the attack and explain how the actor was able to exploit the project for approximately $210,000.

Attack Flow

The hacker took a loan of 399.639 WETH through the contract named DVM to prepare for the attack. The DVM address is: https://etherscan.io/address/0x031816fd297228e4fd537c1789d51509247d0b43#code

Attacker taking loan from DVM

2. Three tokens were created to create transaction pairs: Token Address A: 0xf1b43… Token Address B: 0x7a770… Token Address C: 0xbacbd1… The attacker created new swapping pairs: token B/token C, WETH/token C, WETH/token B, WETH/token A.

3. 150 WETH was swapped for 6,261 UNI, which was received by the attacker. The hacker converted the WETH obtained by flash loan into UNI and put it into the wallet via transaction 0xd6a81…

Attacker converting WETH into UNI

4. The attacker then swapped 0xf1b43… for WETH. The swapping path is 0xf1b43f4 (Token A) → WETH → 0x7a77073 (Token B ) → 0xbacbd12 (Token C) → WETH

Swapping Path from token A to token B & C into WETH

5. Because the router contract is connected with a vault contract, when the router does not have enough balance, it withdraws from the vault. In this way, the attacker received a large amount of ETH from the router contract.

Attacker receiving ETH from the router contract

6. The process was repeated twice
7. The attacker proceeded to repay the flashloan from DVM
8. 0xa818 took: 6,261.304 uni, 4,466,096 Sashimi, 63,762 USDT which was sent to Tornado Cash

Contracts Vulnerability Analysis

The vulnerability lies in the following two components of the contract: The most critical bug occurs when calling the swapExactTokensForETHSupportingFeeOnTransferTokens()function, as it always uses the first pair to calculate the balance of the swap and determine how much ETH should be transferred to the caller.

The other issue lies in the protocol design. The Sashimi Router will receive funds and send them to the vault contract. When sending funds to users, the Sashimi router will withdraw funds from the vault and send them to the users. In this case it made the above bug exploitable.

The hacker in this case removed the liquidity from token A and got WETH. The process was repeated another time with token C with the WETH lent by the flashloan.

Attacker removing liquidity foretoken A and C and got WETH

Conclusion

The attacker benefitted from using the loophole in the protocol to attack and borrow assets via flash loans. The attacker took approximately $210,000 and sent that money to Tornado Cash, where it is very hard to trace to its final destination. As mentioned above, flash loan attacks have been increasing in frequency because they're easy to execute with relatively little risk when done correctly. Although the Sashimi Swap team has re-deployed the Sashimi Swap router contract, it appears that there has been no activity from the project since. As we begin the new year, we anticipate that these types of attacks will keep growing and impacting projects. Flashloan attacks can have severe impacts on a project to the point where recovery is nearly impossible. CertiK encourages investors to choose projects that are thoroughly audited and tested in the wild and to #DYOR before investing.