On 26 May 2024, an attacker exploited a vulnerability in the NORMIE token contract on the Base blockchain, executing a flash loan attack that dramatically inflated the meme coin's token supply. The exploit caused a 99% drop in the token's value, crashing the market cap from approximately $41 million to around $35k. The attacker gained 224 WETH (~$881,686), of which they offered to return 90%, provided certain stipulations were met.
As of writing, the stolen funds are held in EOA 0xbDfCaA1c260D35a57aE8C333AFff4D8dC6D90899 on Base.
Example exploit transaction: https://basescan.org/tx/0xa618933a0e0ffd0b9f4f0835cc94e523d0941032821692c01aa96cd6f80fc3fd
Addresses:
Contract Address: 0x7F12d13B34F5F4f0a9449c16Bcd42f0da47AF200
Sushi Pair: 0x24605E0bb933f6EC96E6bBbCEa0be8cC880F6E6f
Exploiter Wallet Address: 0xf7f3a556Ac21d081F6dBa961B6A84E52e37A717D
The following attack flow is based on the example transaction listed above:
Next, the attacker flash-loaned 11,333,141 NORMIE tokens and swapped 9,066,513 of them for 65.97 WETH. This exchange was part of a strategy to manipulate the token supply and, consequently, its value. Repeated transfers of 2,266,628 NORMIE were then made to the pair, each followed by a call to the skim() function to withdraw them.
Because the attack contract was recognized as a premarket_user, the token contract added NORMIE tokens to its own address (address(this)) on each of these transfers.
The vulnerability is that any address receiving the same number of tokens as the deployer's balance is added as a premarket_user, and any address in this list triggers a mint of NORMIE tokens to the contract itself. Membership in a privileged list was therefore inferred from an attacker-controllable value rather than set explicitly, and the resulting mint had no cap.
The Normie contract address ended up with over 650 billion NORMIE tokens despite only having a supply of 1 billion.
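The two defects described above, shown side by side with a hardened version, as an added illustration. This is a hypothetical, simplified reconstruction of the pattern and is not the NORMIE contract's source; the names VulnerableTokenPattern, HardenedTokenPattern, premarketUsers, deployer, MAX_SUPPLY and the exact comparison used to detect a "premarket user" are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical reconstruction of the vulnerable pattern (assumed names;
// not the NORMIE source). Two defects are marked inline.
contract VulnerableTokenPattern {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public premarketUsers;
    address public immutable deployer;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(uint256 initialSupply) {
        deployer = msg.sender;
        _mint(msg.sender, initialSupply);
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _transfer(msg.sender, to, amount);
        return true;
    }

    function _transfer(address from, address to, uint256 amount) internal {
        require(balanceOf[from] >= amount, "insufficient balance");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);

        // Defect 1: privileged status is inferred from a quantity the sender
        // controls (the transferred amount matching the deployer's balance)
        // instead of being assigned by the owner.
        if (amount == balanceOf[deployer]) {
            premarketUsers[to] = true;
        }
        // Defect 2: an ordinary transfer path mints uncapped new supply to the
        // contract itself whenever a listed address is involved, so every
        // further transfer to or from that address inflates the supply again.
        if (premarketUsers[from] || premarketUsers[to]) {
            _mint(address(this), amount);
        }
    }

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// Hardened version of the same idea: the list is an explicit owner decision
// frozen at launch, transfers never mint, and the only mint path is capped.
contract HardenedTokenPattern {
    uint256 public constant MAX_SUPPLY = 1_000_000_000 * 1e18; // assumed cap
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public premarketUsers;
    address public immutable owner;
    bool public tradingOpen;

    event Transfer(address indexed from, address indexed to, uint256 value);
    event PremarketUserSet(address indexed account, bool allowed);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor(uint256 initialSupply) {
        require(initialSupply <= MAX_SUPPLY, "exceeds cap");
        owner = msg.sender;
        _mint(msg.sender, initialSupply);
    }

    // Fix 1: membership is set explicitly by the owner and frozen once
    // trading opens, so no transfer pattern can grant it.
    function setPremarketUser(address account, bool allowed) external onlyOwner {
        require(!tradingOpen, "premarket list frozen");
        premarketUsers[account] = allowed;
        emit PremarketUserSet(account, allowed);
    }

    function openTrading() external onlyOwner {
        tradingOpen = true;
    }

    // Fix 2: transfer only moves existing balances; it never calls _mint.
    function transfer(address to, uint256 amount) external returns (bool) {
        require(tradingOpen || premarketUsers[msg.sender] || msg.sender == owner, "trading not open");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }

    // Fix 3: the single mint path is owner-gated and bounded by MAX_SUPPLY,
    // so balanceOf(address(this)) can never exceed the declared supply.
    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply + amount <= MAX_SUPPLY, "cap exceeded");
        _mint(to, amount);
    }

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}
```

For monitoring, the invariant to watch on the hardened design is simple: totalSupply never exceeds MAX_SUPPLY and no single holder, least of all the token contract itself, ever holds more than totalSupply. A contract balance of 650 billion against a declared 1 billion supply, as seen in this incident, is exactly the kind of deviation an on-chain alert on the token's own balance and Transfer events from address(0) would surface within the same block.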
Summary
Initial Funding
Post Exploit
With the project having agreed to the conditions on X, as shown in the project's Telegram, the attacker would keep the 9.17 ETH left in EOA 0xf7f3a556Ac21d081F6dBa961B6A84E52e37A717D.
As of writing, 200 ETH remains in EOA 0xbdfcaa1c260d35a57ae8c333afff4d8dc6d90899, which will likely be returned once the attacker's conditions are met.
Forking code by copying and adjusting it to your own needs can be an efficient way to get a contract up and running without necessarily requiring an experienced blockchain developer. However, as numerous incidents have shown, forked code also inherits any vulnerabilities present in the original and should always be audited. The NORMIE token attack is a reminder of the importance of security and continuous monitoring of smart contract activity. To see how CertiK can help secure your code, visit certik.com/products/smart-contract-audit.