Normie Incident Analysis
5/26/2024

Incident Summary

On 26 May 2024, an attacker exploited a vulnerability in the NORMIE contract on the Base blockchain, executing a flash loan attack that significantly increased the meme coin’s token supply. This exploit resulted in a 99% drop in the token’s value, causing the market cap to crash from approximately $41 million to around $35k. The attacker gained 224 WETH (~$881,686), of which they offered to return 90%, provided certain stipulations were met.


As of writing, the stolen funds are in EOA 0xbDfCaA1c260D35a57aE8C333AFff4D8dC6D90899 on the Base chain.

Exploit Transactions

Example exploit transaction: https://basescan.org/tx/0xa618933a0e0ffd0b9f4f0835cc94e523d0941032821692c01aa96cd6f80fc3fd

Addresses:

  • Contract Address: 0x7F12d13B34F5F4f0a9449c16Bcd42f0da47AF200
  • Sushi Pair: 0x24605E0bb933f6EC96E6bBbCEa0be8cC880F6E6f
  • Exploiter Wallet Address: 0xf7f3a556Ac21d081F6dBa961B6A84E52e37A717D

Attack Flow

The following attack flow is based on the example transaction listed above:

  1. The attacker began by swapping 171,955 NORMIE tokens for 2 WETH. Later, they swapped 5 million NORMIE. This amount corresponded with the balance of the deployer account. By swapping an amount of tokens equal to the balance of the deployer, the address of the attack contract was added to the _premarket_user list, which enabled further manipulation.


  2. Next, the attacker flash-loaned 11,333,141 NORMIE tokens and swapped 9,066,513 for 65.97 WETH. This exchange was part of a strategy to manipulate the token supply and, consequently, its value. Repeated transfers of 2,266,628 NORMIE were made to the pair, followed by calls to the skim() function to withdraw them.

  3. Since the attack contract was recognized as a premarket_user, the token contract added NORMIE tokens to its own address (address(this)).


  4. When the balance exceeds a threshold, the swapAndLiquify mechanism is triggered to sell 4.65 million newly minted NORMIE each time.


  5. Finally, the attacker swapped 0.5 WETH for approximately 11,040,494 NORMIE at a lower price, which enabled them to repay the flash loan of NORMIE tokens.

Vulnerability

The vulnerability here is that any address receiving the same number of tokens as the deployer’s balance is added as a premarket_user. Any address in this list triggers a mint of NORMIE tokens to the contract itself.


The Normie contract address ended up with over 650 billion NORMIE tokens despite only having a supply of 1 billion.
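
A simplified Python model of the flaw described above, added here as an illustration; it is not the NORMIE contract's code. The class, the account names and the rule that the unbacked credit equals the transferred amount are assumptions. It replays the same transfers against the flawed and a hardened ledger and applies a supply conservation check that flags the inflation.

```python
CONTRACT = "token_contract"  # stands in for address(this)


class ModelToken:
    """Toy ledger; hardened=False reproduces the behaviour described above."""

    def __init__(self, balances, deployer, hardened=False):
        self.balances = dict(balances)
        self.balances.setdefault(CONTRACT, 0)
        self.total_supply = sum(self.balances.values())
        self.deployer = deployer
        self.hardened = hardened
        # Hardened form: membership would only be set explicitly by an
        # authorised account, never inferred from a transfer amount.
        self.premarket_user = set()

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        # Flaw 1: list membership is inferred from a value anyone can match.
        if not self.hardened and amount == self.balances.get(self.deployer, 0):
            self.premarket_user.add(recipient)
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        # Flaw 2: a credit with no matching debit and no total_supply update.
        # Assumption: the credited amount equals the transferred amount.
        if not self.hardened and recipient in self.premarket_user:
            self.balances[CONTRACT] += amount

    def supply_invariant_holds(self):
        """Conservation check a test suite or monitor can assert after each call."""
        return sum(self.balances.values()) == self.total_supply


def replay(hardened):
    # Constructed starting balances; 5,000,000 and 2,266,628 are the
    # amounts quoted in the attack flow.
    token = ModelToken({"deployer": 5_000_000, "pair": 995_000_000},
                       "deployer", hardened)
    token.transfer("pair", "trader", 5_000_000)   # equals the deployer balance
    for _ in range(3):                            # pair -> trader, as after skim()
        token.transfer("pair", "trader", 2_266_628)
    return token


if __name__ == "__main__":
    for mode in (False, True):
        t = replay(mode)
        print("hardened" if mode else "flawed", t.balances[CONTRACT],
              t.supply_invariant_holds())
```
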


Profit and Assets Tracing

Summary

  • Attacker gained 224.98 ETH (~$881,686)

Initial Funding

  1. The exploiter’s initial funding came from a Secret Network wallet secret1d2v7cr8alk3wxy74a95vp9et4t0apy5cg5s4t5. From this wallet 1,000 SCRT (~$405) was bridged to Arbitrum via Osmosis/SquidRouter.


  2. A few minutes later, a further 8,000 axUSDC was bridged to Arbitrum via Axelar Bridge.


  3. Once on Arbitrum, the axUSDC was swapped for WETH and bridged to Base via Across Protocol.


Post Exploit

  1. After the incident, the exploiter moved 200 ETH to EOA 0xbdfcaa1c260d35a57ae8c333afff4d8dc6d90899.


  2. The exploiter later sent a message to the Normie deployer stating that they were willing to return 90% of the funds, likely the 200 ETH, if the deployer was willing to combine that with an additional 600 ETH in the project’s developer wallet (0xd8056B0F8AA2126a8DB6f0B3109Fe9127617bEb2) and launch a new token that reimburses NORMIE holders.


  3. The project agreed to the conditions via X, which can be seen in the project’s Telegram. Under these terms, the attacker would keep the 9.17 ETH left in EOA 0xf7f3a556Ac21d081F6dBa961B6A84E52e37A717D.

  4. As of writing, 200 ETH remains in EOA 0xbdfcaa1c260d35a57ae8c333afff4d8dc6d90899, which will likely be returned once the attacker’s conditions are met.

Conclusion

Forking code by copying and adjusting it to your own needs can be an efficient way to get a contract up and running without necessarily requiring an experienced blockchain developer. However, as we have seen in numerous incidents, forked code also inherits any vulnerabilities that may exist in the original and should always be audited. The NORMIE token attack is a reminder of the importance of security and continuous monitoring of smart contract activities. To see how CertiK can help secure your code, visit certik.com/products/smart-contract-audit.
