CertiK Logo
CertiK Logo
Products
Blogs
Company
incident-response

Products & Technology

Featured Ecosystems

Company

English
Back to all stories
Blogs
Incident Analysis
Sneaky Sandwich Exploit: The BabyDoge Attack Caused 442 BNB Loss
1/8/2024
Sneaky Sandwich Exploit: The BabyDoge Attack Caused 442 BNB Loss

Project name: Baby Doge

Project type: Token

Date of exploit: Jun 21, 2023

Asset loss: 442 BNB

Vulnerability: Sandwich attack

Date of audit report publishing: Nov 16th, 2021

Conclusion: The issue was identified by CertiK but fell outside of the audit scope

Details of the Exploit

Background

BabyDoge coin is a deflationary token that charges fees during token transfers, and a proportion of fees will be added as liquidity to the BabyDoge/BNB pool.

Nature of the Vulnerability

The vulnerability involved a sandwich attack targeting the add liquidity operation, vulnerable to arbitrage if slippage isn't configured. Typically, transfer fees make such attacks unprofitable.

However, BabyDoge's fee exemption for a specific contract lets attackers transfer large Babydoge token amounts fee-free(without paying the tx fee), turning the exploit profitable.

CertiK Audit Overview

Screenshot 2024-01-08 at 5.15.22 AM Screenshot 2024-01-08 at 5.15.22 AM

Conclusion

On Jun 21, 2023, BabyDoge was attacked, leading to a loss of 442 BNB. The attacker made use of a contract that could waive the fee and performed a sandwich attack. The vulnerability lies in a manual operation that excluded a third-party contract from the fee, thus making the sandwich attack exploitable.

Related Stories
Prisma Finance Incident Analysis
Blogs
Incident Analysis
On 28 March, Prisma Finance was exploited by multiple addresses leading to a loss of approximately $12.3 million. Three attackers took advantage of a vulnerability in the Prisma Finance MigrateTroveZap contract which allowed them to manipulate a migration process. Since the exploit occurred, a wallet that received funds from the main exploiter has reached out to the Prisma Finance deployer declaring that their actions were a white hat rescue.
3/29/2024
March's Major Private Key Compromises
Blogs
Incident Analysis
From 12 March to 16 March we have seen nine private key compromises (PKC) that have led to a combined loss of at least $22.96 million in March, with five of those incidents incurring losses over $1 million. These incidents showcase the continued devastation that private key leakages can have on the Web3 ecosystem which has already seen approximately $239 million lost to this type of attack in 2024.
3/22/2024
Concentric.Fi Incident Analysis
Blogs
Incident Analysis
On 22nd January, Concentric.fi was exploited leading to losses of over $1.85 million. The wallets that conducted the attack have been doxxed as the OKX exploiter. Concentric announced on X that their protocol was attacked due to a targeted social engineering attack leading to the compromise of one of their teams admin wallets. From there the attackers were able to upgrade Concentric vault contracts with a malicious implementation leading to losses in liquidity pools as well as users who had approved Concentric contracts.
1/23/2024
CertiK Logo
SOC
© 2024 by CertiK. All Rights Reserved.
Products & Technology
Smart Contract AuditSkynetSecurity ScoreKYCPenetration TestingBug BountyFormal VerificationAdvisory ServicesSkyHarborSkyInsights
Company
AboutVenturesBlogCareersDisclaimerPrivacy PolicyCookie PolicyTerms and ConditionsTrust and Security
Social Media
CertiKSecurity LeaderboardCertiK AlertTelegramYoutube
MediumLinkedIn
Wechat
Discord
MediumLinkedIn
Wechat
Discord
© 2024 by CertiK. All Rights Reserved.
;