Project name: Baby Doge
Project type: Token
Date of exploit: Jun 21, 2023
Asset loss: 442 BNB
Vulnerability: Sandwich attack
Date of audit report publishing: Nov 16th, 2021
Conclusion: The issue was identified by CertiK but fell outside of the audit scope
BabyDoge coin is a deflationary token that charges fees on token transfers, and a proportion of those fees is added as liquidity to the BabyDoge/BNB pool.
The vulnerability is a sandwich attack against the add-liquidity operation, which is open to arbitrage when no slippage limit is configured. Typically, transfer fees make such attacks unprofitable.
However, BabyDoge exempts a specific contract from fees, which lets attackers transfer large amounts of BabyDoge tokens fee-free (without paying the transaction fee) and makes the exploit profitable.
On Jun 21, 2023, BabyDoge was attacked, leading to a loss of 442 BNB. The attacker made use of a contract that could waive the fee and performed a sandwich attack. The vulnerability lies in a manual operation that excluded a third-party contract from the fee, thus making the sandwich attack exploitable.
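The economics described above can be checked with a small constant-product pool model. This is an added example, not code from the BabyDoge contract or the audit report; the reserves, trade sizes, 0.25% swap fee and 10% transfer fee are constructed values, and it assumes the add-liquidity operation first sells collected tokens into the pool, a step the page does not detail.

```python
from fractions import Fraction as F

SWAP_FEE = F(25, 10_000)    # assumed pool swap fee (0.25%)
TRANSFER_FEE = F(10, 100)   # assumed token transfer fee (10%), constructed value

class Pool:
    """Constant-product token/BNB pool (reserves are constructed values)."""
    def __init__(self, token, bnb):
        self.r = {"token": F(token), "bnb": F(bnb)}

    def swap(self, sell, amount_in, min_out=0):
        """Sell `amount_in` of `sell` ('token' or 'bnb'); return the amount received."""
        buy = "bnb" if sell == "token" else "token"
        eff = amount_in * (1 - SWAP_FEE)
        out = self.r[buy] * eff / (self.r[sell] + eff)
        if out < min_out:
            raise ValueError("below minimum output: transaction reverts")
        self.r[sell] += amount_in
        self.r[buy] -= out
        return out

def simulate(fee_exempt, slippage=None, size=200_000, liquify=50_000):
    """Return (surrounding trader's token P&L, BNB the liquidity step got or None)."""
    pool = Pool(1_000_000, 1_000)
    quote = Pool(1_000_000, 1_000).swap("token", liquify)   # price before any trade
    min_out = 0 if slippage is None else quote * (1 - slippage)
    keep = 1 if fee_exempt else 1 - TRANSFER_FEE   # share of a transfer that arrives
    bnb = pool.swap("token", size * keep)          # trade placed before the operation
    try:
        got = pool.swap("token", liquify, min_out) # the contract's own sale
    except ValueError:
        got = None                                 # slippage bound rejected the price
    back = pool.swap("bnb", bnb) * keep            # trade placed after the operation
    return back - size, got

if __name__ == "__main__":
    for label, kw in [("fee charged, no bound", dict(fee_exempt=False)),
                      ("fee exempt, no bound", dict(fee_exempt=True)),
                      ("fee exempt, 1% bound", dict(fee_exempt=True, slippage=F(1, 100)))]:
        pnl, got = simulate(**kw)
        print(f"{label}: trader P&L {float(pnl):+.0f} tokens,",
              "operation reverted" if got is None else f"operation got {float(got):.2f} BNB")
```

In this model only the fee-exempt run without a minimum output ends with a gain for the surrounding trader. With a slippage bound, the operation reverts instead of trading at the manipulated price, and the surrounding trades lose the swap fees.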