SlowMist
@SlowMist_Team
SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.
๊ฐ์
April 2018
406 ํ๋ก์ ์ค 88.6K ํฌ
๐จSlowMist TI Alert๐จ
๐ธ Loss: ~1,291.16 ETH + ~1,268,771 USDC + ~206,282 USDT + ~16.94 WBTC @trustedvolumes
๐ Root Cause: In fillOrder function (selector 0x4112e1c2) of RFQ Implementation, signature validation checks _allowedSigners[msg.sender][signer] using caller (taker) instead of order's maker as key, allowing registration via registerAllowedOrderSigner for attack contract and execution of forged orders for any maker.
๐ Attacker EOA: 0xc3ebddea4f69df717a8f5c89e7cf20c1c0389100
๐ Victim Contract: 0x9ba0cf1588e1dfa905ec948f7fe5104dd40eda31
๐ Vulnerable Contract: 0x88eb28009351fb414a5746f5d8ca91cdc02760d8
Attacker drained assets from custodial contract with unlimited approvals via 4 forged RFQ orders.
๋ ๋ณด๊ธฐ
