SlowMist Says ONTR Token Contract Vulnerability Exploit Caused About $98,315 in Losses
Summary
- SlowMist said an ONTR token contract vulnerability exploit caused losses of about $98,315.
- The firm said the incident exploited an access-control vulnerability in the ONTR token contract and the structure of its 'onlyOwner' modifier.
- The attacker exchanged the minted tokens for WETH in a PancakeSwap liquidity pool, draining assets from a legitimate AMM liquidity pool.
Forecast Trend Report by Period
Blockchain security firm SlowMist said an exploit targeting a vulnerability in the ONTR token contract caused about $98,315 in losses.
On May 29, SlowMist wrote in a post on X that the attack exploited an access-control flaw in the ONTR token contract. The losses totaled 49.4801 WETH, or about $98,315.
SlowMist said the flaw stemmed from the contract's "onlyOwner" modifier. When the owner address was set to the zero address, or address(0), any address could pass the authorization check.
The attacker used the flaw to call the ownership transfer function and set an attacker-controlled contract as the owner. The attacker then added a hidden balance to a queue and executed a specific function to directly inflate an address balance without increasing total supply.
The attacker sent the newly created tokens to a PancakeSwap liquidity pool and exchanged them for WETH. SlowMist described the incident as a case in which an access-control flaw in a token contract was used to arbitrarily increase balances and drain WETH from a legitimate automated market maker, or AMM, liquidity pool.
Minseung Kang
minriver@bloomingbit.ioBlockchain journalist | Writer of Trade Now & Altcoin Now, must-read content for investors.
