Attacker drains $1.4M from CUT token pools via mysterious unverified contract

A DeFi exploiter drained $1.4 million from liquidity providers using an unverified contract.

An attacker drained over $1.4 million worth of Bows Coin Synthetic US Dollar (BSC-USD) from a liquidity pool holding CUT tokens on Sept. 10, according to a report from blockchain security platform CertiK.

The CUT token contract relied on a separate, unverified contract to set its “future yield” parameter, and this separate contract was used to drain the BSC-USD through an unknown method.

CertiK reported the event on X.

Source: CertiK

The CUT token that was exploited is located at an address ending in 36a7 on BNB Smart Chain and is separate from the Crypto Unity project, which has the same ticker symbol but a different address.

The drained pool was part of the PancakeSwap exchange. No other PancakeSwap pools have reportedly been affected by it.

Blockchain data shows that the attacker made four separate transactions, draining the pool of BSC-USD and removing $1,448,974.

CUT exploit transactions. Source: BscScan

The attacker did not previously make any deposits to the pool and did not own any liquidity provider tokens for it, making it unlikely that the transaction was a legitimate withdrawal.


In each transaction, the attacker called a function with the selector “0x7a50b2b8.” However, no function with that selector exists in the token contract.

According to the report, this implies that the attacker must have called ILPFutureYieldContract(), which allows the user to call a separate function on an entirely different contract whose address ends in 1154. This separate contract is unverified, and BscScan shows only unreadable bytecode for it.
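The check behind that finding, as an added example that is not part of the article or of CertiK's tooling: Solidity selectors are the first 4 bytes of keccak256 over the canonical signature, so a selector taken from calldata can be resolved against a verified contract's ABI. The ABI below is a constructed sample, not the CUT token's, and Keccak-256 is written inline because Python's hashlib.sha3_256 uses different padding; the article's selector 0x7a50b2b8 resolves to nothing, which is what points to a call forwarded to another contract.

```python
# Added example: derive 4-byte selectors with a self-contained Keccak-256 and
# resolve a calldata selector against a verified ABI (sample ABI is constructed).
M = (1 << 64) - 1
RC = [  # round constants for the 24 rounds of Keccak-f[1600]
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],  # rho offsets [x][y]
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]

def rot(v, r):  # 64-bit left rotation of a lane
    return ((v << r) | (v >> (64 - r))) & M

def keccak_f(s):  # state s: 25 lanes, lane index = x + 5*y
    for rc in RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rot(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]  # theta
        b = [0] * 25
        for x in range(5):
            for y in range(5):  # rho + pi: B[y, 2x+3y] = rot(A[x, y], r[x, y])
                b[y + 5 * ((2 * x + 3 * y) % 5)] = rot(s[x + 5 * y], ROT[x][y])
        s = [b[i] ^ (~b[(i + 1) % 5 + i - i % 5] & M & b[(i + 2) % 5 + i - i % 5]) for i in range(25)]  # chi
        s[0] ^= rc  # iota
    return s

def keccak256(data: bytes) -> bytes:
    rate = 136  # 1088-bit rate; pad10*1 with the legacy 0x01 domain byte (not SHA-3's 0x06)
    q = rate - len(data) % rate
    msg = data + (b"\x81" if q == 1 else b"\x01" + b"\x00" * (q - 2) + b"\x80")
    s = [0] * 25
    for off in range(0, len(msg), rate):  # absorb one rate-sized block per permutation
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(msg[off + 8 * i:off + 8 * i + 8], "little")
        s = keccak_f(s)
    return b"".join(s[i].to_bytes(8, "little") for i in range(4))  # squeeze 32 bytes

def selector(signature: str) -> str:  # Solidity: first 4 bytes of keccak256(signature)
    return "0x" + keccak256(signature.encode()).hex()[:8]

SAMPLE_ABI = ["transfer(address,uint256)", "balanceOf(address)",  # constructed sample ABI,
              "approve(address,uint256)", "setFutureYield(uint256)"]  # not the CUT token's

def classify_call(calldata_hex: str, abi_signatures) -> str:
    table = {selector(sig): sig for sig in abi_signatures}  # selector -> named function
    sel = calldata_hex[:10].lower()  # "0x" + 4 bytes of calldata
    return table.get(sel, f"no function with selector {sel} in verified ABI")
```

When the selector is absent from the verified ABI, the next place to look is the contract's fallback path and any external calls it makes, since that is the only way such a transaction could still succeed.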

Separate contract used in CUT exploit. Source: BscScan

Cointelegraph could not find any marketing website or Twitter account promoting CUT, and investors may have confused it with the unrelated Crypto Unity project.


Exploits are a common way for Web3 users to lose funds. On Sept. 3, over $25 million worth of crypto was lost in an exploit of the Penpie decentralized finance protocol. On Aug. 6, the bridge for the Ronin gaming network was drained of $10 million after an attacker took advantage of a faulty deployment script. In this case, CUT liquidity providers are collectively $1.4 million poorer due to the exploit.