Cause of vulnerability
Recently, according to relevant information provided by industry insiders (as shown in the figure below), there are loopholes in the project contract named KingDefi, and other users are reminded to operate with caution, withdraw funds and cancel authorization. Knowing the Chuangyu Blockchain Security Lab survey found that KingDeFi is a DeFi project, the main functions include BSC, Solana chain DeFi income aggregation analysis, user DeFi income tracking and the project’s native token mortgage mining.
After checking the source code of the KrownMaster contract on the BSC chain (used for mortgage mining staking), it is found that the contract does have logical loopholes, which will affect the user’s profitability, and there are omissions in the corresponding calculation logic. The following is a detailed explanation.
The address on the contract chain is as follows:
https://bscscan.com/address/0x56a65a3736e65349e5b0737cb2c5eb7d5ccbbbe3#code
As shown in the figure below, we noticed that there is a traversal of the investor array during the processing of the project user reward update algorithm logic, where the investor address may be traversed repeatedly and the corresponding reward may be modified.
As shown in the figure below, when the user makes a mortgage through deposit call, it is judged that when the user’s mortgage amount is 0, it can be added to the investment income list as the investor address to obtain mortgage income, and this judgment can be used by hackers.
As shown in the figure below, the hacker can withdraw the amount of mortgage in the specified pid pool by calling the withdraw or withdrawAll function, so that user.amount is 0, and then the address can enter the investor list through the corresponding check when depositing the mortgage again, so as to In the updatePool function, the hacker’s investor address is repeatedly traversed and multiple mortgage rewards are added, which makes the mortgage rewards unevenly distributed and affects the mortgage mining income of other users.
By looking at the project github, it is found that the KingDefi project team has currently modified the issue.
Bug fix
So how does the project team fix the vulnerability? Check the github address of the project (https://github.com/kingdefi/Krown-Contracts/tree/main/Farm) and found that it had updated the code 18 hours ago. Compare the updated code.
It is found that the project party has deleted the array used to store user addresses and changed it to the rewardsPerShare variable, which represents the reward token corresponding to the unit mortgage token; at the same time, the project party has also changed the reward calculation method (updatePool function): Recycle all user addresses to distribute rewards proportionally instead of updating the rewardsPerShare variable to calculate user reward tokens.
Comparing the two reward methods, the latter will no longer cause the former’s problem of double counting rewards. This reward method is similar to sushiswap’s reward calculation method, and it also avoids the former’s problem of excessive gas destruction caused by too many cycles. .
Vulnerability summary
The vulnerability of Kingdefi this time affects the number of reward tokens for users. Attackers can continue to mortgage withdrawals to increase the distribution of their rewards. However, users’ mortgage tokens are not affected in any way and can be correctly and safely withdrawn. Judging from the repair results of the project party, it has changed to a conventional reward calculation method, which conforms to the mortgage mining logic, and users can withdraw mortgage and reward tokens normally and correctly. I would like to remind the majority of project parties that they must do a code audit before launching the Defi mining project. Different calculation methods will greatly increase the risk of making mistakes while attracting new users!
