🚨SlowMist TI Alert🚨
💸 Loss: ~1,291.16 ETH + ~1,268,771 USDC + ~206,282 USDT + ~16.94 WBTC
@trustedvolumes
🔍 Root Cause: In the fillOrder function (selector 0x4112e1c2) of the RFQ implementation, signature validation checks _allowedSigners[msg.sender][signer], using the caller (taker) instead of the order's maker as the key. A taker can therefore register its own attack contract via registerAllowedOrderSigner and then execute forged orders on behalf of any maker.
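The flawed lookup beside its corrected form, as an added illustration that is not the affected project's code. The Order struct, the RFQAllowedSignerCheck contract and its function names are assumed to mirror the pattern the alert describes, and signature recovery is reduced to a bare ecrecover call:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only; names and layout are assumptions, not the vulnerable contract.
struct Order {
    address maker;        // principal whose assets the order spends
    address makerToken;
    address takerToken;
    uint256 makerAmount;
    uint256 takerAmount;
    uint256 nonce;
}

contract RFQAllowedSignerCheck {
    // principal => delegated signer => allowed
    mapping(address => mapping(address => bool)) internal _allowedSigners;

    // Any account may delegate signing rights for *its own* orders.
    function registerAllowedOrderSigner(address signer, bool allowed) external {
        _allowedSigners[msg.sender][signer] = allowed;
    }

    function _hashOrder(Order calldata order) internal pure returns (bytes32) {
        return keccak256(abi.encode(
            order.maker, order.makerToken, order.takerToken,
            order.makerAmount, order.takerAmount, order.nonce
        ));
    }

    function _recover(bytes32 digest, uint8 v, bytes32 r, bytes32 s) internal pure returns (address) {
        address signer = ecrecover(
            keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", digest)), v, r, s
        );
        require(signer != address(0), "bad signature");
        return signer;
    }

    // VULNERABLE: keyed on msg.sender (the taker). The taker controls both keys of the
    // lookup, so delegating to its own signer satisfies the check for any maker's order.
    function isValidOrderSignatureVulnerable(
        Order calldata order, uint8 v, bytes32 r, bytes32 s
    ) external view returns (bool) {
        address signer = _recover(_hashOrder(order), v, r, s);
        return signer == order.maker || _allowedSigners[msg.sender][signer];
    }

    // FIXED: keyed on order.maker, the principal whose funds are at stake. Only the
    // maker itself, or a signer the maker delegated, can authorise spending those funds.
    function isValidOrderSignatureFixed(
        Order calldata order, uint8 v, bytes32 r, bytes32 s
    ) external view returns (bool) {
        address signer = _recover(_hashOrder(order), v, r, s);
        return signer == order.maker || _allowedSigners[order.maker][signer];
    }
}
```

The defensive rule the fixed version encodes: an authorisation map must be keyed by the party whose assets are being spent, never by the party submitting the transaction. A unit test that fills an order for maker A from a taker B who has only delegated to its own signer should revert on the fixed check; it passes on the vulnerable one, which is the property to assert in a regression test.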
📌 Attacker EOA: 0xc3ebddea4f69df717a8f5c89e7cf20c1c0389100
📌 Victim Contract: 0x9ba0cf1588e1dfa905ec948f7fe5104dd40eda31
📌 Vulnerable Contract: 0x88eb28009351fb414a5746f5d8ca91cdc02760d8
The attacker drained assets from the custodial contract (which held unlimited approvals) via 4 forged RFQ orders.