

Kong' (@TycheKong)

@TycheKong
kongtyche.crypto #SlowMist# Security Team #auditor# #security# researcher #CISSP#
1.2K Following    535 Followers
Need to pay special attention to the L0 DVN configuration 🤔
Initial analysis of the Kelp theft of 116,500 rsETH:
- The LayerZero cross-chain setup it used was a 1/1 DVN configuration, i.e. the classic "single-signer" setup, whereas LayerZero's official documentation recommends 2/2 by default
- This "single-signer, single point of failure" may also have been taken out by social engineering; that is speculation for now, pending the investigation
- The attacker successfully drained 116,500 rsETH on Ethereum and in fact made two further attempts to drain another 40,000 rsETH, which failed; the attacker's gas came from Tornado Cash
- The 116,500 rsETH was laundered out in pieces, pushing the pressure onto the various staking platforms, especially Aave, which now has a huge amount of bad debt
- So who ultimately bears these losses? That depends on further information from the affected platforms... @SlowMist_Team We will keep following up.
0x03D8096377Ea7683d840E395d72439F7B6415Abe was exploited. Powered by SlowMist AI 👇

Attack Overview
Attack Type: Oracle Manipulation (AMM Spot Price Manipulation) + Staking Reward Distribution Logic Flaw (Missing rewardDebt update) + EIP-7702 Account EOA Restriction Bypass
Victim Contract: Stake (0x03d8096377ea7683d840e395d72439f7b6415abe)
Attacker Address (EIP-7702): 0xc93a5ab3737081f00788b61da42281955d3df692
Helper Accounts (EIP-7702): 0xfd11c78a2ffc9102080f1accfb2c9cd2ce2aceab, 0x9007983c0b1db337e3c0ff29771027b8e2be550b
Total Profit: Approximately 209,793 USDT (133,490 USDT secured by 0xef670d9c2e24d1788f39ad35c70f4cc51b4e5898 and 76,303 USDT by 0x972bfaae4093baf00bd5b4db2e11d143adc16f97)
Flash Loan Source: Moolah Protocol (0x8f73b65b4caaf64fba2af91cc5d4a2a1318e5d8c), borrowing 1,900,000 USDT

Root Cause Analysis
Primary Vulnerability — Missing rewardDebt Update During Referral Reward Distribution
Contract: Stake (0x03d8096377ea7683d840e395d72439f7b6415abe)
Function: _distributeRefPower(address user, uint256 power)

Secondary Vulnerability — Price Oracle Utilizing AMM Spot Price
Contract: Stake (0x03d8096377ea7683d840e395d72439f7b6415abe)
Functions: getPowerAmount(uint256 amount) → getTURPrice() / getNobelPrice()
Both price sources rely on getReserves() (AMM spot price), which can be manipulated via flash swaps or large-scale swaps within a single transaction. This allows the attacker to artificially inflate the _power value calculated by getPowerAmount(), thereby magnifying the amount of power distributed to referrers via _distributeRefPower.
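The two flaws the SlowMist AI summary above describes compose in a way that a model makes easy to see: a getReserves()-based oracle lets one large swap in the same transaction set the price used to size staking power, and MasterChef-style accounting that credits referral power without touching rewardDebt pays that power out as if it had been staked since the pool's first block. The following Python is an added illustration written for this page, not the Stake contract's code. The constant-product pool, its reserves, the reward numbers and the formula power = staked TUR × oracle price are all constructed assumptions; only the 1,900,000 USDT flash-loan size is taken from the post.

```python
"""Constructed model of the two flaws in the SlowMist AI summary above.

Not the Stake contract's code. The AMM reserves, reward amounts and the power
formula are assumptions chosen to make the effect visible in integers.
"""
from dataclasses import dataclass, field

PRECISION = 10**12     # MasterChef-style fixed-point scale for accRewardPerShare
PRICE_SCALE = 10**18   # fixed-point scale for the modelled spot price


@dataclass
class Amm:
    """Constant-product TUR/USDT pool. Reserves are constructed sample values."""
    reserve_tur: int
    reserve_usdt: int
    fee_bps: int = 30

    def spot_price(self) -> int:
        # Mirrors a getReserves()-based oracle: USDT per TUR read from live reserves.
        return self.reserve_usdt * PRICE_SCALE // self.reserve_tur

    def swap_usdt_for_tur(self, usdt_in: int) -> int:
        # x*y=k swap; a single large swap moves spot_price() arbitrarily within one tx.
        usdt_eff = usdt_in * (10_000 - self.fee_bps) // 10_000
        tur_out = self.reserve_tur * usdt_eff // (self.reserve_usdt + usdt_eff)
        self.reserve_tur -= tur_out
        self.reserve_usdt += usdt_in
        return tur_out


def get_power_amount(amount_tur: int, price: int) -> int:
    # Assumed formula: power is the USDT value of the staked TUR at the oracle price.
    return amount_tur * price // PRICE_SCALE


@dataclass
class StakePool:
    acc_reward_per_share: int = 0          # scaled by PRECISION
    total_power: int = 0
    power: dict = field(default_factory=dict)
    reward_debt: dict = field(default_factory=dict)

    def accrue(self, reward: int) -> None:
        """Book `reward` for all current stakers (what updatePool does in MasterChef)."""
        if self.total_power:
            self.acc_reward_per_share += reward * PRECISION // self.total_power

    def pending(self, user: str) -> int:
        """Classic formula: power * accRewardPerShare - rewardDebt."""
        return (self.power.get(user, 0) * self.acc_reward_per_share // PRECISION
                - self.reward_debt.get(user, 0))

    def _add_power(self, user: str, amount: int) -> None:
        self.power[user] = self.power.get(user, 0) + amount
        self.total_power += amount

    def deposit(self, user: str, amount: int) -> None:
        """Correct path: rewardDebt grows with the new power, so pending() is unchanged."""
        self._add_power(user, amount)
        self.reward_debt[user] = (self.reward_debt.get(user, 0)
                                  + amount * self.acc_reward_per_share // PRECISION)

    def distribute_ref_power_vulnerable(self, referrer: str, amount: int) -> None:
        """The flaw: power is credited but rewardDebt is not updated, so the referrer
        is owed rewards for blocks in which that power did not exist."""
        self._add_power(referrer, amount)

    def distribute_ref_power_fixed(self, referrer: str, amount: int) -> None:
        """Hardened form: treat referral power like a deposit and settle rewardDebt."""
        self.deposit(referrer, amount)


def run_scenario(vulnerable: bool) -> dict:
    """An honest staker earns rewards; then, in one tx, the attacker pumps the spot
    price and has 1,000 TUR staked through a referral so the referrer's power is sized
    at the inflated price. Returns the accounting so both paths can be compared."""
    amm = Amm(reserve_tur=1_000_000, reserve_usdt=1_000_000)   # constructed: price 1.0
    pool = StakePool()
    pool.deposit("honest", get_power_amount(1_000, amm.spot_price()))   # 1,000 power
    pool.accrue(500)   # only 500 reward has ever been funded, all owed to "honest"

    fair_power = get_power_amount(1_000, amm.spot_price())
    amm.swap_usdt_for_tur(1_900_000)          # flash-loaned USDT (size from the post)
    pumped_power = get_power_amount(1_000, amm.spot_price())   # same TUR, ~8x the power

    distribute = (pool.distribute_ref_power_vulnerable if vulnerable
                  else pool.distribute_ref_power_fixed)
    distribute("referrer", pumped_power)

    return {
        "fair_power": fair_power,
        "pumped_power": pumped_power,
        "referrer_pending": pool.pending("referrer"),
        "honest_pending": pool.pending("honest"),
        "total_claims": pool.pending("referrer") + pool.pending("honest"),
        "rewards_funded": 500,
    }


if __name__ == "__main__":
    for flag in (True, False):
        print("vulnerable" if flag else "fixed", run_scenario(flag))
```

In the vulnerable run the referrer, who has never contributed a block of stake, can immediately claim several times the total reward the pool has ever funded, so the sum of honest and referrer claims exceeds what exists and the last claimant is left with bad debt. In the fixed run the same price pump still inflates the referrer's power (the oracle flaw is untouched), but the rewardDebt update means it earns only from this point forward, so nothing is claimable at once. Both fixes are needed: a time-weighted or external price source closes the first flaw, settling rewardDebt on every power change closes the second.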