Explained: The LianGoPay Hack (February 2023)


Rob Behnke

February 15th, 2023


In February 2023, LianGoPay was the victim of an attack. This pre-planned exploit netted the attacker approximately $1.6 million in stolen tokens.

Inside the Attack

The LianGoPay attack began over a month before the actual exploit. The attacker deployed a fake LP token contract on BNB Chain the same day that LianGoPay created trading pair contracts for WBNB and LGT on Pancake. These trading pair contracts had an address that shared the same first and last four characters as the malicious token contract, making it easy for traders to confuse the two.

In February 2023, the LGTPool administrator deployed one real LP pledge pool and two fake ones (pools 3 and 4). These two fake pools were created using the malicious contract with the lookalike address, making it difficult to differentiate them from real ones.
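A check an administrator or monitoring job could run before or after a pool is registered, shown here as an added example that is not code from LianGoPay or from the original article: it compares each pool's LP token address in full against an allowlist and flags addresses that only match on the first and last four characters. All addresses, the pool id of the legitimate pool, and the function names are constructed for illustration.

```python
# Added example. All addresses below are constructed, not the real contracts.
HEX = set("0123456789abcdef")

def normalize(addr):
    """Lower-case a 20-byte hex address and strip the 0x prefix."""
    a = addr.strip().lower()
    a = a[2:] if a.startswith("0x") else a
    if len(a) != 40 or not set(a) <= HEX:
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a

def classify(candidate, trusted, n=4):
    """Return ('trusted' | 'lookalike' | 'unknown', label_or_None).

    'lookalike' means the first and last n hex characters match a trusted
    address while the full 40 characters do not.
    """
    c = normalize(candidate)
    hit = None
    for label, addr in trusted.items():
        t = normalize(addr)
        if c == t:
            return ("trusted", label)
        if c[:n] == t[:n] and c[-n:] == t[-n:]:
            hit = label
    return ("lookalike", hit) if hit else ("unknown", None)

def audit_pools(pools, trusted):
    """Map pool id -> verdict for every pool whose LP token is not trusted."""
    findings = {}
    for pid, lp_token in pools.items():
        verdict = classify(lp_token, trusted)
        if verdict[0] != "trusted":
            findings[pid] = verdict
    return findings

# Constructed sample data: one allowlisted pair and a lookalike that shares
# its first and last four characters. Pool id 2 is an assumed id for the
# legitimate pool; pools 3 and 4 mirror the fake pools described above.
REAL_PAIR = "0x1a2B" + "c" * 32 + "9F8e"   # mixed case, as checksummed addresses are
FAKE_LP = "0x1a2b" + "d" * 32 + "9f8e"
TRUSTED = {"WBNB/LGT pair": REAL_PAIR}
POOLS = {2: REAL_PAIR.lower(), 3: FAKE_LP, 4: FAKE_LP}

if __name__ == "__main__":
    for pid, (kind, label) in audit_pools(POOLS, TRUSTED).items():
        print(f"pool {pid}: {kind} of {label}")
```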

When the attacker launched their attack, they deposited a massive amount of tokens (614885935211982505426257800000000) into the malicious pool 3. By doing so, they were able to redeem a large amount of LGT tokens, which were exchanged for 1.62 million BSC-USD tokens.

Lessons Learned From the Attack

The coordination between the attacker’s actions and those of the LGTPool administrator indicates that the attacker likely had access to the private key of this account. Additionally, this attack was well-planned in advance, with the attacker setting it up nearly a month before the actual exploit. If this attack was made possible by a compromised private key, it demonstrates the importance of a multi-sig wallet for critical blockchain accounts.

For more information about securing your blockchain wallets and smart contracts, contact our Web3 security experts.