In October 2022, Team Finance, a crypto token launchpad, was the victim of an attack. The attacker took advantage of a flaw in update code to steal approximately $14.5 million from the protocol.
Inside the Attack
The Team Finance hack occurred during a migration from Uniswap v2 to v3. This migration allowed the transfer of locked LP positions between protocol versions.
The attacker took advantage of flaws in the migrate function of the Liquidity Locks smart contract used for the migration. By locking a token to the contract, the attacker was able to bypass the migrate function’s validation code and perform a liquidity transfer to a new attacker-controlled pair on Uniswap v3. This transfer was performed using a skewed price, enabling the attacker to extract a massive refund as profit.
Lessons Learned From the Attack
The exploited smart contract was included in a security audit by Zokyo Security, and the vulnerable migrate function was examined. However, the vulnerabilities were not discovered although the auditors expressed concern about passing arbitrary addresses to the lockTokens function, which performs external calls.
Smart contract security audits are the best way to identify vulnerabilities in contract code before it is launched on the blockchain. To learn more about securing your smart contracts, reach out to our smart contract auditing experts at halborn@protonmail.com.