这个 DEFI 项目运行了大约一个月,然后 24 小时前他们设法以某种方式将提款直接转移到他们的 devaddress 中。智能合约看起来正常,提现功能+参数看起来还可以。
交易示例 1(诈骗前 - 资金流向调用者地址): https ://bscscan.com/tx/0xe51cc0958f66966ce2f6d9aab659a418aa949adb7b9cb82207f7041c543fa0ec
交易示例 2(诈骗 - 资金流向 devaddress): https ://bscscan.com/tx/0x19d62e850b39dd45bf101b536ab01797f79854c8914966b5856ac7804da4a8e9
那么他们是如何做到这一点的呢?
// Withdraw LP tokens from MasterChef.
function withdraw(uint256 _pid, uint256 _amount) public {
PoolInfo storage pool = poolInfo[_pid];
UserInfo storage user = userInfo[_pid][msg.sender];
require(user.amount >= _amount, "withdraw: not good");
updatePool(_pid);
uint256 pending = user.amount.mul(pool.accSushiPerShare).div(1e12).sub(user.rewardDebt);
if(pending > 0) {
safeSushiTransfer(msg.sender, pending);
}
if(_amount > 0) {
user.amount = user.amount.sub(_amount);
// pid0 token, pid1 pair 0% fee, other token 5% fee
uint256 buybackAmount = _amount.mul(50).div(1000);
// transfer to treasury contract and buyback token.
if (_pid > 1 && buybackAmount > 0) {
pool.lpToken.safeTransfer(devaddr, buybackAmount);
_amount = _amount.sub(buybackAmount);
}
pool.lpToken.safeTransfer(address(msg.sender), _amount);
}
user.rewardDebt = user.amount.mul(pool.accSushiPerShare).div(1e12);
emit Withdraw(msg.sender, _pid, _amount);
}