Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Reproducible Foundry test fork from SunWeb3Sec/DeFiHackLabs. Clone the repo, run forge test against the file path above, and replay the exploit against a mainnet fork at the historical block. Use for reproduction only — not for live targets.
The GFA token was exploited on the BNB chain, which resulted in a loss of assets worth approximately $15,000. The root cause of the exploit is a lack of access control. The vulnerable contracts had functions for calculating rewards, for which anyone could invoke a call to them. The hacker was able to manually calculate and generate the rewards and drain the tokens. The exploiter has already laundered the stolen assets into Tornado Cash. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 15,000.
- chain
- bsc
- protocol
- GFA token
- bug_class
- access-control
- date_occurred
- 2024-04-14
- loss_usd
- $15,000
- source_id
- sm:gfa-token::2024-04-14