Decoding Melody Vulnerability

Neptune Mutual · 3 min read · Oct 30, 2022

TL;DR

On October 25, 2022, Melody was compromised due to a vulnerability in an off-chain module, resulting in the loss of approximately 2225 $BNB tokens.

Introduction to Melody

Melody is a play-to-earn web3 entertainment and social media application covering music creation, karaoke, and more.

Vulnerability Assessment

The root cause of the attack is not a flaw in the smart contracts, but rather a vulnerability in an off-chain frontend module that allowed the hacker to bypass access control.

Steps

1. First, the hacker invokes the coinWithdraw function of the SGS contract, which is used to redeem the user’s assets from the contract.

2. The ‘to’ parameter is the address that receives tokens, while the signature parameter represents a user’s signature to prove that it is he or she who signed this transaction.

3. The attacker withdraws the tokens from the contract to an address, and then sends a total of 990,000 tokens to the attacker’s address.

4. This operation can only be completed by users who have a valid signature.

5. The contract also has a check function that looks for three parameters: signeraddress, output from hashDataCoin function call, and signature.

6. The signeraddress is a state variable of the contract. This signature was actually the signeraddress when the isValidSignatureNow method was called.

7. The hacker most likely obtained the signeraddress to sign his fraudulent transactions because the front-end was compromised, or the hacker used the signeraddress to generate the signature of the malicious action, transferring $SGS tokens to them.

8. The hackers used PancakeSwap to exchange their 990,000 $SGS tokens for $WBNB.

Aftermath

Following the incident, another attacker address repeated the attack, earning 2,450 $SGS and exchanging the proceeds for 560 $WBNB.

The team put the contract into maintenance mode and restarted the withdrawal function after the bug was fixed.

How to prevent such an attack vector

The industry hears about hacks on a regular basis; affirming the security of modules such as signature services is therefore vital for any project team.

The private key of the wallet should always be kept secure.
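
One way to harden the off-chain signature service discussed above, as an added example (not Melody's or Neptune Mutual's code): a hypothetical `WithdrawalSigner` checks each request against an off-chain ledger, a per-transaction cap and a nonce before signing, and reconciles on-chain withdrawals against what it approved. The HMAC key and SHA-256 digest are stand-ins for the signer's private key and the `hashDataCoin` output; all names and sample values are constructed.

```python
import hashlib
import hmac

# Constructed demo key; a real service would keep the signer key in an HSM/KMS.
SIGNER_KEY = b"constructed-demo-key"


class WithdrawalSigner:
    """Hypothetical off-chain service that authorises coinWithdraw requests."""

    def __init__(self, balances, per_tx_cap):
        self.balances = dict(balances)  # off-chain ledger: account -> withdrawable
        self.per_tx_cap = per_tx_cap
        self.used_nonces = set()
        self.issued = {}                # digest -> approved request (audit log)

    @staticmethod
    def digest(to, amount, nonce):
        # Stand-in for the contract's hashDataCoin output (assumed fields).
        return hashlib.sha256(f"{to}|{amount}|{nonce}".encode()).hexdigest()

    def sign_withdrawal(self, account, to, amount, nonce):
        # Every check runs server-side; nothing sent by the frontend is trusted.
        if amount <= 0 or amount > self.per_tx_cap:
            raise PermissionError("amount outside per-transaction cap")
        if (account, nonce) in self.used_nonces:
            raise PermissionError("nonce already used")
        if amount > self.balances.get(account, 0):
            raise PermissionError("amount exceeds ledger balance")
        self.used_nonces.add((account, nonce))
        self.balances[account] -= amount
        d = self.digest(to, amount, nonce)
        self.issued[d] = (account, to, amount, nonce)
        return hmac.new(SIGNER_KEY, d.encode(), hashlib.sha256).hexdigest()

    def unapproved(self, onchain_withdrawals):
        """Return on-chain withdrawals that this service never signed."""
        return [w for w in onchain_withdrawals
                if self.digest(w["to"], w["amount"], w["nonce"]) not in self.issued]
```

The signing gate limits what a bypassed frontend can request; the reconciliation step is what surfaces withdrawals signed outside the service, which is the signal that the signer key itself needs rotating.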

Protocol and Platform Security

Our security team at Neptune Mutual can validate your platform for DNS and web-based security, smart contract reviews, as well as frontend and backend security. We can offer you a solution to scan your platform and safeguard your protocol for known and unknown vulnerabilities that have the potential to have catastrophic long-term effects. Contact us on social media if you are serious about security and have the budget, desire, and feeling of responsibility to do so.

About Us

The Neptune Mutual project safeguards the Ethereum community from cyber threats. The protocol uses parametric cover as opposed to discretionary insurance. It has an easy and reliable on-chain claim process. This means that when incidents are confirmed by our community, resolution is fast.

Join us in our mission to cover, protect, and secure on-chain digital assets.

Official Website: https://neptunemutual.com
Blog: https://blog.neptunemutual.com/
Twitter: https://twitter.com/neptunemutual
Reddit: https://www.reddit.com/r/NeptuneMutual
Telegram: https://t.me/neptunemutual
Discord: https://discord.gg/2qMGTtJtnW
YouTube: https://www.youtube.com/c/NeptuneMutual
LinkedIn: https://www.linkedin.com/company/neptune-mutual
