Tsuru $410,000 Exploit | Hack Analysis
Piyush Shukla
Lead Smart Contract Auditor | Building @Safe-Edges | Ex-CISO | Top 3 Global Rank on HackenProof | CEX Security Expert | Web3 Security Specialist | Award-Winning Threat Hunter | DA Researcher | #Sway #Solidity #Rust
Background: Tsurushima Tatsumi, a beloved Japanese illustrator, had his art displayed at NFT NYC 2024. A related project recently suffered a significant exploit.
Incident Summary:
- May 10, 11:55 PM UTC: Users couldn't claim $JOURNEY tokens despite approval. The team suspected issues with the TSURU Wrapper contract's mint/burn functions.
- May 10, 12:30 PM UTC: Users found a workaround by directly calling the safeTransferFrom function in the $JOURNEY NFT contract.
- May 10, 1:00 AM UTC: The team identified out-of-gas errors caused by the tokensOfOwner function retrieving too much data. They began replacing it with the tokensOfOwnerIn function.
Exploit: While the team was fixing the out-of-gas errors, an attacker minted 167,200,000 $TSURU tokens from address 0x7a5eb99c993f4c075c222f9327abc7426cfae386 and swapped them for $137,783 in ETH.
Cause: A code change made to fix the gas issues inadvertently enabled the exploit.