Smart contract exploit in TIME token leads to $188k loss

According to CertiK, the TIME token was exploited recently, resulting in a loss of approximately $188k.

The attack began with the exploiter converting 5 ETH to Wrapped Ether (WETH), and then trading this for over 3.4 billion TIME tokens.

CertiK analysts reported that the exploit’s root cause was the manipulation of the Forwarder contract, which is designed to execute transactions from any address. The attacker crafted a request with a falsified sender address, which they controlled, and a matching signature. This deceptive req passed the Forwarder contract’s verification process.

#CertiKSkynetAlert ?

TIME Token was exploited for ~$188k due to a recently disclosed vulnerability around ERC2771 and Multicall

See our in-depth analysis on the TIME exploit belowhttps://t.co/NF8UPcRPfQ https://t.co/MGDnmFd56d

— CertiK Alert (@CertiKAlert) December 8, 2023

The attacker leveraged a parsing error, where the TIME contract was deceived into recognizing an attacker-controlled address as legitimate. As a result, the TIME contract erroneously burned a massive amount of tokens from the target pool controlled by the attacker, rather than the intended address.

You might also like: KyberSwap hacker moves $338k into Tornado Cash

The attacker burned over 62 billion TIME tokens, leading to a drastic reduction in the token pool. The tokens were then exchanged for a substantial amount of WETH, eventually converting these back to ETH, including a portion used for a bribe in the process.

This incident highlights the underlying vulnerabilities in smart contracts, where even a minor error can lead to substantial financial losses.

Read more: Kronos Research negotiates with hacker over $26m theft