On 19 October, the actor behind the exploit of BlackHole (BH) token just last week, continued to evade scrutiny by channelling their ill-gotten gains into Tornado Cash, discreetly depositing a total of 1,500 BNB into the mixing service.
Certik had reported an exploit that transpired within the BH Token ecosystem on 11 October, culminating in an unauthorised actor, identified as 0xFDb, securing approximately $1.2 million in USDT.
This ill-gotten sum was subsequently converted into Binance Coin (BNB) and funnelled into Tornado Cash.
The attack perpetrated against BH Token exemplifies a classic case of a price manipulation attack, a tactic capitalising on the intrinsic nature of on-chain smart contracts.
These exploitations operate on the principle that a smart contract computes the value of a particular token within the blockchain, thereby rendering it vulnerable to manipulation within a singular transaction.
Typically, price manipulation attacks commence with a flash loan, a collateral-free loan that exists solely for the duration of a single blockchain transaction.
These financial instruments empower attackers to distort the perceived value of a token by disrupting the equilibrium of a trading pair.
This distortion, termed “slippage,” may occur organically due to unequal transaction activity on an exchange or be artificially induced by disproportionately adjusting the quantity of one token relative to the other.
In this instance, the attacker set their sights on the BH/USDT trading pair hosted on PancakeSwap.
Here is how it unfolded: the attacker initiated a trade, acquiring BH tokens at a notably lower price by swapping USDT for BH.
This move allowed them to siphon liquidity from the trading pair at a significantly higher valuation.
The attack concluded with the repayment of the flash loan, leaving the remainder as illicit gains.
It is noteworthy that the attacker incurred approximately $4.16 in transaction fees to execute the attack on BNB Chain.
However, the exploitation of price manipulation and created slippage facilitated the extraction of an estimated $1.2 million in USDT, a substantial sum indeed.
As a precaution against detection and asset freezing, the malicious actor promptly shifted their newfound profits into Tornado Cash, a service renowned for obfuscating the transaction’s origin and destination.