# Hack Analysis of [USDC Drain](https://etherscan.io/tx/0xb4e17296635461d2ca5a26a9fa4aaeb24e073e0eb83a2fc6a207c1f97767a1b9)

## Preliminary Analysis

#### EOA's associated:

##### Team Wallets:

[CureFarm Deployer](https://etherscan.io/address/0x35de4e910d0b11a3520612c28a250403115a67ec)

[Malicious Team wallet: 0x725](https://etherscan.io/address/0x725a1fe791b9081492442518596a2e9e4dc4711b)

[Hacker](https://etherscan.io/address/0xa6dc0fe6c94e7f2f34fcc63e05c59707a13942da)

[Hacker 2](https://etherscan.io/address/0xa6dc0fe6c94e7f2f34fcc63e05c59707a13942da)

#### Third Party Hacker?

[3rd party Hacker?](https://etherscan.io/address/0x725a1fe791b9081492442518596a2e9e4dc4711b)

- Seems this user figured out they could accidentally drain assets? Perhaps a bot? The implementation was quickly changed afterwards.

![](https://hackmd.io/_uploads/Hyqv8JrUh.png)

![](https://hackmd.io/_uploads/rJSKU1HUh.png)

#### Victim

[Victim](https://etherscan.io/token/0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48?a=0xfad1cb78101cf717cf97663e681eb87291dfcbe2)

#### Smart Contracts:

[Exploit Contract](https://etherscan.io/address/0x376a2a023a105bc2e19ce19ad275b9bbbcb23e1a)

- [Exploit Contract Delegate](https://etherscan.io/address/0xb11ce4677929f8b57b90f08a1319e4d31642b25b)
- [Vulnerable Proxy Contract (Farm)](https://etherscan.io/address/0xE51e9bFf39baA85bD74865254D647188e1672612#code)
- [Vulnerable Implementation](https://etherscan.io/address/0xb11ce4677929f8b57b90f08a1319e4d31642b25b)
- [Vulnerable Changed Implementation (permanent rugpull)](https://etherscan.io/address/0xa6d924feeff579b8af9a03af879b50838671dae6)

[CureFarm Migrator](https://etherscan.io/address/0xc23bbf214dd89b6d77660d0f6bdbb92c0bbab744)

[Non Malicious Masterchef before rugpull](https://etherscan.io/address/0x0ee919007d2682f4a64308d6399ae0a34909fcb4#code)

#### Transactions

- [Victim Approval for uint256 MAX](https://etherscan.io/tx/0x13da85d379fbff322e4ed27bb0bd0605cfb80a202e6dd1d7c45104b3a2f8e09e)
- [Victim Approval after being drained. Logged Value: 0](https://etherscan.io/tx/0x13da85d379fbff322e4ed27bb0bd0605cfb80a202e6dd1d7c45104b3a2f8e09e)

[Removal from: 0x725a1fe791b9081492442518596a2e9e4dc4711b](https://etherscan.io/tx/0xaf0d0f89d7b12afdfccdb69d1ef5a43b04907aaa4a609688fc1243f33989dbbe): this sets liquidity to zero. [Interacts with hacker](https://etherscan.io/address/0xa6dc0fe6c94e7f2f34fcc63e05c59707a13942da). Rugpull?

[Changing](https://etherscan.io/tx/0xad71cfea73c08a57c3c0383fee22fa7f2b29d47f9f6936a195f93e1f8a10d35a) of implementations to [0xb11ce46](https://etherscan.io/address/0xb11ce4677929f8b57b90f08a1319e4d31642b25b).

## What went wrong

The victim realized the error and started to revoke all USDC approvals.

![](https://hackmd.io/_uploads/H17AvANIn.png)

However, it was too late: the admin/team had already been scamming long before this. The interesting part is that the 3rd party hacker stole some of the funds, and then the team upgraded the contract to have pseudo "ownership" of the function `0xe5ee9334`.

Example Transactions:

[Example of Team stealing Aave USDT](https://etherscan.io/tx/0x683dd3a74ce6a9d30cd5b13c35749ce2c5931b2c144aa3e068bdba86d5018678)

![](https://hackmd.io/_uploads/BJZv41SI3.png)

Possible initial thoughts:

- some sort of approval on the old vulnerable contract? perhaps uint256 (2^256 - 1)
- upgrade backdoor?
- rugpull?

Notes:

`0xce5494bb` = `migrate(address)`;
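
The approve-then-revoke sequence described under "What went wrong" can be audited by replaying `approve(address,uint256)` calldata and listing the spenders that still hold a `2^256 - 1` allowance. This is an added example, not part of the original notes; the helper names and the sample transactions are constructed, and the addresses are placeholders rather than the addresses from this incident.

```python
# Added example: replay approve() calldata to find allowances that are still unlimited.
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)
UINT256_MAX = 2**256 - 1

def decode_approve(calldata):
    """Return (spender, amount) for approve() calldata, or None for anything else."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 128 or data[:8] != APPROVE_SELECTOR:
        return None
    spender_word, amount_word = data[8:72], data[72:136]
    if int(spender_word[:24], 16) != 0:   # an address is left-padded with 12 zero bytes
        return None
    return "0x" + spender_word[24:], int(amount_word, 16)

def live_allowances(txs):
    """Replay (owner, token, calldata) tuples in order; the last approve per key wins."""
    state = {}
    for owner, token, calldata in txs:
        decoded = decode_approve(calldata)
        if decoded is None:
            continue
        spender, amount = decoded
        key = (owner.lower(), token.lower(), spender)
        if amount == 0:
            state.pop(key, None)          # revocation: stops future pulls only
        else:
            state[key] = amount
    return state

def unlimited(state):
    """Keys (owner, token, spender) whose current allowance is 2^256 - 1."""
    return sorted(k for k, v in state.items() if v == UINT256_MAX)

# Constructed sample data: placeholder addresses, not the addresses from this incident.
def word(n):
    return format(n, "064x")

OWNER, TOKEN = "0x" + "aa" * 20, "0x" + "bb" * 20
PROXY, OTHER = "0x" + "cc" * 20, "0x" + "dd" * 20
SAMPLE_TXS = [
    (OWNER, TOKEN, "0x095ea7b3" + word(int(PROXY, 16)) + word(UINT256_MAX)),
    (OWNER, TOKEN, "0x095ea7b3" + word(int(OTHER, 16)) + word(UINT256_MAX)),
    (OWNER, TOKEN, "0xa9059cbb" + word(int(OTHER, 16)) + word(5)),  # transfer(): ignored
    (OWNER, TOKEN, "0x095ea7b3" + word(int(PROXY, 16)) + word(0)),  # revoke
]

if __name__ == "__main__":
    for owner, token, spender in unlimited(live_allowances(SAMPLE_TXS)):
        print("unlimited allowance still live:", owner, token, spender)
```

The replay only sees direct `approve()` calls, so allowances granted through other entry points such as `permit` or `increaseAllowance` need their own decoding.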