QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$1 400 000 USD
SEPTEMBER 2024
GLOBAL
CATERPILLAR TOKEN
DESCRIPTION OF EVENTS
Caterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024.
"Caterpillar Coin suffered a flashloan attack resulting in a loss of ~$1.4M and causing a 99% slippage on the token. The attack exploited vulnerabilities in the "price protection mechanisms", which led to the manipulation of token reserves and rewards."
"The attack appears to have followed a straightforward pattern: the attacker used a flash loan to borrow USDT from the USDT-WBNB pair, then ran a loop to create several contracts with the main attack logic running in the constructor. Before creating each contract, the exploiter transferred a large amount of USDT for the logic in the constructor to utilize."
"1. The attacker took out a 4.5 million USDT flashloan, swapped some for $CUT tokens, and added liquidity to the USDT-CUT pool. 2. Due to a flaw in the reward calculation process, the attacker was able to manipulate the token's reserves, significantly increasing their rewards. 3. By repeating this process, the attacker drained the liquidity pool, repaid the loan, and walked away with around $1.4M USD in profits."
The calculation is vulnerable to price manipulation and the exploiter abused this in order to gain extra $CUT tokens, sold them and gained ~$1.4m from the BUSD-CUT pancake pair.
The calculation is vulnerable to price manipulation and the exploiter abused this in order to gain extra $CUT tokens, sold them and gained ~$1.4m from the BUSD-CUT pancake pair.
Caterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024. The project does not appear to have a website or other online presence. There is an account referenced for CUT2024CUT, however there is no evidence that this Twitter account ever existed. On September 10th, the smart contract was exploited via a Flash loan, allowing the exploiter to profit by a total of $1.4m USD. There is no evidence of any team response, investigation, or attempt to recover funds.
BNB Smart Chain Transaction Hash (Txhash) Details | BscScan
(Oct 16)
https://www.thestreet.com/crypto/innovation/technical-weaknesses-in-smart-contracts-merit-targeted-security-solutions- (Oct 16)
CoinStats - Crypto hacks explode 8x in just one month—$11... (Oct 16)
https://www.cryptopolitan.com/crypto-hacks-rise-116m-stolen-in-september/ (Oct 16)
Crypto Hacks Surge in September 2024: Over $120 Million Lost (Oct 16)
Coinpedia Fintech News: Guest Post by CoinPedia News | CoinMarketCap (Oct 16)
Crypto Hack Weekly Report: Indodax Heist, Caterpillar Coin Collapse, and Apple's Deepfake Incident (Oct 16)
Over 20 Crypto Hacks in September 2024: Here’s How Much Was Stolen: Guest Post by CryptoPotato_News | CoinMarketCap (Oct 16)
BEP20USDT | Address 0x7057f3b0f4d0649b428f0d8378a8a0e7d21d36a7 | BscScan
(Oct 16)
https://dexscreener.com/bsc/0x83681f67069a154815a0c6c2c97e2daca6ed3249 (Oct 16)
CUT/USDT - CUT Price on Pancakeswap V2 (BSC) | GeckoTerminal (Oct 16)
CUT/USDT Real-time On-chain PancakeSwap v2 (BSC) DEX Data (Oct 16)
Cut Incident - Price Manipulation - by lifebow - Verichains (Oct 16)
@CertiK_CN Twitter (Oct 16)
@TenArmorAlert Twitter (Oct 16)
@0xCommitAudits Twitter (Oct 16)
@MetaTrustAlert Twitter (Oct 16)
@EXVULSEC Twitter (Oct 16)
Caterpillar Coin hit by flashloan attack | YOGENDRA SINGH DIWAN posted on the topic | LinkedIn (Oct 16)
BlockThreat - Week 37, 2024 (Oct 16)
Crypto Hack Weekly Report: Indodax Heist, Caterpillar Coin Collapse, and Apple’s Deepfake Incident (Oct 16)
Month in Review: Top DeFi Hacks of September 2024 (Oct 16)
https://www.certik.com/resources/blog/caterpillar-coin-cut-token-incident-analysis (Oct 16)
