Quadriga Initiative Logo.png

QUADRIGA INITIATIVE

CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM

A COMMUNITY-BASED, NOT-FOR-PROFIT

$106 000 USD

MAY 2025

GLOBAL

LOTTERYTICKET50

DESCRIPTION OF EVENTS

Nalakuvara, also known as Nalakubara, is a figure in Hindu and Buddhist mythology. He is the son of Kubera, the yaksha king, and the brother of Manigriva (also known as Manibhadra). Nalakuvara is often depicted as a trickster figure, and his story is intertwined with themes of liberation and devotion to Krishna.

 

The Nalakuvara token smart contract was first launched on the Base chain on May 7th, 2025.

 

Unfortunately, a vulnerability existed in the `LotteryTicketSwap50` contract due to its use of a fixed value calculation for LotteryTickets, which did not account for real-time market conditions. This meant that the value of the tickets remained constant regardless of fluctuations in the prices of the underlying tokens.

 

In addition, the `TransferToken` function lacked slippage protection when adding liquidity. The contract accepted token deposits without verifying whether the input values matched fair market rates, allowing liquidity to be added at arbitrary or manipulated prices.

 

Together, these design flaws created a pricing mismatch between the contract’s internal valuations and actual market dynamics. This inconsistency introduced a systemic risk, making the protocol susceptible to imbalanced operations when token prices deviated from the assumed fixed values.

 

The vulnerability originates from the flawed design of the `LotteryTicketSwap50` contract, specifically in the fixed value calculation of the LotteryTicket and the absence of slippage protection within the `TransferToken` function. This lack of safeguards allowed the attacker to manipulate token prices and exploit the discrepancy between the real market value and the hardcoded ticket valuation. Without mechanisms to account for price changes or to limit adverse liquidity impacts, the contract was left open to exploitation.

 

To execute the attack, the exploiter first manipulated the price of the Nalakuvara token using a flashloan, temporarily inflating or deflating its market value. This manipulation enabled them to create an artificial price discrepancy when adding liquidity through the vulnerable `TransferToken` function. Despite the manipulated token price, the USDC valuation of the LotteryTicket remained fixed, creating a profitable imbalance for the attacker to exploit.

 

Capitalizing on this arbitrage opportunity, the attacker used the inflated Nalakuvara tokens to swap for a larger amount of USDC. They then repeatedly redeemed their LotteryTickets for USDC by invoking the `DestructionOfLotteryTickets` function, profiting from the misalignment in valuation. This process was repeated, allowing the attacker to drain significant funds from the protocol before the exploit was discovered.

 

TenArmor described "an approximately loss of $105.5K".

 

The incident was flagged by TenArmor. However, it is unclear what entity is behind the smart contract.

 

There does not appear to be any investigation or public announcement related to the exploit.

 

There is no indication that any funds have been recovered in this case.

 

There doesn't appear to be any ongoing investigation or any public announcements.

 

Explore This Case Further On Our Wiki

A critical vulnerability in the `LotteryTicketSwap50` contract was exploited due to flawed logic in how it calculated ticket value and handled liquidity. Specifically, the contract used fixed ticket valuations and lacked slippage protection, allowing an attacker to manipulate token prices via flashloan and create profitable arbitrage. By repeatedly redeeming overvalued tickets for USDC, the attacker drained approximately $105.5K from the protocol. The exploit was flagged by TenArmor, but the identity behind the smart contract remains unknown, and no investigation or fund recovery has been publicly reported.

TenArmor - "Our system has detected a suspicious attack involving #Nalakuvara token and #LotteryTicket50 contract on #BASE, resulting in an approximately loss of $105.5K." - Twitter/X (Aug 1)
LotteryTicket50 Nalakuvara Token Exploit - BSCScan (Aug 1)
Week 19, 2025 - Blockthreat (Aug 1)
Nalakuvara Token Smart Contract - BaseScan (Aug 1)
Nalakuvara Token Smart Contract Creation - BaseScan (Aug 1)
Nalakuvara - Wikipedia (Aug 1)

Sources And Further Reading

More case studies

LND Finance DPRK Worker
Upgrades Contract Drains Funds

CoinTelegraph Twitter/X
Phish TELE Fake Token Launch

 For questions or enquiries, email info@quadrigainitiative.com.

Get Social

  • email
  • reddit
  • telegram
  • Twitter

© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.