QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$20 000 USD
JANUARY 2025
GLOBAL
MOSCA
DESCRIPTION OF EVENTS

The Mosca contract appears to be a decentralized subscription and referral-based system deployed on the Binance Smart Chain (BSC) starting January 4th. It supports multiple tokens, including USDT, USDC, and a native Mosca token. The contract enables users to join a subscription program, participate in a multi-level referral system, and earn rewards based on network activity. It offers two subscription tiers: Standard and Enterprise, with higher rewards and benefits for enterprise users.
"Improper state updates in the exitProgram() function allowed attackers to manipulate balances."
"Root cause appears to be in the exitProgram() call: the user.balanceUSDT & user.balanceUSDC are not reset correctly, enabling double withdrawal."
"The join() function in the Mosca contract appears to have a logic flaw, incorrectly adding a diff to the deposited amount. A strange logic! This flaw enabled the attacker to acquire an unusually large user.balance."
"The root cause of the exploit was improper state updates in the exitProgram function. The withdrawAll() function calculated the withdrawal amount as the sum of user.balance, user.balanceUSDT, and user.balanceUSDC. However, only user.balance was reset to zero after the withdrawal, leaving user.balanceUSDT and user.balanceUSDC unchanged. The attacker manipulated this flaw by first calling the buy() function to increase their user.balanceUSDC. Next, they used the join() function to add their address to the rewardQueue. Finally, they withdrew funds using the exitProgram() function, leveraging the incomplete state reset."
This attack appears to have been carried out by UniLend Exploiter 2.
Losses here are widely reported as $19.5k.
The Mosca contract, launched on the Binance Smart Chain (BSC) on January 4th, is a decentralized subscription and referral system that supports multiple tokens, including USDT, USDC, and a native Mosca token. It offers two subscription tiers, Standard and Enterprise, with higher rewards for enterprise users. However, a flaw in the exitProgram() function allowed attackers to exploit improper state updates, enabling double withdrawals. The bug left user.balanceUSDT and user.balanceUSDC unchanged after withdrawals, allowing attackers to manipulate balances and withdraw larger amounts. This vulnerability was exploited by UniLend Exploiter 2, resulting in reported losses of $19.5k.
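The incomplete-reset pattern the reports describe, shown below as an added illustration and not as the Mosca contract's source: the contract name, struct layout and single payout token are assumptions, and the crediting paths (the page's join() and buy()) are omitted; only the bug class (summing three credits but zeroing one) comes from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical reconstruction of the accounting flaw described in the reports.
// This is NOT the Mosca contract: names, the struct layout and the single
// payout token are assumptions; only the bug class comes from the page.
// The crediting paths (the page's join()/buy()) are omitted.
contract SubscriptionBalances {
    struct User {
        uint256 balance;      // native-token credit
        uint256 balanceUSDT;  // USDT credit
        uint256 balanceUSDC;  // USDC credit
    }

    mapping(address => User) public users;
    IERC20 public immutable payoutToken;

    constructor(IERC20 token) {
        payoutToken = token;
    }

    // Vulnerable pattern: the payout sums all three credits but only
    // `balance` is zeroed, so balanceUSDT and balanceUSDC are paid out
    // again on every later call.
    function withdrawAllVulnerable() external {
        User storage u = users[msg.sender];
        uint256 amount = u.balance + u.balanceUSDT + u.balanceUSDC;
        u.balance = 0; // incomplete state reset
        require(payoutToken.transfer(msg.sender, amount), "transfer failed");
    }

    // Fixed pattern: zero every credit that contributed to `amount` before
    // the external call (checks-effects-interactions); a second call reverts.
    function withdrawAll() external {
        User storage u = users[msg.sender];
        uint256 amount = u.balance + u.balanceUSDT + u.balanceUSDC;
        require(amount > 0, "nothing to withdraw");
        u.balance = 0;
        u.balanceUSDT = 0;
        u.balanceUSDC = 0;
        require(payoutToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

A unit test that credits all three fields, calls withdrawAll() twice and asserts that the second call reverts with "nothing to withdraw" catches this class of bug before deployment.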
@0xCommitAudits Twitter (Feb 11)
@Olympix_ai Twitter (Feb 11)
@lmanualm Twitter (Feb 11)
BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Feb 11)
@bennytope00 Twitter (Feb 11)
Mosca Smart Contract Launch (Feb 11)
@SlowMist_Team Twitter (Feb 11)
@TenArmorAlert Twitter (Feb 11)
Vestra Targeted in $500K Hack - Olympix Newsletter (Feb 11)
Mosca Hack Analysis $19.5K Stolen | by MaanVader | Jan, 2025 | Medium (Feb 11)
Mosca Hack Analysis - by LCD - Verichains (Feb 11)
