$38 000 USD

JANUARY 2025

GLOBAL

MOSCA

DESCRIPTION OF EVENTS

The Mosca contract appears to be a decentralized subscription and referral-based system deployed on the Binance Smart Chain (BSC) on January 4th, 2025. It supports multiple tokens, including USDT, USDC, and a native Mosca token. The contract lets users join a subscription program, take part in a multi-level referral system, and earn rewards based on network activity. It offers two subscription tiers, Standard and Enterprise, with higher rewards and benefits for Enterprise users.

 

The smart contract appears to have been deployed quickly and with a critical vulnerability.

 

"Improper state updates in the exitProgram() function allowed attackers to manipulate balances."

 

"Root cause appears to be in the exitProgram() call: the user.balanceUSDT & user.balanceUSDC are not reset correctly, enabling double withdrawal."

 

"The join() function in the Mosca contract appears to have a logic flaw, incorrectly adding a diff to the deposited amount. A strange logic! This flaw enabled the attacker to acquire an unusually large user.balance."

 

"The root cause of the exploit was improper state updates in the exitProgram function. The withdrawAll() function calculated the withdrawal amount as the sum of user.balance, user.balanceUSDT, and user.balanceUSDC. However, only user.balance was reset to zero after the withdrawal, leaving user.balanceUSDT and user.balanceUSDC unchanged. The attacker manipulated this flaw by first calling the buy() function to increase their user.balanceUSDC. Next, they used the join() function to add their address to the rewardQueue. Finally, they withdrew funds using the exitProgram() function, leveraging the incomplete state reset."
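The two flaws quoted above, the join() balance inflation and the incomplete reset in exitProgram()/withdrawAll(), come down to one ledger property: the amount paid out must equal the amount zeroed. The following Python model is an added illustration written for this page; it is not the Mosca contract's code. The names buy, join, exitProgram, withdrawAll, rewardQueue, balance, balanceUSDT and balanceUSDC are taken from the analyses quoted here, while the single vault pot, the join fee, the sample amounts and the order of checks are assumptions made to keep the model small, and join()'s "diff" arithmetic is left out because the page does not specify it. The model goes one step past the quoted sequence by repeating the join/exit pair, which is what turns a double withdrawal into a drain, and it pairs the vulnerable payout with the fix (zero every component that was summed) plus the solvency invariant a monitor would check.

```python
"""Toy ledger model of the Mosca-style incomplete-reset withdrawal bug.

Added illustration, not the Mosca contract's code. Function and field names
follow the analyses quoted on this page; the vault pot, fee, amounts and
check ordering are assumptions. join()'s 'diff' logic is not modelled."""
from dataclasses import dataclass, field


@dataclass
class User:
    balance: int = 0       # subscription/reward balance (zeroed by withdrawAll)
    balanceUSDT: int = 0   # left untouched by the vulnerable withdrawAll
    balanceUSDC: int = 0   # left untouched by the vulnerable withdrawAll
    joined: bool = False


@dataclass
class Mosca:
    reset_all_balances: bool        # False reproduces the bug; True is the fix
    vault: int = 0                  # tokens the contract actually holds (assumed)
    users: dict = field(default_factory=dict)
    rewardQueue: list = field(default_factory=list)

    def _user(self, addr):
        return self.users.setdefault(addr, User())

    def buy(self, addr, usdc):
        """Deposit USDC, credited to user.balanceUSDC (step 1 of the exploit)."""
        self.vault += usdc
        self._user(addr).balanceUSDC += usdc

    def join(self, addr, fee):
        """Pay the fee, enter rewardQueue, credit user.balance (step 2)."""
        u = self._user(addr)
        self.vault += fee
        u.balance += fee
        u.joined = True
        self.rewardQueue.append(addr)

    def withdrawAll(self, addr):
        """Pay the sum of all three balances. Vulnerable: only balance is zeroed,
        so balanceUSDT/balanceUSDC stay claimable for the next call."""
        u = self._user(addr)
        amount = u.balance + u.balanceUSDT + u.balanceUSDC
        u.balance = 0
        if self.reset_all_balances:        # the fix: zero every summed component
            u.balanceUSDT = 0
            u.balanceUSDC = 0
        if amount > self.vault:
            raise RuntimeError("vault cannot cover withdrawal")
        self.vault -= amount
        return amount

    def exitProgram(self, addr):
        """Leave the program and withdraw everything (step 3)."""
        u = self._user(addr)
        if not u.joined:
            raise RuntimeError("not a member")
        u.joined = False
        self.rewardQueue.remove(addr)
        return self.withdrawAll(addr)

    def credited_total(self):
        """Everything users could still claim, across all three fields."""
        return sum(u.balance + u.balanceUSDT + u.balanceUSDC
                   for u in self.users.values())

    def solvent(self):
        """Invariant to monitor: outstanding claims never exceed holdings."""
        return self.credited_total() <= self.vault


def run_attack(reset_all_balances, honest_usdc=1000, attacker_usdc=100,
               join_fee=10, cycles=5):
    """Replay buy() -> join() -> exitProgram(), repeating the join/exit pair.
    Returns (attacker_profit, vault_left, solvent_after_first_exit)."""
    c = Mosca(reset_all_balances)
    c.buy("honest", honest_usdc)              # constructed: other users' funds
    c.buy("attacker", attacker_usdc)          # step 1: inflate balanceUSDC once
    paid, received, solvent_after_first = attacker_usdc, 0, None
    for _ in range(cycles):
        c.join("attacker", join_fee)          # step 2: enter rewardQueue
        paid += join_fee
        received += c.exitProgram("attacker")  # step 3: stale USDC paid again
        if solvent_after_first is None:
            solvent_after_first = c.solvent()
    return received - paid, c.vault, solvent_after_first


if __name__ == "__main__":
    print("vulnerable:", run_attack(False))   # (400, 600, False)
    print("fixed:     ", run_attack(True))    # (0, 1000, True)
```

With the assumed amounts, the vulnerable ledger pays the attacker's 100 USDC out once per join/exit cycle, so five cycles net 400 from the honest user's 1000, and the solvency invariant already fails after the first exit, which is the moment a monitoring job could have flagged it. The fixed ledger pays the USDC out exactly once and stays solvent. The general lesson is the checks-effects pattern: compute the payout, zero every field that contributed to it, and only then transfer.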

 

The attacker is a single address, labelled the Mosca exploiter (0xE763DA20e25103Da8E6AFa84b6297F87de557419).

 

Losses here are reported as $37.6k.

 

Explore This Case Further On Our Wiki

The Mosca contract, launched on the Binance Smart Chain (BSC) on January 4th, 2025, is a decentralized subscription and referral system supporting multiple tokens, including USDT, USDC, and a native Mosca token. It offers users two subscription tiers, Standard and Enterprise, with rewards based on network activity. The contract contained a critical accounting flaw: withdrawAll(), reached through exitProgram(), paid out the sum of user.balance, user.balanceUSDT and user.balanceUSDC but reset only user.balance, so the USDT and USDC balances remained claimable and could be withdrawn again. A separate logic error in join(), which added a diff to the deposited amount, let the attacker build an unusually large user.balance. The attacker increased their user.balanceUSDC with buy(), entered the reward queue with join(), and drained funds through exitProgram(). The address responsible has been labelled the Mosca exploiter (0xE763DA20e25103Da8E6AFa84b6297F87de557419), and reported losses are $37.6k.


 For questions or enquiries, email info@quadrigainitiative.com.


© 2019 - 2025 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.