QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$43 000 USD
JANUARY 2025
GLOBAL
SORRA
DESCRIPTION OF EVENTS

Sorra is a decentralized platform transforming the future of hospitality and real estate investment. It offers a seamless ecosystem for both travelers and hosts, allowing property owners to earn rewards by listing properties, while guests benefit from affordable stays and earn $SOR tokens. Sorra features smart contracts to automate rental agreements, bookings, and payouts, and hosts can stake $SOR for passive income. The platform also introduces Sorra Estates, enabling fractional real estate ownership through tokenization. With plans for further expansion, Sorra aims to revolutionize short-term rentals and property investment.
The getPendingRewards() function in the Sorra smart contract failed to track and deduct previously distributed rewards, enabling repeated withdrawals of the same rewards.
The attacker, who had deposited 122,868 SOR tokens on December 21, 2024, took advantage of this flaw, draining a total of 3,071,721 SOR tokens and making an approximate profit of $41,000.
The exploit unfolded when the attacker, after the 14-day lockup period, initiated the withdraw() function on January 4, 2025. This function was designed to handle the withdrawal of staked tokens along with any pending rewards. However, due to the flaw, the system did not update the rewards balance correctly, enabling the attacker to call the withdraw() function multiple times with minimal token amounts. As a result, the attacker managed to drain the tokens and convert them into profits.
The root cause of this exploit was the failure of the getPendingRewards() function to account for the userRewardsDistributed[_msgSender()] value. This oversight allowed rewards to be double-counted and withdrawn multiple times.
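The accounting flaw described above, modelled in Python as an added example that is not Sorra's contract code. Only the names getPendingRewards(), withdraw() and userRewardsDistributed come from the write-up; the `StakingModel` class, the reward rate and all figures are constructed assumptions. It compares the flawed pending-reward calculation with one that subtracts rewards already paid, and includes an invariant check that flags over-distribution.

```python
from dataclasses import dataclass, field

REWARD_BPS = 2_500  # assumed reward rate (25% of the stake after lockup), not from the page


@dataclass
class StakingModel:
    deduct_distributed: bool   # False: flawed accounting, True: corrected accounting
    reward_pool: int           # tokens the contract holds to pay rewards
    staked: dict = field(default_factory=dict)
    reward_basis: dict = field(default_factory=dict)  # assumed: rewards accrue on the deposit
    user_rewards_distributed: dict = field(default_factory=dict)

    def deposit(self, user, amount):
        self.staked[user] = self.staked.get(user, 0) + amount
        self.reward_basis[user] = self.staked[user]
        self.user_rewards_distributed.setdefault(user, 0)

    def earned(self, user):
        return self.reward_basis[user] * REWARD_BPS // 10_000

    def get_pending_rewards(self, user):
        if not self.deduct_distributed:
            return self.earned(user)  # flaw: ignores rewards that were already paid out
        return max(self.earned(user) - self.user_rewards_distributed[user], 0)

    def withdraw(self, user, amount):
        if not 0 < amount <= self.staked[user]:
            raise ValueError("invalid withdrawal amount")
        reward = min(self.get_pending_rewards(user), self.reward_pool)
        self.staked[user] -= amount
        self.user_rewards_distributed[user] += reward  # recorded, but never read when flawed
        self.reward_pool -= reward
        return amount + reward


def exceeds_entitlement(model, user):
    """Invariant check: a user must never be paid more rewards than they earned."""
    return model.user_rewards_distributed[user] > model.earned(user)


def rewards_paid_over_calls(deduct_distributed, calls=5):
    """Total rewards paid when a staker withdraws 1 token per call (constructed figures)."""
    model = StakingModel(deduct_distributed, reward_pool=1_000_000)
    model.deposit("staker", 100_000)
    return sum(model.withdraw("staker", 1) - 1 for _ in range(calls))


if __name__ == "__main__":
    print("flawed:", rewards_paid_over_calls(False), "fixed:", rewards_paid_over_calls(True))
```

The same invariant (rewards distributed never exceed rewards earned) is a natural property to assert in a staking contract's unit or fuzz tests before deployment.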
Loss estimates have ranged between $41k and $43k.
Sorra appears to have deleted their website and social media following the exploit.
