Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/caterpillartokenflashloansmartcontractdrain.php}} {{Unattributed Sources}} Caterpillar TokenCaterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024. The project does not appear to have a website or other online presence. There is an account referenced for CUT2024CUT, however there is no ev..."

2024-10-17T00:53:31Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/caterpillartokenflashloansmartcontractdrain.php}} {{Unattributed Sources}} thumb|Caterpillar TokenCaterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024. The project does not appear to have a website or other online presence. There is an account referenced for CUT2024CUT, however there is no ev..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/caterpillartokenflashloansmartcontractdrain.php}}
{{Unattributed Sources}}

[[File:Binancesecurity.jpg|thumb|Caterpillar Token]]Caterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024. The project does not appear to have a website or other online presence. There is an account referenced for CUT2024CUT, however there is no evidence that this Twitter account ever existed. On September 10th, the smart contract was exploited via a Flash loan, allowing the exploiter to profit by a total of $1.4m USD. There is no evidence of any team response, investigation, or attempt to recover funds.<ref name="bscscan-16142" /><ref name="thestreet-16143" /><ref name="coinstatsapp-16144" /><ref name="cryptopolitan-16145" /><ref name="icoholder-16146" /><ref name="coinmarketcap-16147" /><ref name="coinpedia-16148" /><ref name="coinmarketcap-16149" /><ref name="bscscan-16150" /><ref name="dexscreener-16151" /><ref name="geckoterminal-16152" /><ref name="coinmarketcap-16153" /><ref name="verichainsblog-16154" /><ref name="certikcntwitter-16155" /><ref name="tenarmoralerttwitter-16156" /><ref name="0xcommitauditstwitter-16157" /><ref name="metatrustalerttwitter-16158" /><ref name="exvulsectwitter-16159" /><ref name="linkedin-16160" /><ref name="newsletter-16161" /><ref name="coinlive-16162" /><ref name="halborn-16163" /><ref name="certik-16164" />

== About Caterpillar Token ==
Caterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024.

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
"On September 10th, 2024, Caterpillar Coin ($CUT) was hit by a flashloan attack, resulting in a loss of $1.4 million USD."
{| class="wikitable"
|+Key Event Timeline - Caterpillar Token Flash Loan Smart Contract Drain
!Date
!Event
!Description
|-
|July 26th, 2024 4:14:56 AM MDT
|Caterpillar Coin Launched
|The smart contract for Caterpillar Coin is first created on the Binance Smart Chain.
|-
|September 10th, 2024 6:40:52 AM MDT
|Blockchain Exploit Transaction
|The timestamp of the transaction on the Binance Smart Chain which is credited as the exploit.
|-
|September 10th, 2024 4:00:00 PM MDT
|CertiK Exploit Analysis
|CertiK publishes an analysis of the exploit...
|-
|September 13th, 2024 12:51:03 PM MDT
|Coinpedia Weekly Report
|Coinpedia publishes a weekly report which includes the Caterpillar Coin hack.
|-
|September 13th, 2024 12:51:04 PM MDT
|Coinlive Article Title Mention
|The Caterpillar Coin incident is mentioned in the title for a Coinlive article, however there is no mention in the body of the article.
|-
|September 14th, 2024 2:36:04 AM MDT
|Verichains Blog Analysis
|Web3 security firm Verichains publishes an analysis of the incident/exploit on their blog.
|-
|September 16th, 2024 1:39:05 AM MDT
|Shashank Medium Analysis Post
|Shashank from SolidityScan posted an article on Medium which walked through the Caterpillar Coin exploit in some level of detail.
|-
|September 17th, 2024 12:36:00 AM MDT
|PandaLy Weekly Report Inclusion
|PandaLy includes the incident in their weekly report recap.
|-
|September 17th, 2024 4:27:07 AM MDT
|Yogendra Singh Diwan Posts
|A researcher named Yogendra Singh Diwan posts an article including an analysis of the incident on LinkedIn. While this article includes a logo for a CUT token, this logo is for an unrelated Carbon Utility Token project.
|-
|September 17th, 2024 11:12:02 AM MDT
|Blockthreat Week 37
|The incident is included as premium content inside the Blockthreat Week 37 news article.
|-
|October 3rd, 2024 3:00:33 AM MDT
|Halborn Article Inclusion
|The Caterpillar coin incident is included in one paragraph of a "Month In Review" summary of hacks which happened in the month of September, published by Halborn.
|-
|October 6th, 2024 5:26:00 PM MDT
|CryptoPolitan Article Mention
|The incident is mentioned briefly in an article written by Cryptopolitan about how much hacks have increased in September. This is reposted by CoinStats.
|-
|October 7th, 2024 11:26:53 AM MDT
|Brief Mention By The Street
|The Street shares a brief mention of the Caterpillar Coin flash loan hack in their "Technical Weaknesses in Smart Contracts Merit Targeted Security Solutions" article.
|}

== Technical Details ==
"Caterpillar Coin suffered a flashloan attack resulting in a loss of ~$1.4M and causing a 99% slippage on the token. The attack exploited vulnerabilities in the "price protection mechanisms", which led to the manipulation of token reserves and rewards."

"The attack appears to have followed a straightforward pattern: the attacker used a flash loan to borrow USDT from the USDT-WBNB pair, then ran a loop to create several contracts with the main attack logic running in the constructor. Before creating each contract, the exploiter transferred a large amount of USDT for the logic in the constructor to utilize."

"1. The attacker took out a 4.5 million USDT flashloan, swapped some for $CUT tokens, and added liquidity to the USDT-CUT pool.
2. Due to a flaw in the reward calculation process, the attacker was able to manipulate the token's reserves, significantly increasing their rewards.
3. By repeating this process, the attacker drained the liquidity pool, repaid the loan, and walked away with around $1.4M USD in profits."

== Total Amount Lost ==
The calculation is vulnerable to price manipulation and the exploiter abused this in order to gain extra $CUT tokens, sold them and gained ~$1.4m from the BUSD-CUT pancake pair.

The total amount lost has been estimated at $1,400,000 USD.

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
The calculation is vulnerable to price manipulation and the exploiter abused this in order to gain extra $CUT tokens, sold them and gained ~$1.4m from the BUSD-CUT pancake pair.

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="bscscan-16142">[https://bscscan.com/tx/0x2c123d08ca3d50c4b875c0b5de1b5c85d0bf9979dffbf87c48526e3a67396827 BNB Smart Chain Transaction Hash (Txhash) Details | BscScan] (Accessed Oct 16, 2024)</ref>

<ref name="thestreet-16143">[https://www.thestreet.com/crypto/innovation/technical-weaknesses-in-smart-contracts-merit-targeted-security-solutions- https://www.thestreet.com/crypto/innovation/technical-weaknesses-in-smart-contracts-merit-targeted-security-solutions-] (Accessed Oct 16, 2024)</ref>

<ref name="coinstatsapp-16144">[https://coinstats.app/news/0219d649ce2ab9ff93ef70bdd77fb261c31b6bc0ed9270b5e4647eb12486d61c_Crypto-hacks-explode-8x-in-just-one-month%E2%80%94%24116M-stolen-in-September-alone/ CoinStats - Crypto hacks explode 8x in just one month—$11...] (Accessed Oct 16, 2024)</ref>

<ref name="cryptopolitan-16145">[https://www.cryptopolitan.com/crypto-hacks-rise-116m-stolen-in-september/ https://www.cryptopolitan.com/crypto-hacks-rise-116m-stolen-in-september/] (Accessed Oct 16, 2024)</ref>

<ref name="icoholder-16146">[https://icoholder.com/en/news/crypto-hacks-surge-in-september-2024-over-120-million-lost Crypto Hacks Surge in September 2024: Over $120 Million Lost] (Accessed Oct 16, 2024)</ref>

<ref name="coinmarketcap-16147">[https://coinmarketcap.com/community/articles/66e48a789c6f076f3ed41ad8/ Coinpedia Fintech News: Guest Post by CoinPedia News | CoinMarketCap] (Accessed Oct 16, 2024)</ref>

<ref name="coinpedia-16148">[https://coinpedia.org/news/crypto-hack-weekly-report-indodax-heist-caterpillar-coin-collapse-and-apples-deepfake-incident/ Crypto Hack Weekly Report: Indodax Heist, Caterpillar Coin Collapse, and Apple's Deepfake Incident] (Accessed Oct 16, 2024)</ref>

<ref name="coinmarketcap-16149">[https://coinmarketcap.com/community/articles/6701d09354de5a1601907b55/ Over 20 Crypto Hacks in September 2024: Here’s How Much Was Stolen: Guest Post by CryptoPotato_News | CoinMarketCap] (Accessed Oct 16, 2024)</ref>

<ref name="bscscan-16150">[https://bscscan.com/address/0x7057f3b0f4d0649b428f0d8378a8a0e7d21d36a7 BEP20USDT | Address 0x7057f3b0f4d0649b428f0d8378a8a0e7d21d36a7 | BscScan] (Accessed Oct 16, 2024)</ref>

<ref name="dexscreener-16151">[https://dexscreener.com/bsc/0x83681f67069a154815a0c6c2c97e2daca6ed3249 https://dexscreener.com/bsc/0x83681f67069a154815a0c6c2c97e2daca6ed3249] (Accessed Oct 16, 2024)</ref>

<ref name="geckoterminal-16152">[https://www.geckoterminal.com/bsc/pools/0x83681f67069a154815a0c6c2c97e2daca6ed3249 CUT/USDT - CUT Price on Pancakeswap V2 (BSC) | GeckoTerminal] (Accessed Oct 16, 2024)</ref>

<ref name="coinmarketcap-16153">[https://coinmarketcap.com/dexscan/bsc/0x83681f67069a154815a0c6c2c97e2daca6ed3249/ CUT/USDT Real-time On-chain PancakeSwap v2 (BSC) DEX Data] (Accessed Oct 16, 2024)</ref>

<ref name="verichainsblog-16154">[https://blog.verichains.io/p/cut-incident-price-manipulation Cut Incident - Price Manipulation - by lifebow - Verichains] (Accessed Oct 16, 2024)</ref>

<ref name="certikcntwitter-16155">[https://twitter.com/CertiK_CN/status/1833926212890361981 @CertiK_CN Twitter] (Accessed Oct 16, 2024)</ref>

<ref name="tenarmoralerttwitter-16156">[https://twitter.com/TenArmorAlert/status/1834253188087558368 @TenArmorAlert Twitter] (Accessed Oct 16, 2024)</ref>

<ref name="0xcommitauditstwitter-16157">[https://twitter.com/0xCommitAudits/status/1835501273514234199 @0xCommitAudits Twitter] (Accessed Oct 16, 2024)</ref>

<ref name="metatrustalerttwitter-16158">[https://twitter.com/MetaTrustAlert/status/1833519534143377924 @MetaTrustAlert Twitter] (Accessed Oct 16, 2024)</ref>

<ref name="exvulsectwitter-16159">[https://twitter.com/EXVULSEC/status/1833514743451292146 @EXVULSEC Twitter] (Accessed Oct 16, 2024)</ref>

<ref name="linkedin-16160">[https://www.linkedin.com/posts/yogendra-singh-diwan-302a67178_cryptosecurity-blockchain-smartcontract-activity-7241754539291226112-m1m9 Caterpillar Coin hit by flashloan attack | YOGENDRA SINGH DIWAN posted on the topic | LinkedIn] (Accessed Oct 16, 2024)</ref>

<ref name="newsletter-16161">[https://newsletter.blockthreat.io/p/blockthreat-week-37-2024 BlockThreat - Week 37, 2024] (Accessed Oct 16, 2024)</ref>

<ref name="coinlive-16162">[https://www.coinlive.com/news-flash/620962 Crypto Hack Weekly Report: Indodax Heist, Caterpillar Coin Collapse, and Apple’s Deepfake Incident] (Accessed Oct 16, 2024)</ref>

<ref name="halborn-16163">[https://www.halborn.com/blog/post/month-in-review-top-defi-hacks-of-september-2024 Month in Review: Top DeFi Hacks of September 2024] (Accessed Oct 16, 2024)</ref>

<ref name="certik-16164">[https://www.certik.com/resources/blog/caterpillar-coin-cut-token-incident-analysis https://www.certik.com/resources/blog/caterpillar-coin-cut-token-incident-analysis] (Accessed Oct 16, 2024)</ref></references>

Caterpillar Token Flash Loan Smart Contract Drain - Revision history