Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/moscaexitprogramdoublewithdrawalexploit1.php}} {{Unattributed Sources}} BNB Smart Chain ImageThe Mosca contract, launched on the Binance Smart Chain (BSC) on January 4th, is a decentralized subscription and referral system that supports multiple tokens, including USDT, USDC, and a native Mosca token. It offers two subscription tiers, Standard and Enter..."

2025-02-12T20:37:34Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/moscaexitprogramdoublewithdrawalexploit1.php}} {{Unattributed Sources}} thumb|BNB Smart Chain ImageThe Mosca contract, launched on the Binance Smart Chain (BSC) on January 4th, is a decentralized subscription and referral system that supports multiple tokens, including USDT, USDC, and a native Mosca token. It offers two subscription tiers, Standard and Enter..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/moscaexitprogramdoublewithdrawalexploit1.php}}
{{Unattributed Sources}}

[[File:Binancesecurity.jpg|thumb|BNB Smart Chain Image]]The Mosca contract, launched on the Binance Smart Chain (BSC) on January 4th, is a decentralized subscription and referral system that supports multiple tokens, including USDT, USDC, and a native Mosca token. It offers two subscription tiers, Standard and Enterprise, with higher rewards for enterprise users. However, a flaw in the exitProgram() function allowed attackers to exploit improper state updates, enabling double withdrawals. The bug left user.balanceUSDT and user.balanceUSDC unchanged after withdrawals, allowing attackers to manipulate balances and withdraw larger amounts. This vulnerability was exploited by UniLend Exploiter 2, resulting in reported losses of $19.5k.<ref name="0xcommitauditstwitter-18008" /><ref name="olympixaitwitter-18009" /><ref name="lmanualmtwitter-18010" /><ref name="bscscan-18011" /><ref name="bennytope00twitter-18012" /><ref name="moscalaunch-18013" /><ref name="slowmistteamtwitter-18014" /><ref name="tenarmoralerttwitter-18015" /><ref name="olympixsubstack-18016" /><ref name="maanvadermedium-18017" /><ref name="verichainsblog-18018" />

== About Mosca ==
The Mosca contract appears to be a decentralized subscription and referral-based system deployed on the Binance Smart Chain (BSC) starting January 4th. It supports multiple tokens, including USDT, USDC, and a native Mosca token. The contract enables users to join a subscription program, participate in a multi-level referral system, and earn rewards based on network activity. It offers two subscription tiers: Standard and Enterprise, with higher rewards and benefits for enterprise users.

== The Reality ==
This sections is included if a case involved deception or information that was unknown at the time. Examples include:

* When the service was actually started (if different than the "official story").
* Who actually ran a service and their own personal history.
* How the service was structured behind the scenes. (For example, there was no "trading bot".)
* Details of what audits reported and how vulnerabilities were missed during auditing.

== What Happened ==
"Mosca was reportedly attacked on BSC, resulting in an approximate loss of $19,500."
{| class="wikitable"
|+Key Event Timeline - Mosca Exit Program Double Withdrawal Exploit 1
!Date
!Event
!Description
|-
|January 4th, 2025 1:41:11 PM MST
|Mosca Smart Contract Launch
|The Mosca smart contract is first launched on BSC.
|-
|January 5th, 2025 10:22:49 PM MST
|Theft Transaction On BSC
|The first exploit transaction occurs on the Binance Smart Chain.
|-
|January 5th, 2025 10:44:00 PM MST
|TenArmorAlert Posts About Exploit
|TenArmorAlert posts about the exploit, along with details of the root cause. "Root cause appears to be in the exitProgram() call, the user.balanceUSDT & user.balanceUSDC are not reset correctly, enabling double withdrawal."
|-
|January 5th, 2025 11:40:00 PM MST
|SlowMist Reports On Incident
|SlowMist
|-
|January 7th, 2025 6:10:00 AM MST
|Tweet Post By @lmanuel
|Twitter/X user @lmanualm reports "[p]otential suspicious activity".
|-
|January 7th, 2025 9:42:00 AM MST
|0xCommit Audits Post Made
|0xCommits makes a post which appears to summarize only that there was a high level exploit.
|-
|January 12th, 2025 6:52:21 PM MST
|Verichain Publishes Blog Post
|Verichain publishes a detailed breakdown of the exploit.
|-
|January 12th, 2025 11:00:03 PM MST
|Second BSC Theft Transaction
|The vulnerability is exploited a second time in the Mocha smart contact.
|-
|January 13th, 2025 12:04:00 AM MST
|TenArmor Posts Second Attack
|TenArmor posts a second attack, including additional detail on the cause.
|-
|January 14th, 2025 7:17:53 AM MST
|Substack Vestra Article
|Olympix publishes a description of the first exploit with additional details.
|-
|January 23rd, 2025 12:15:12 AM MST
|MaanVader Article Published
|MaanVader publishes a Medium article with even more details of the exploit.
|}

== Technical Details ==
"Improper state updates in the exitProgram() function allowed attackers to manipulate balances."

"Root cause appears to be in the exitProgram() call, the user.balanceUSDT & user.balanceUSDC are not reset correctly, enabling double withdrawal."

"The join() function in the Mosca contract appears to have a logic flaw, incorrectly adding a diff to the deposited amount. A strange logic!

This flaw enabled the attacker to acquire an unusually large user.balance."

"The root cause of the exploit was improper state updates in the exitProgram function. The withdrawAll() function calculated the withdrawal amount as the sum of user.balance, user.balanceUSDT, and user.balanceUSDC. However, only user.balance was reset to zero after the withdrawal, leaving user.balanceUSDT and user.balanceUSDC unchanged. The attacker manipulated this flaw by first calling the buy() function to increase their user.balanceUSDC. Next, they used the join() function to add their address to the rewardQueue. Finally, they withdrew funds using the exitProgram() function, leveraging the incomplete state reset."

This attack appears to be done by UniLend Exploiter 2.

== Total Amount Lost ==
Losses here are widely reported as $19.5k.

The total amount lost has been estimated at $20,000 USD.

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="0xcommitauditstwitter-18008">[https://twitter.com/0xCommitAudits/status/1876670762796581289 @0xCommitAudits Twitter] (Accessed Feb 11, 2025)</ref>

<ref name="olympixaitwitter-18009">[https://twitter.com/Olympix_ai/status/1881684514163867899 @Olympix_ai Twitter] (Accessed Feb 11, 2025)</ref>

<ref name="lmanualmtwitter-18010">[https://twitter.com/lmanualm/status/1876617312360648806 @lmanualm Twitter] (Accessed Feb 11, 2025)</ref>

<ref name="bscscan-18011">[https://bscscan.com/tx/0x4e5bb7e3f552f5ee6ee97db9a9fcf07287aae9a1974e24999690855741121aff BNB Smart Chain Transaction Hash (Txhash) Details | BscScan] (Accessed Feb 11, 2025)</ref>

<ref name="bennytope00twitter-18012">[https://twitter.com/bennytope00/status/1873720328935129506 @bennytope00 Twitter] (Accessed Feb 11, 2025)</ref>

<ref name="moscalaunch-18013">[https://bscscan.com/tx/0x8c78478a9620df5b835dfecf3f0a5c341f5a6eef3ea1f63c6f39b7a665fce1c9 Mosca Smart Contract Launch] (Accessed Feb 11, 2025)</ref>

<ref name="slowmistteamtwitter-18014">[https://twitter.com/SlowMist_Team/status/1876156823637770441 @SlowMist_Team Twitter] (Accessed Feb 11, 2025)</ref>

<ref name="tenarmoralerttwitter-18015">[https://twitter.com/TenArmorAlert/status/1876142779564277971 @TenArmorAlert Twitter] (Accessed Feb 11, 2025)</ref>

<ref name="olympixsubstack-18016">[https://olympix.substack.com/p/vestra-targeted-in-500k-hack Vestra Targeted in $500K Hack - Olympix Newsletter] (Accessed Feb 11, 2025)</ref>

<ref name="maanvadermedium-18017">[https://medium.com/@MaanVader/mosca-hack-analysis-19-5k-stolen-735e1bd26f5c Mosca Hack Analysis $19.5K Stolen | by MaanVader | Jan, 2025 | Medium] (Accessed Feb 11, 2025)</ref>

<ref name="verichainsblog-18018">[https://blog.verichains.io/p/mosca-hack-analysis Mosca Hack Analysis - by LCD - Verichains] (Accessed Feb 11, 2025)</ref></references>

Mosca Exit Program Double Withdrawal Exploit 1 - Revision history