Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/moscaexitprogramdoublewithdrawalexploit2.php}} {{Unattributed Sources}} BNB Smart Chain ImageThe Mosca contract, launched on the Binance Smart Chain (BSC) on January 4th, is a decentralized subscription and referral system supporting multiple tokens, including USDT, USDC, and a native Mosca token. It offers users two subscription tiers, Standard and En..."

2025-02-12T20:38:10Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/moscaexitprogramdoublewithdrawalexploit2.php}} {{Unattributed Sources}} thumb|BNB Smart Chain ImageThe Mosca contract, launched on the Binance Smart Chain (BSC) on January 4th, is a decentralized subscription and referral system supporting multiple tokens, including USDT, USDC, and a native Mosca token. It offers users two subscription tiers, Standard and En..."

New page

{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/moscaexitprogramdoublewithdrawalexploit2.php}}
{{Unattributed Sources}}

[[File:Binancesecurity.jpg|thumb|BNB Smart Chain Image]]The Mosca contract, launched on the Binance Smart Chain (BSC) on January 4th, is a decentralized subscription and referral system supporting multiple tokens, including USDT, USDC, and a native Mosca token. It offers users two subscription tiers, Standard and Enterprise, with rewards based on network activity. However, the contract contained a critical vulnerability, particularly in the exitProgram() function, where improper state updates allowed attackers to manipulate balances and perform double withdrawals. This exploit was caused by user.balanceUSDT and user.balanceUSDC not being reset correctly, which enabled attackers to acquire unusually large balances and withdraw funds using a flawed logic in the join() and exitProgram() functions. The exploit, attributed to a unique attacker named the Mosca exploiter (0xE763DA20e25103Da8E6AFa84b6297F87de557419), resulted in reported losses of $37.6k.<ref name="tenarmoralerttwitter-18019" /><ref name="bscscan-18020" /><ref name="moscalaunch-18013" /><ref name="slowmistteamtwitter-18014" /><ref name="tenarmoralerttwitter-18015" /><ref name="olympixsubstack-18016" /><ref name="maanvadermedium-18017" /><ref name="verichainsblog-18018" />

== About Mosca ==
The Mosca contract appears to be a decentralized subscription and referral-based system deployed on the Binance Smart Chain (BSC) starting January 4th. It supports multiple tokens, including USDT, USDC, and a native Mosca token. The contract enables users to join a subscription program, participate in a multi-level referral system, and earn rewards based on network activity. It offers two subscription tiers: Standard and Enterprise, with higher rewards and benefits for enterprise users.

== The Reality ==
The smart contract appears to have been deployed quickly and with a critical vulnerability.

== What Happened ==
"Mosca was reportedly attacked on BSC, resulting in an approximate loss of $19,500."
{| class="wikitable"
|+Key Event Timeline - Mosca Exit Program Double Withdrawal Exploit 2
!Date
!Event
!Description
|-
|January 4th, 2025 1:41:11 PM MST
|Mosca Smart Contract Launch
|The Mosca smart contract is first launched on BSC.
|-
|January 5th, 2025 10:22:49 PM MST
|Theft Transaction On BSC
|The first exploit transaction occurs on the Binance Smart Chain.
|-
|January 5th, 2025 10:44:00 PM MST
|TenArmorAlert Posts About Exploit
|TenArmorAlert posts about the exploit, along with details of the root cause. "Root cause appears to be in the exitProgram() call, the user.balanceUSDT & user.balanceUSDC are not reset correctly, enabling double withdrawal."
|-
|January 5th, 2025 11:40:00 PM MST
|SlowMist Reports On Incident
|SlowMist
|-
|January 7th, 2025 6:10:00 AM MST
|Tweet Post By @lmanuel
|Twitter/X user @lmanualm reports "[p]otential suspicious activity".
|-
|January 7th, 2025 9:42:00 AM MST
|0xCommit Audits Post Made
|0xCommits makes a post which appears to summarize only that there was a high level exploit.
|-
|January 12th, 2025 6:52:21 PM MST
|Verichain Publishes Blog Post
|Verichain publishes a detailed breakdown of the exploit.
|-
|January 12th, 2025 11:00:03 PM MST
|Second BSC Theft Transaction
|The vulnerability is exploited a second time in the Mocha smart contact.
|-
|January 13th, 2025 12:04:00 AM MST
|TenArmor Posts Second Attack
|TenArmor posts a second attack, including additional detail on the cause.
|-
|January 14th, 2025 7:17:53 AM MST
|Substack Vestra Article
|Olympix publishes a description of the first exploit with additional details.
|-
|January 23rd, 2025 12:15:12 AM MST
|MaanVader Article Published
|MaanVader publishes a Medium article with even more details of the exploit.
|}

== Technical Details ==
"Improper state updates in the exitProgram() function allowed attackers to manipulate balances."

"Root cause appears to be in the exitProgram() call, the user.balanceUSDT & user.balanceUSDC are not reset correctly, enabling double withdrawal."

"The join() function in the Mosca contract appears to have a logic flaw, incorrectly adding a diff to the deposited amount. A strange logic!

This flaw enabled the attacker to acquire an unusually large user.balance."

"The root cause of the exploit was improper state updates in the exitProgram function. The withdrawAll() function calculated the withdrawal amount as the sum of user.balance, user.balanceUSDT, and user.balanceUSDC. However, only user.balance was reset to zero after the withdrawal, leaving user.balanceUSDT and user.balanceUSDC unchanged. The attacker manipulated this flaw by first calling the buy() function to increase their user.balanceUSDC. Next, they used the join() function to add their address to the rewardQueue. Finally, they withdrew funds using the exitProgram() function, leveraging the incomplete state reset."

Unique exploiter named Mosca exploiter (0xE763DA20e25103Da8E6AFa84b6297F87de557419)

== Total Amount Lost ==
Losses here are reported as $37.6k.

The total amount lost has been estimated at $38,000 USD.

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="tenarmoralerttwitter-18019">[https://twitter.com/TenArmorAlert/status/1878699517450883407 @TenArmorAlert Twitter] (Accessed Feb 11, 2025)</ref>

<ref name="bscscan-18020">[https://bscscan.com/tx/0xf13d281d4aa95f1aca457bd17f2531581b0ce918c90905d65934c9e67f6ae0ec BNB Smart Chain Transaction Hash (Txhash) Details | BscScan] (Accessed Feb 11, 2025)</ref>

<ref name="moscalaunch-18013">[https://bscscan.com/tx/0x8c78478a9620df5b835dfecf3f0a5c341f5a6eef3ea1f63c6f39b7a665fce1c9 Mosca Smart Contract Launch] (Accessed Feb 11, 2025)</ref>

<ref name="slowmistteamtwitter-18014">[https://twitter.com/SlowMist_Team/status/1876156823637770441 @SlowMist_Team Twitter] (Accessed Feb 11, 2025)</ref>

<ref name="tenarmoralerttwitter-18015">[https://twitter.com/TenArmorAlert/status/1876142779564277971 @TenArmorAlert Twitter] (Accessed Feb 11, 2025)</ref>

<ref name="olympixsubstack-18016">[https://olympix.substack.com/p/vestra-targeted-in-500k-hack Vestra Targeted in $500K Hack - Olympix Newsletter] (Accessed Feb 11, 2025)</ref>

<ref name="maanvadermedium-18017">[https://medium.com/@MaanVader/mosca-hack-analysis-19-5k-stolen-735e1bd26f5c Mosca Hack Analysis $19.5K Stolen | by MaanVader | Jan, 2025 | Medium] (Accessed Feb 11, 2025)</ref>

<ref name="verichainsblog-18018">[https://blog.verichains.io/p/mosca-hack-analysis Mosca Hack Analysis - by LCD - Verichains] (Accessed Feb 11, 2025)</ref></references>

Mosca Exit Program Double Withdrawal Exploit 2 - Revision history