Sorra Contract Flawed Reward Logic Exploited - Revision history

Azoundria: Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/sorracontractflawedrewardlogicexploited.php}} {{Unattributed Sources}} Sorra.io Logo/Homepage
2025-02-07T23:32:43Z

Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/sorracontractflawedrewardlogicexploited.php}} {{Unattributed Sources}} thumb|Sorra.io Logo/Homepage<ref name="etherscan-17910" /><ref name="coingecko-17911" /><ref name="sorraarchive-17912" /><ref name="sorraarchive-17913" /><ref name="sorraarchive-17914" /><ref name="sorra-17915" /><ref name="coincheckup-17916" /><ref name="coingecko-17917" /><ref name="coinmonksme..."

New page
{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/sorracontractflawedrewardlogicexploited.php}}
{{Unattributed Sources}}

[[File:Sorraio.jpg|thumb|Sorra.io Logo/Homepage]]<ref name="etherscan-17910" /><ref name="coingecko-17911" /><ref name="sorraarchive-17912" /><ref name="sorraarchive-17913" /><ref name="sorraarchive-17914" /><ref name="sorra-17915" /><ref name="coincheckup-17916" /><ref name="coingecko-17917" /><ref name="coinmonksmedium-17918" /><ref name="panewslab-17919" /><ref name="quillaudits-17920" /><ref name="theblock-17921" /><ref name="lunaraymedium-17922" /><ref name="sorraiotwitter-17923" /><ref name="tenarmoralerttwitter-17924" /><ref name="tikkalaresearchtwitter-17925" /><ref name="orbler1twitter-17926" /><ref name="coincreateteamtwitter-17927" /><ref name="kukayalabstwitter-17928" /><ref name="kukayalabstwitter-17929" /><ref name="ellioticianisttwitter-17930" /><ref name="kukayalabstwitter-17931" /><ref name="tomtalkofficialtwitter-17932" /><ref name="tryringaitwitter-17933" /><ref name="maaziemekatwitter-17934" /><ref name="marko369twitter-17935" /><ref name="ellioticianisttwitter-17936" /><ref name="alesandrod1sttwitter-17937" />

== About Sorra ==
Sorra is a decentralized platform transforming the future of hospitality and real estate investment. It offers a seamless ecosystem for both travelers and hosts, allowing property owners to earn rewards by listing properties, while guests benefit from affordable stays and earn $SOR tokens. Sorra features smart contracts to automate rental agreements, bookings, and payouts, and hosts can stake $SOR for passive income. The platform also introduces Sorra Estates, enabling fractional real estate ownership through tokenization. With plans for further expansion, Sorra aims to revolutionize short-term rentals and property investment.

== The Reality ==
The getPendingRewards() function in the Sorra smart contract failed to track and deduct previously distributed rewards, enabling repeated withdrawals of the same rewards.

== What Happened ==
"Sorra was suspected to have been attacked on ETH, resulting in an approximate loss of $43K."
{| class="wikitable"
|+Key Event Timeline - Sorra Contract Flawed Reward Logic Exploited
!Date
!Event
!Description
|-
|January 4th, 2025 4:59:23 AM MST
|Sorra Contract Exploited
|The Sorra smart contract is exploited.
|}

== Technical Details ==
The getPendingRewards() function in the Sorra smart contract failed to track and deduct previously distributed rewards, enabling repeated withdrawals of the same rewards.

This issue prevented the contract from properly tracking and deducting previously distributed rewards, allowing the attacker to repeatedly withdraw the same rewards. The attacker, who had deposited 122,868 SOR tokens on December 21, 2024, took advantage of this flaw, draining a total of 3,071,721 SOR tokens and making an approximate profit of $41,000.

The exploit unfolded when the attacker, after the 14-day lockup period, initiated the withdraw() function on January 4, 2025. This function was designed to handle the withdrawal of staked tokens along with any pending rewards. However, due to the flaw, the system did not update the rewards balance correctly, enabling the attacker to call the withdraw() function multiple times with minimal token amounts. As a result, the attacker managed to drain the tokens and convert them into profits.

The root cause of this exploit was the failure of the getPendingRewards() function to account for the userRewardsDistributed[_msgSender()] value. This oversight allowed rewards to be double-counted and withdrawn multiple times.

== Total Amount Lost ==
Loss estimates have ranged between $41k and 43k.

The total amount lost has been estimated at $43,000 USD.

== Immediate Reactions ==
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

== Ultimate Outcome ==
Sorra appears to have deleted their website and social media following the exploit.

== Total Amount Recovered ==
There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="etherscan-17910">[https://etherscan.io/tx/0x6439d63cc57fb68a32ea8ffd8f02496e8abad67292be94904c0b47a4d14ce90d Ethereum Transaction Hash (Txhash) Details | Etherscan] (Accessed Feb 7, 2025)</ref>

<ref name="coingecko-17911">[https://www.coingecko.com/en/coins/sorra https://www.coingecko.com/en/coins/sorra] (Accessed Feb 7, 2025)</ref>

<ref name="sorraarchive-17912">[https://web.archive.org/web/20240723104041/https://www.sorra.io/ Sorra] (Accessed Feb 7, 2025)</ref>

<ref name="sorraarchive-17913">[https://web.archive.org/web/20240909144332/https://www.sorra.io/ Sorra] (Accessed Feb 7, 2025)</ref>

<ref name="sorraarchive-17914">[https://web.archive.org/web/20241115140755/https://www.sorra.io/ Sorra] (Accessed Feb 7, 2025)</ref>

<ref name="sorra-17915">[https://www.sorra.io/lander https://www.sorra.io/lander] (Accessed Feb 7, 2025)</ref>

<ref name="coincheckup-17916">[https://coincheckup.com/coins/sorra/about Cryptocurrency Prices, Charts & Crypto Market Cap - CoinCheckup] (Accessed Feb 7, 2025)</ref>

<ref name="coingecko-17917">[https://www.coingecko.com/en/coins/sorra/usd https://www.coingecko.com/en/coins/sorra/usd] (Accessed Feb 7, 2025)</ref>

<ref name="coinmonksmedium-17918">[https://medium.com/coinmonks/sorra-finance-staking-exploit-41-000-drained-in-flawed-reward-logic-3771a6efb019 Sorra Finance Staking Exploit 41 000 Drained In Flawed Reward Logic] (Accessed Feb 7, 2025)</ref>

<ref name="panewslab-17919">[https://www.panewslab.com/en/articledetails/li2cs123jh5h.html Cryptocurrency Monthly Report: In January, the security loss of funds was about 98 million US dollars, a significant decrease both year-on-year and month-on-month - PANews] (Accessed Feb 7, 2025)</ref>

<ref name="quillaudits-17920">[https://www.quillaudits.com/web3-hacks-database Web3 Hacks Database: Major Hacks & Scams Analyzed] (Accessed Feb 7, 2025)</ref>

<ref name="theblock-17921">[https://www.theblock.co/post/337976/january-2025-crypto-hacks https://www.theblock.co/post/337976/january-2025-crypto-hacks] (Accessed Feb 7, 2025)</ref>

<ref name="lunaraymedium-17922">[https://lunaray.medium.com/sorrastaking-hack-analysis-60e8cd9ca026 Sorrastaking Hack Analysis] (Accessed Feb 7, 2025)</ref>

<ref name="sorraiotwitter-17923">[https://twitter.com/sorra_io @sorra_io Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="tenarmoralerttwitter-17924">[https://twitter.com/TenArmorAlert/status/1875582709512188394 @TenArmorAlert Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="tikkalaresearchtwitter-17925">[https://twitter.com/TikkalaResearch/status/1876344921235529815 @TikkalaResearch Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="orbler1twitter-17926">[https://twitter.com/Orbler1/status/1871473786366939364 @Orbler1 Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="coincreateteamtwitter-17927">[https://twitter.com/CoincreateTeam/status/1875573059681447992 @CoincreateTeam Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="kukayalabstwitter-17928">[https://twitter.com/KukayaLabs/status/1871494982298673203 @KukayaLabs Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="kukayalabstwitter-17929">[https://twitter.com/KukayaLabs/status/1875303690300784732 @KukayaLabs Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="ellioticianisttwitter-17930">[https://twitter.com/Ellioticianist/status/1874569790171562196 @Ellioticianist Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="kukayalabstwitter-17931">[https://twitter.com/KukayaLabs/status/1871286649914536271 @KukayaLabs Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="tomtalkofficialtwitter-17932">[https://twitter.com/Tomtalkofficial/status/1873738169528816011 @Tomtalkofficial Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="tryringaitwitter-17933">[https://twitter.com/TryRingAI/status/1875589221752164797 @TryRingAI Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="maaziemekatwitter-17934">[https://twitter.com/Maaziemeka/status/1874917520551063822 @Maaziemeka Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="marko369twitter-17935">[https://twitter.com/Mar_Ko369/status/1872645749215043944 @Mar_Ko369 Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="ellioticianisttwitter-17936">[https://twitter.com/Ellioticianist/status/1873108175584673857 @Ellioticianist Twitter] (Accessed Feb 7, 2025)</ref>

<ref name="alesandrod1sttwitter-17937">[https://twitter.com/_AlesandroD1st/status/1873781690381877553 @_AlesandroD1st Twitter] (Accessed Feb 7, 2025)</ref></references>