Azoundria: Created page with "{{Imported Case Study 2 With About|source=https://www.quadrigainitiative.com/casestudy/standingonbiznessbiznesssplitlockreentrancyattack.php}} {{Unattributed Sources}} Standing on Bizness Homepage"Standing on Bizness" launched the $bizness token on the Base blockchain on November 20th, 2024, with a focus on building a community through its Telegram and Twitter channels. The token, introduced as the first tokenized belief coin from to..."

2025-01-31T18:29:54Z

Created page with "{{Imported Case Study 2 With About|source=https://www.quadrigainitiative.com/casestudy/standingonbiznessbiznesssplitlockreentrancyattack.php}} {{Unattributed Sources}} thumb|Standing on Bizness Homepage"Standing on Bizness" launched the $bizness token on the Base blockchain on November 20th, 2024, with a focus on building a community through its Telegram and Twitter channels. The token, introduced as the first tokenized belief coin from to..."

New page

{{Imported Case Study 2 With About|source=https://www.quadrigainitiative.com/casestudy/standingonbiznessbiznesssplitlockreentrancyattack.php}}
{{Unattributed Sources}}

[[File:Standingonbizness.jpg|thumb|Standing on Bizness Homepage]]"Standing on Bizness" launched the $bizness token on the Base blockchain on November 20th, 2024, with a focus on building a community through its Telegram and Twitter channels. The token, introduced as the first tokenized belief coin from toshimart.xyz, gained attention through updates about its availability on Uniswap, along with the contract address and community-building messages. However, the project's smart contract contained a vulnerability in the "splitLock" function, which lacked a reentrancy check, allowing an attacker to exploit the system and withdraw more tokens than intended. This flaw led to a $16,000 loss, but the incident was not mentioned on their Twitter account, and promotions continued post-hack. Despite coverage of the hack by Nick L. Franklin and inclusion in the SlowMist list, the team has not publicly acknowledged the exploit.<ref name="exploittransaction-17760" /><ref name="0xnicklfranklintwitter-17761" /><ref name="nickfranklin-17762" /><ref name="mizar-17763" /><ref name="biznesscontract-17764" /><ref name="biznesscreation-17765" /><ref name="biznesshomepage-17766" /><ref name="trybeforediepost-17767" /><ref name="thiscatpost-17768" /><ref name="dextools-17769" /><ref name="blocksecapp-17770" /><ref name="biznessexploiter-17771" /><ref name="tenarmoralerttwitter-17772" />

== About Standing On Bizness ==
"Standing on Bizness" is a $bizness token launched on the Base blockchain on November 20th. To join the community, you can connect through their Telegram and X/Twitter channels. The contract address for $bizness is 0xF3a605573B93Fd22496f471A88AE45F35C1df5A7.

The Standing On Bizness (@SOB_base) Twitter account is focused on promoting its $bizness token, which launched as the first tokenized belief coin from the toshimart.xyz platform. Their Twitter activity includes sharing updates about the token's availability on Uniswap, contract address, and a link to their Telegram group. They emphasize a "mean what you say, say what you mean" motto and encourage users to be part of the community, branding themselves as "standing ten toes down" on their business.

== The Reality ==
The smart contract lacked a reentrancy check in the "splitLock" function, allowing attackers to exploit it by withdrawing more tokens than intended before the locked amount was updated.

== What Happened ==
BIZNESS on base was hacked due to a reentrancy vulnerability in the "splitLock" function, resulting in a $16,000 loss.
{| class="wikitable"
|+Key Event Timeline - Standing on Bizness (BIZNESS) SplitLock Reentrancy Attack
!Date
!Event
!Description
|-
|November 20th, 2024 8:44:41 AM MST
|Token Launch On Base
|The Standing On Bizness token is first launched on the Base blockchain.
|-
|December 26th, 2024 6:28:00 PM MST
|This Cat Means Bizness
|A promotion on Twitter of a cat opening blinds.
|-
|December 27th, 2024 7:42:55 PM MST
|Base Exploit Transaction
|The token is exploited via the re-entrancy attack.
|-
|December 27th, 2024 9:08:00 PM MST
|TenArmor Tweet Posted
|TenArmor shares a tweet on their Twitter account about the exploit.
|-
|December 28th, 2024 2:53:00 PM MST
|The Price Of Winning Post
|A new promotion, to "[b]e an alpha Stand on $BIZNESS" with a video comparing "the price of winning" and "the bill from regret".
|-
|January 7th, 2025 6:30:00 PM MST
|Nick L Franklin Analysis
|Nick L Franklin publishes an analysis of the exploit reentrancy attack.
|}

== Technical Details ==
BIZNESS on base was hacked due to a reentrancy vulnerability in the "splitLock" function of its Locker contract. The function calls the "_feeHandler()" to send fees to the treasury and remaining funds to the user, but lacks a reentrancy check. This allows an attacker to exploit the vulnerability by triggering the "withdrawLock()" function before the locked amount is updated, enabling them to withdraw more tokens than intended. The total loss from the attack was approximately $16,000.

"The splitLock function in the Locker contract reduces the lock amount and creates a new lock after calling the _feeHandler function, which sends surplus ETH to msg.sender.

This creates an opportunity for reentrancy, allowing the attacker to call the withdrawLock function and withdraw tokens while simultaneously creating a new lock, due to the lock amount not being updated."

== Total Amount Lost ==
The hack resulted in a loss of approximately $16,000 worth of tokens due to the reentrancy vulnerability in the smart contract.

The total amount lost has been estimated at $16,000 USD.

== Immediate Reactions ==
The hack was not mentioned on the Twitter/X account. Promotions continued the next day, including a post about being "an alpha Stand on $BIZNESS" with a video comparing "the price of winning" and "the bill from regret".

== Ultimate Outcome ==
Some time later, the incident was covered by Nick L Franklin and included in the SlowMist list.

== Total Amount Recovered ==
The team does not appear to have acknowledged any exploit.

There do not appear to have been any funds recovered in this case.

== Ongoing Developments ==
What parts of this case are still remaining to be concluded?
== General Prevention Policies ==
Developers need to implement proper reentrancy protections to prevent similar exploits in the future.
== Individual Prevention Policies ==
{{Prevention:Individuals:Placeholder}}

{{Prevention:Individuals:End}}

== Platform Prevention Policies ==
{{Prevention:Platforms:Placeholder}}

{{Prevention:Platforms:End}}

== Regulatory Prevention Policies ==
{{Prevention:Regulators:Placeholder}}

{{Prevention:Regulators:End}}

== References ==
<references><ref name="exploittransaction-17760">[https://basescan.org/tx/0x984cb29cdb4e92e5899e9c94768f8a34047d0e1074f9c4109364e3682e488873 The Exploit Transaction] (Accessed Jan 31, 2025)</ref>

<ref name="0xnicklfranklintwitter-17761">[https://twitter.com/0xNickLFranklin/status/1876803706810683849 @0xNickLFranklin Twitter] (Accessed Jan 31, 2025)</ref>

<ref name="nickfranklin-17762">[https://nickfranklin.site/2025/01/08/bizness-hacked/ BIZNESS hacked. – Defi hack analysis] (Accessed Jan 31, 2025)</ref>

<ref name="mizar-17763">[https://mizar.com/token-sniffer/token/standing-on-bizness Standing on Bizness price today, BIZNESS to USD live price, marketcap and chart | Mizar] (Accessed Jan 31, 2025)</ref>

<ref name="biznesscontract-17764">[https://basescan.org/address/0xf3a605573b93fd22496f471a88ae45f35c1df5a7 The Bizness Token Contract On Base] (Accessed Jan 31, 2025)</ref>

<ref name="biznesscreation-17765">[https://basescan.org/tx/0x9815bb4a4246d0f0651cfdfe7ef611021a4ec8ca65957d9906a6e9581749f6ea Transaction Creating Bizness Token] (Accessed Jan 31, 2025)</ref>

<ref name="biznesshomepage-17766">[https://standingonbiz.meme/ Standing On Bizness Homepage] (Accessed Jan 31, 2025)</ref>

<ref name="trybeforediepost-17767">[https://twitter.com/SOB_base/status/1873125094157062629 Bizness - "Try before you die or always wonder... What if?? Be an alpha Stand on $BIZNESS" - Twitter] (Accessed Jan 31, 2025)</ref>

<ref name="thiscatpost-17768">[https://twitter.com/SOB_base/status/1872454405448221124 Bizness - "This cat is Standing on $BIZNESS" - Twitter] (Accessed Jan 31, 2025)</ref>

<ref name="dextools-17769">[https://www.dextools.io/app/en/base/pair-explorer/0x599245fafc9a55e3d2f02176a65d9cd302023c61 https://www.dextools.io/app/en/base/pair-explorer/0x599245fafc9a55e3d2f02176a65d9cd302023c61] (Accessed Jan 31, 2025)</ref>

<ref name="blocksecapp-17770">[https://app.blocksec.com/explorer/tx/base/0x984cb29cdb4e92e5899e9c94768f8a34047d0e1074f9c4109364e3682e488873 0x984cb29cdb4e92e589 | Phalcon Explorer] (Accessed Jan 31, 2025)</ref>

<ref name="biznessexploiter-17771">[https://basescan.org/address/0x3cc1edd8a25c912fcb51d7e61893e737c48cd98d Bizness Exploiter Address] (Accessed Jan 31, 2025)</ref>

<ref name="tenarmoralerttwitter-17772">[https://twitter.com/TenArmorAlert/status/1872857132363645205 @TenArmorAlert Twitter] (Accessed Jan 31, 2025)</ref></references>

Standing on Bizness (BIZNESS) SplitLock Reentrancy Attack - Revision history