Caterpillar Token Flash Loan Smart Contract Drain
Caterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024. The project does not appear to have a website or other online presence. A Twitter account, CUT2024CUT, is referenced; however, there is no evidence that this account ever existed. On September 10th, 2024, the smart contract was exploited via a flash loan, allowing the exploiter to profit by a total of $1.4m USD. There is no evidence of any team response, investigation, or attempt to recover funds.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23]
About Caterpillar Token
Caterpillar Token (CUT) runs through a smart contract on the Binance Smart Chain, which was first launched in July 2024.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
"On September 10th, 2024, Caterpillar Coin ($CUT) was hit by a flashloan attack, resulting in a loss of $1.4 million USD."
| Date | Event | Description |
|---|---|---|
| July 26th, 2024 4:14:56 AM MDT | Caterpillar Coin Launched | The smart contract for Caterpillar Coin is first created on the Binance Smart Chain. |
| September 10th, 2024 6:40:52 AM MDT | Blockchain Exploit Transaction | The timestamp of the transaction on the Binance Smart Chain which is credited as the exploit. |
| September 10th, 2024 4:00:00 PM MDT | CertiK Exploit Analysis | CertiK publishes an analysis of the exploit... |
| September 13th, 2024 12:51:03 PM MDT | Coinpedia Weekly Report | Coinpedia publishes a weekly report which includes the Caterpillar Coin hack. |
| September 13th, 2024 12:51:04 PM MDT | Coinlive Article Title Mention | The Caterpillar Coin incident is mentioned in the title for a Coinlive article, however there is no mention in the body of the article. |
| September 14th, 2024 2:36:04 AM MDT | Verichains Blog Analysis | Web3 security firm Verichains publishes an analysis of the incident/exploit on their blog. |
| September 16th, 2024 1:39:05 AM MDT | Shashank Medium Analysis Post | Shashank from SolidityScan posted an article on Medium which walked through the Caterpillar Coin exploit in some level of detail. |
| September 17th, 2024 12:36:00 AM MDT | PandaLy Weekly Report Inclusion | PandaLy includes the incident in their weekly report recap. |
| September 17th, 2024 4:27:07 AM MDT | Yogendra Singh Diwan Posts | A researcher named Yogendra Singh Diwan posts an article including an analysis of the incident on LinkedIn. While this article includes a logo for a CUT token, this logo is for an unrelated Carbon Utility Token project. |
| September 17th, 2024 11:12:02 AM MDT | Blockthreat Week 37 | The incident is included as premium content inside the Blockthreat Week 37 news article. |
| October 3rd, 2024 3:00:33 AM MDT | Halborn Article Inclusion | The Caterpillar coin incident is included in one paragraph of a "Month In Review" summary of hacks which happened in the month of September, published by Halborn. |
| October 6th, 2024 5:26:00 PM MDT | CryptoPolitan Article Mention | The incident is mentioned briefly in an article written by Cryptopolitan about how much hacks have increased in September. This is reposted by CoinStats. |
| October 7th, 2024 11:26:53 AM MDT | Brief Mention By The Street | The Street shares a brief mention of the Caterpillar Coin flash loan hack in their "Technical Weaknesses in Smart Contracts Merit Targeted Security Solutions" article. |
Technical Details
"Caterpillar Coin suffered a flashloan attack resulting in a loss of ~$1.4M and causing a 99% slippage on the token. The attack exploited vulnerabilities in the "price protection mechanisms", which led to the manipulation of token reserves and rewards."
"The attack appears to have followed a straightforward pattern: the attacker used a flash loan to borrow USDT from the USDT-WBNB pair, then ran a loop to create several contracts with the main attack logic running in the constructor. Before creating each contract, the exploiter transferred a large amount of USDT for the logic in the constructor to utilize."
"1. The attacker took out a 4.5 million USDT flashloan, swapped some for $CUT tokens, and added liquidity to the USDT-CUT pool.
2. Due to a flaw in the reward calculation process, the attacker was able to manipulate the token's reserves, significantly increasing their rewards.
3. By repeating this process, the attacker drained the liquidity pool, repaid the loan, and walked away with around $1.4M USD in profits."
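As an added illustration (not code from this page or from the Caterpillar contract), the reward-valuation pattern the quotes above describe, modeled in Python: a reward priced from the pool's live reserves moves with a single in-block reserve shift, while the same reward priced from a time-weighted average does not. The pool sizes, the stake, the reward rule and the TwapOracle are all constructed assumptions, and pool fees are ignored.

```python
# Constructed model, not the Caterpillar contract's code: a CUT reward priced from live
# USDT/CUT constant-product reserves beside one priced from a TWAP. Fees are ignored.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pool:
    usdt: float  # USDT reserve
    cut: float   # CUT reserve

def spot_price(pool: Pool) -> float:
    """CUT per USDT implied by the reserves at this instant."""
    return pool.cut / pool.usdt

def spot_reward(pool: Pool, stake_usdt: float) -> float:
    """Vulnerable pattern: the stake is valued at whatever the spot price is now."""
    return stake_usdt * spot_price(pool)

def after_cut_sale(pool: Pool, cut_in: float) -> Pool:
    """Reserves after one swap that sells cut_in CUT into the pool (x * y = k)."""
    return Pool(usdt=pool.usdt * pool.cut / (pool.cut + cut_in), cut=pool.cut + cut_in)

class TwapOracle:
    """Cumulative-price oracle: a price only counts for the seconds it was in force."""
    def __init__(self, t0: int, price: float) -> None:
        self.last_t, self.last_price, self.cum = t0, price, 0.0
        self.history = [(t0, 0.0)]  # (timestamp, cumulative price) checkpoints
    def update(self, t: int, price: float) -> None:
        self.cum += self.last_price * (t - self.last_t)  # credit the old price for its duration
        self.last_t, self.last_price = t, price
        self.history.append((t, self.cum))
    def consult(self, t_now: int, window: int) -> float:
        """Average price over the last `window` seconds ending at t_now."""
        t_old, cum_old = max(h for h in self.history if h[0] <= t_now - window)
        cum_now = self.cum + self.last_price * (t_now - self.last_t)
        return (cum_now - cum_old) / (t_now - t_old)

def twap_reward(oracle: TwapOracle, t_now: int, window: int, stake_usdt: float) -> float:
    """Hardened pattern: a reserve shift inside the current block contributes nothing."""
    return stake_usdt * oracle.consult(t_now, window)

def compare(stake_usdt: float = 1_000.0) -> dict:
    """Reward for one stake before and after a large in-block CUT sale, under both rules."""
    pool = Pool(usdt=1_000_000.0, cut=10_000_000.0)  # constructed: 10 CUT per USDT
    oracle = TwapOracle(0, spot_price(pool))
    for t in (100, 200):  # two quiet blocks at the unchanged price
        oracle.update(t, spot_price(pool))
    shifted = after_cut_sale(pool, 10_000_000.0)  # reserves become 500k USDT / 20M CUT
    oracle.update(300, spot_price(shifted))  # the shift lands in block 300 itself
    return {"spot_before": spot_reward(pool, stake_usdt),
            "spot_after": spot_reward(shifted, stake_usdt),
            "twap_after": twap_reward(oracle, 300, 300, stake_usdt)}
```

A TWAP only dilutes shifts that last less than its window, so the window has to be long enough that keeping the reserves in the shifted state for that long costs more than the reward it would unlock.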
Total Amount Lost
The reward calculation is vulnerable to price manipulation, and the exploiter abused this to obtain extra $CUT tokens, sold them, and gained ~$1.4m from the BUSD-CUT PancakeSwap pair.
The total amount lost has been estimated at $1,400,000 USD.
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Accessed Oct 16, 2024)
- https://www.thestreet.com/crypto/innovation/technical-weaknesses-in-smart-contracts-merit-targeted-security-solutions- (Accessed Oct 16, 2024)
- CoinStats - Crypto hacks explode 8x in just one month—$11... (Accessed Oct 16, 2024)
- https://www.cryptopolitan.com/crypto-hacks-rise-116m-stolen-in-september/ (Accessed Oct 16, 2024)
- Crypto Hacks Surge in September 2024: Over $120 Million Lost (Accessed Oct 16, 2024)
- Coinpedia Fintech News: Guest Post by CoinPedia News | CoinMarketCap (Accessed Oct 16, 2024)
- Crypto Hack Weekly Report: Indodax Heist, Caterpillar Coin Collapse, and Apple's Deepfake Incident (Accessed Oct 16, 2024)
- Over 20 Crypto Hacks in September 2024: Here's How Much Was Stolen: Guest Post by CryptoPotato_News | CoinMarketCap (Accessed Oct 16, 2024)
- BEP20USDT | Address 0x7057f3b0f4d0649b428f0d8378a8a0e7d21d36a7 | BscScan (Accessed Oct 16, 2024)
- https://dexscreener.com/bsc/0x83681f67069a154815a0c6c2c97e2daca6ed3249 (Accessed Oct 16, 2024)
- CUT/USDT - CUT Price on Pancakeswap V2 (BSC) | GeckoTerminal (Accessed Oct 16, 2024)
- CUT/USDT Real-time On-chain PancakeSwap v2 (BSC) DEX Data (Accessed Oct 16, 2024)
- Cut Incident - Price Manipulation - by lifebow - Verichains (Accessed Oct 16, 2024)
- @CertiK_CN Twitter (Accessed Oct 16, 2024)
- @TenArmorAlert Twitter (Accessed Oct 16, 2024)
- @0xCommitAudits Twitter (Accessed Oct 16, 2024)
- @MetaTrustAlert Twitter (Accessed Oct 16, 2024)
- @EXVULSEC Twitter (Accessed Oct 16, 2024)
- Caterpillar Coin hit by flashloan attack | YOGENDRA SINGH DIWAN posted on the topic | LinkedIn (Accessed Oct 16, 2024)
- Crypto Hack Weekly Report: Indodax Heist, Caterpillar Coin Collapse, and Apple's Deepfake Incident (Accessed Oct 16, 2024)
- Month in Review: Top DeFi Hacks of September 2024 (Accessed Oct 16, 2024)
- https://www.certik.com/resources/blog/caterpillar-coin-cut-token-incident-analysis (Accessed Oct 16, 2024)