Fire Token Burn Mechanism Exploited
Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.
Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!
Fire Token is a smart contract without any known social media presence or website. The smart contract was implemented and exploited on October 1st, immediately after launch. This was due to an error in the burn mechanism of the smart contract. There were 9 ETH lost, with a value of $24k.[1][2][3][4][5]
About Fire Token
Fire Token is a smart contract without any known social media presence or website. It is unrelated to the firetoken.ca website. The smart contract address is 0x18775475f50557b96c63e8bbf7d75bfeb412082d.
The Reality
This sections is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.
| Date | Event | Description |
|---|---|---|
| October 1st, 2024 2:13:23 AM MDT | Ethereum Blockchain Transaction | Blockchain transaction exploiting on the ethereum blockchain. |
| October 1st, 2024 5:55:00 AM MDT | CertiK Alert Tweet Tweeted | CertiK posts a tweet about the vulnerability exploit. |
| October 7th, 2024 2:51:13 AM MDT | SolidityScan Analysis Published | SolidityScan publishes an analysis of the exploit. |
Technical Details
"The FireToken contract implemented a burning mechanism that removed tokens from the circulating supply during transfers. When tokens were transferred to the Uniswap liquidity pool, the `_transfer()` function reduced the pool’s balance by transferring a portion of the tokens to the `DEAD_ADDRESS` (burn address). Immediately after the transfer, the function called `sync()` to update the pool’s reserves."
"Whenever a transfer was made to the Uniswap pair, the `_transfer()` function burned some of the tokens, decreasing the number of FireTokens in the pool. According to Uniswap’s constant product formula (x * y = k), reducing the FireToken reserves in the pool (while keeping the ETH reserves constant) caused the perceived price of FireTokens to drop. The formula implies that as one asset’s reserve (FireToken) decreases, the other asset (ETH) appears more valuable, leading to a price discrepancy."
"The attacker exploited this by repeatedly transferring FireTokens to the Uniswap liquidity pool, artificially reducing the pool’s FireToken reserves with each transfer. After each burn, the attacker executed swaps, acquiring small amounts of ETH for a disproportionately large number of FireTokens, as the artificially low reserves made the price appear lower than it was."
"By continuously reducing the FireToken reserves through this burning and syncing process, the attacker manipulated the price multiple times, accumulating approximately $24,000 in profit shortly after the contract’s launch"
Total Amount Lost
The total amount lost has been estimated at $24,000 USD.
How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?
Immediate Reactions
"The Fire ($FIRE) token on Ethereum was exploited just 24 seconds after its launch, resulting in the theft of 9 ETH (approximately $24,000). The root cause was related to the token burn mechanism within the transfer() function."
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ SlowMist Hacked - SlowMist Zone (Accessed Nov 4, 2024)
- ↑ Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Nov 4, 2024)
- ↑ Fire Token Hack Analysis. Overview: | by Shashank | Oct, 2024 | SolidityScan (Accessed Nov 4, 2024)
- ↑ Fire (FIRE) Token Tracker | Etherscan (Accessed Nov 4, 2024)
- ↑ @CertiKAlert Twitter (Accessed Nov 4, 2024)