Standing on Bizness (BIZNESS) SplitLock Reentrancy Attack

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 12:29, 31 January 2025 by Azoundria.

(Image: Standing on Bizness homepage)

"Standing on Bizness" launched the $bizness token on the Base blockchain on November 20th, 2024, with a focus on building a community through its Telegram and Twitter channels. The token, introduced as the first tokenized belief coin from toshimart.xyz, gained attention through updates about its availability on Uniswap, along with the contract address and community-building messages. However, the project's smart contract contained a vulnerability in the "splitLock" function, which lacked a reentrancy check, allowing an attacker to exploit the system and withdraw more tokens than intended. This flaw led to a $16,000 loss, but the incident was not mentioned on their Twitter account, and promotions continued post-hack. Despite coverage of the hack by Nick L. Franklin and inclusion in the SlowMist list, the team has not publicly acknowledged the exploit.[1][2][3][4][5][6][7][8][9][10][11][12][13]

About Standing On Bizness

"Standing on Bizness" is a $bizness token launched on the Base blockchain on November 20th, 2024. To join the community, you can connect through their Telegram and X/Twitter channels. The contract address for $bizness is 0xF3a605573B93Fd22496f471A88AE45F35C1df5A7.

The Standing On Bizness (@SOB_base) Twitter account is focused on promoting its $bizness token, which launched as the first tokenized belief coin from the toshimart.xyz platform. Their Twitter activity includes sharing updates about the token's availability on Uniswap, contract address, and a link to their Telegram group. They emphasize a "mean what you say, say what you mean" motto and encourage users to be part of the community, branding themselves as "standing ten toes down" on their business.

The Reality

The smart contract lacked a reentrancy check in the "splitLock" function, allowing attackers to exploit it by withdrawing more tokens than intended before the locked amount was updated.

What Happened

BIZNESS on Base was hacked due to a reentrancy vulnerability in the "splitLock" function, resulting in a $16,000 loss.

Key Event Timeline - Standing on Bizness (BIZNESS) SplitLock Reentrancy Attack

Date | Event | Description
November 20th, 2024 8:44:41 AM MST | Token Launch On Base | The Standing On Bizness token is first launched on the Base blockchain.
December 26th, 2024 6:28:00 PM MST | This Cat Means Bizness | A promotion on Twitter of a cat opening blinds.
December 27th, 2024 7:42:55 PM MST | Base Exploit Transaction | The token is exploited via the reentrancy attack.
December 27th, 2024 9:08:00 PM MST | TenArmor Tweet Posted | TenArmor shares a tweet on their Twitter account about the exploit.
December 28th, 2024 2:53:00 PM MST | The Price Of Winning Post | A new promotion, to "[b]e an alpha Stand on $BIZNESS", with a video comparing "the price of winning" and "the bill from regret".
January 7th, 2025 6:30:00 PM MST | Nick L Franklin Analysis | Nick L Franklin publishes an analysis of the reentrancy exploit.

Technical Details

BIZNESS on Base was hacked due to a reentrancy vulnerability in the "splitLock" function of its Locker contract. The function calls "_feeHandler()" to send fees to the treasury and the remaining funds back to the user, but it has no reentrancy check. Because that transfer hands control to the caller before the lock amount is updated, an attacker can trigger the "withdrawLock()" function from inside the call and withdraw more tokens than intended. The total loss from the attack was approximately $16,000.

"The splitLock function in the Locker contract reduces the lock amount and creates a new lock after calling the _feeHandler function, which sends surplus ETH to msg.sender.

This creates an opportunity for reentrancy, allowing the attacker to call the withdrawLock function and withdraw tokens while simultaneously creating a new lock, due to the lock amount not being updated."
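The ordering described above and in the quoted analysis, sketched as an added Solidity example (hypothetical code, not the BIZNESS Locker contract's source): the function names splitLock, _feeHandler and withdrawLock and the call order follow the write-up; the storage layout, fee amount, signatures and the cached-amount detail are assumptions. The vulnerable ordering is shown beside a hardened version that updates state before the refund and guards both entry points.

```solidity
pragma solidity ^0.8.20;
// Hypothetical sketch, not the BIZNESS Locker's source: names and call order
// follow the write-up; layout, fee amount and signatures are assumptions.
interface IERC20 { function transfer(address to, uint256 amt) external returns (bool); }
contract LockerSketch {
    struct Lock { address owner; uint256 amount; uint256 unlockTime; }
    Lock[] public locks;
    IERC20 public immutable token;
    address payable public immutable treasury;
    uint256 public constant SPLIT_FEE = 0.01 ether;   // assumed fee
    bool private _entered;
    constructor(IERC20 t, address payable tr) { token = t; treasury = tr; }
    modifier nonReentrant() {
        require(!_entered, "reentrant call");
        _entered = true; _; _entered = false;
    }
    // Fee to the treasury, surplus ETH back to msg.sender. The refund is an
    // external call, so control passes to the caller at this point.
    function _feeHandler() internal {
        require(msg.value >= SPLIT_FEE, "fee");
        treasury.transfer(SPLIT_FEE);
        (bool ok, ) = msg.sender.call{value: msg.value - SPLIT_FEE}("");
        require(ok, "refund failed");
    }
    // VULNERABLE ordering as described above: the refund runs before the lock's
    // stored amount is written, so a withdrawLock(id) made during the refund
    // still sees the full amount and is overwritten afterwards (assumed detail).
    function splitLockVulnerable(uint256 id, uint256 part) external payable {
        Lock storage l = locks[id];
        require(l.owner == msg.sender && part < l.amount, "bad split");
        uint256 remaining = l.amount - part;
        _feeHandler();                                    // interaction first
        l.amount = remaining;                             // effect too late
        locks.push(Lock(msg.sender, part, l.unlockTime));
    }
    // HARDENED: checks, then effects, then the external call, under a guard.
    function splitLock(uint256 id, uint256 part) external payable nonReentrant {
        Lock storage l = locks[id];
        require(l.owner == msg.sender && part < l.amount, "bad split");
        l.amount -= part;
        locks.push(Lock(msg.sender, part, l.unlockTime));
        _feeHandler();                                    // interaction last
    }
    // The guard here does not protect splitLockVulnerable: that path never
    // sets _entered, so a nested withdrawLock call passes the check.
    function withdrawLock(uint256 id) external nonReentrant {
        Lock storage l = locks[id];
        require(l.owner == msg.sender && block.timestamp >= l.unlockTime, "locked");
        uint256 amt = l.amount; l.amount = 0;             // zero before transfer
        require(token.transfer(msg.sender, amt), "transfer failed");
    }
}
```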

Total Amount Lost

The hack resulted in a loss of approximately $16,000 worth of tokens due to the reentrancy vulnerability in the smart contract.

The total amount lost has been estimated at $16,000 USD.

Immediate Reactions

The hack was not mentioned on the Twitter/X account. Promotions continued the next day, including a post about being "an alpha Stand on $BIZNESS" with a video comparing "the price of winning" and "the bill from regret".

Ultimate Outcome

Some time later, the incident was covered by Nick L Franklin and included in the SlowMist list.

Total Amount Recovered

The team does not appear to have acknowledged any exploit.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

Developers need to implement proper reentrancy protections, such as updating contract state before making any external call and guarding state-changing functions against reentrant calls, to prevent similar exploits in the future.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References