Sorra Contract Flawed Reward Logic Exploited

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Sorra.io Logo/Homepage [1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18][19][20][21][22][23][24][25][26][27][28]

About Sorra

Sorra is a decentralized platform transforming the future of hospitality and real estate investment. It offers a seamless ecosystem for both travelers and hosts, allowing property owners to earn rewards by listing properties, while guests benefit from affordable stays and earn $SOR tokens. Sorra features smart contracts to automate rental agreements, bookings, and payouts, and hosts can stake $SOR for passive income. The platform also introduces Sorra Estates, enabling fractional real estate ownership through tokenization. With plans for further expansion, Sorra aims to revolutionize short-term rentals and property investment.

The Reality

The getPendingRewards() function in the Sorra smart contract failed to track and deduct previously distributed rewards, enabling repeated withdrawals of the same rewards.

What Happened

"Sorra was suspected to have been attacked on ETH, resulting in an approximate loss of $43K."

Key Event Timeline - Sorra Contract Flawed Reward Logic Exploited

Date: January 4th, 2025 4:59:23 AM MST
Event: Sorra Contract Exploited
Description: The Sorra smart contract is exploited.

Technical Details

The getPendingRewards() function in the Sorra smart contract did not deduct rewards that had already been distributed, so the same pending rewards could be withdrawn repeatedly.

The attacker, who had deposited 122,868 SOR tokens on December 21, 2024, took advantage of this flaw, draining a total of 3,071,721 SOR tokens and making an approximate profit of $41,000.

The exploit unfolded when the attacker, after the 14-day lockup period, initiated the withdraw() function on January 4, 2025. This function was designed to handle the withdrawal of staked tokens along with any pending rewards. However, due to the flaw, the system did not update the rewards balance correctly, enabling the attacker to call the withdraw() function multiple times with minimal token amounts. As a result, the attacker managed to drain the tokens and convert them into profits.

The root cause of this exploit was the failure of the getPendingRewards() function to account for the userRewardsDistributed[_msgSender()] value. This oversight allowed rewards to be double-counted and withdrawn multiple times.
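To make the accounting flaw concrete, the following is an added Python model of a staking contract with a 14-day lockup; it is not Sorra's contract code. The reward rate (an assumed 1% of stake per day), the user name and the 1-token withdrawals are constructed; the 122,868-token deposit is the figure from this case. With deduct_distributed=False the model reproduces the described behaviour, getPendingRewards() ignoring userRewardsDistributed, and with deduct_distributed=True it subtracts that value. The overpayment() helper is the kind of invariant check a monitor could run over withdrawal events to flag rewards paid beyond what a stake could have earned.

```python
from dataclasses import dataclass, field

LOCKUP_DAYS = 14         # 14-day lockup, as described in this case
RATE_BPS_PER_DAY = 100   # assumed reward rate: 1% of stake per day (constructed)


@dataclass
class Stake:
    amount: int          # tokens currently staked
    deposited_day: int   # day of the original deposit


@dataclass
class StakingModel:
    """Toy model of a staking contract's reward accounting (constructed, not Sorra's code).

    deduct_distributed=False reproduces the flaw: getPendingRewards() ignores
    what has already been paid out. deduct_distributed=True is the corrected logic.
    """
    deduct_distributed: bool
    stakes: dict = field(default_factory=dict)
    rewards_distributed: dict = field(default_factory=dict)  # plays the role of userRewardsDistributed
    total_rewards_paid: int = 0

    def deposit(self, user: str, amount: int, day: int) -> None:
        self.stakes[user] = Stake(amount, day)

    def gross_rewards(self, user: str, day: int) -> int:
        """Rewards accrued on the current stake since deposit, before any deduction."""
        stake = self.stakes[user]
        days = day - stake.deposited_day
        return stake.amount * days * RATE_BPS_PER_DAY // 10_000

    def get_pending_rewards(self, user: str, day: int) -> int:
        gross = self.gross_rewards(user, day)
        if not self.deduct_distributed:
            return gross  # flaw: rewards already distributed are counted again
        # fix: subtract what was already paid; clamp so rounding cannot turn it negative
        return max(0, gross - self.rewards_distributed.get(user, 0))

    def withdraw(self, user: str, amount: int, day: int) -> int:
        """Return staked tokens plus pending rewards, recording what was distributed."""
        stake = self.stakes[user]
        if day < stake.deposited_day + LOCKUP_DAYS:
            raise ValueError("stake is still locked")
        if amount > stake.amount:
            raise ValueError("insufficient stake")
        pending = self.get_pending_rewards(user, day)
        self.rewards_distributed[user] = self.rewards_distributed.get(user, 0) + pending
        stake.amount -= amount
        self.total_rewards_paid += pending
        return amount + pending


def overpayment(model: StakingModel, user: str, day: int) -> int:
    """Rewards paid beyond what the stake could have earned; a positive value signals double-counting."""
    return model.rewards_distributed.get(user, 0) - model.gross_rewards(user, day)


def run_scenario(deduct_distributed: bool, withdrawals: int = 3) -> dict:
    """Deposit on day 0, then make several 1-token withdrawals once the lockup has passed."""
    model = StakingModel(deduct_distributed=deduct_distributed)
    model.deposit("staker", 122_868, day=0)  # deposit size taken from the case
    payouts = [model.withdraw("staker", 1, day=LOCKUP_DAYS) for _ in range(withdrawals)]
    return {
        "payouts": payouts,
        "total_rewards_paid": model.total_rewards_paid,
        "overpayment": overpayment(model, "staker", LOCKUP_DAYS),
    }


if __name__ == "__main__":
    print("flawed:", run_scenario(deduct_distributed=False))
    print("fixed: ", run_scenario(deduct_distributed=True))
```

In the flawed configuration every 1-token withdrawal pays the full accrued reward again, so three calls pay three times what the stake earned and overpayment() is positive; in the fixed configuration the first call pays the reward and later calls pay only the withdrawn token. The max(0, ...) clamp matters because the gross figure is recomputed on the reduced stake and integer rounding could otherwise make the difference negative.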

Total Amount Lost

Loss estimates have ranged between $41k and $43k.

The total amount lost has been estimated at $43,000 USD.

Ultimate Outcome

Sorra appears to have deleted their website and social media following the exploit.

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. Ethereum Transaction Hash (Txhash) Details | Etherscan (Accessed Feb 7, 2025)
  2. https://www.coingecko.com/en/coins/sorra (Accessed Feb 7, 2025)
  3. Sorra (Accessed Feb 7, 2025)
  4. Sorra (Accessed Feb 7, 2025)
  5. Sorra (Accessed Feb 7, 2025)
  6. https://www.sorra.io/lander (Accessed Feb 7, 2025)
  7. Cryptocurrency Prices, Charts & Crypto Market Cap - CoinCheckup (Accessed Feb 7, 2025)
  8. https://www.coingecko.com/en/coins/sorra/usd (Accessed Feb 7, 2025)
  9. Sorra Finance Staking Exploit 41 000 Drained In Flawed Reward Logic (Accessed Feb 7, 2025)
  10. Cryptocurrency Monthly Report: In January, the security loss of funds was about 98 million US dollars, a significant decrease both year-on-year and month-on-month - PANews (Accessed Feb 7, 2025)
  11. Web3 Hacks Database: Major Hacks & Scams Analyzed (Accessed Feb 7, 2025)
  12. https://www.theblock.co/post/337976/january-2025-crypto-hacks (Accessed Feb 7, 2025)
  13. Sorrastaking Hack Analysis (Accessed Feb 7, 2025)
  14. @sorra_io Twitter (Accessed Feb 7, 2025)
  15. @TenArmorAlert Twitter (Accessed Feb 7, 2025)
  16. @TikkalaResearch Twitter (Accessed Feb 7, 2025)
  17. @Orbler1 Twitter (Accessed Feb 7, 2025)
  18. @CoincreateTeam Twitter (Accessed Feb 7, 2025)
  19. @KukayaLabs Twitter (Accessed Feb 7, 2025)
  20. @KukayaLabs Twitter (Accessed Feb 7, 2025)
  21. @Ellioticianist Twitter (Accessed Feb 7, 2025)
  22. @KukayaLabs Twitter (Accessed Feb 7, 2025)
  23. @Tomtalkofficial Twitter (Accessed Feb 7, 2025)
  24. @TryRingAI Twitter (Accessed Feb 7, 2025)
  25. @Maaziemeka Twitter (Accessed Feb 7, 2025)
  26. @Mar_Ko369 Twitter (Accessed Feb 7, 2025)
  27. @Ellioticianist Twitter (Accessed Feb 7, 2025)
  28. @_AlesandroD1st Twitter (Accessed Feb 7, 2025)