Mosca Exit Program Double Withdrawal Exploit 1
The Mosca contract, launched on the Binance Smart Chain (BSC) on January 4th, is a decentralized subscription and referral system that supports multiple tokens, including USDT, USDC, and a native Mosca token. It offers two subscription tiers, Standard and Enterprise, with higher rewards for enterprise users. However, a flaw in the exitProgram() function allowed attackers to exploit improper state updates, enabling double withdrawals. The bug left user.balanceUSDT and user.balanceUSDC unchanged after withdrawals, allowing attackers to manipulate balances and withdraw larger amounts. This vulnerability was exploited by UniLend Exploiter 2, resulting in reported losses of $19.5k.[1][2][3][4][5][6][7][8][9][10][11]
About Mosca
The Mosca contract appears to be a decentralized subscription and referral-based system deployed on the Binance Smart Chain (BSC) starting January 4th. It supports multiple tokens, including USDT, USDC, and a native Mosca token. The contract enables users to join a subscription program, participate in a multi-level referral system, and earn rewards based on network activity. It offers two subscription tiers: Standard and Enterprise, with higher rewards and benefits for enterprise users.
The Reality
This section is included if a case involved deception or information that was unknown at the time. Examples include:
- When the service was actually started (if different than the "official story").
- Who actually ran a service and their own personal history.
- How the service was structured behind the scenes. (For example, there was no "trading bot".)
- Details of what audits reported and how vulnerabilities were missed during auditing.
What Happened
"Mosca was reportedly attacked on BSC, resulting in an approximate loss of $19,500."
| Date | Event | Description |
|---|---|---|
| January 4th, 2025 1:41:11 PM MST | Mosca Smart Contract Launch | The Mosca smart contract is first launched on BSC. |
| January 5th, 2025 10:22:49 PM MST | Theft Transaction On BSC | The first exploit transaction occurs on the Binance Smart Chain. |
| January 5th, 2025 10:44:00 PM MST | TenArmorAlert Posts About Exploit | TenArmorAlert posts about the exploit, along with details of the root cause. "Root cause appears to be in the exitProgram() call, the user.balanceUSDT & user.balanceUSDC are not reset correctly, enabling double withdrawal." |
| January 5th, 2025 11:40:00 PM MST | SlowMist Reports On Incident | SlowMist reports on the incident. |
| January 7th, 2025 6:10:00 AM MST | Tweet Post By @lmanualm | Twitter/X user @lmanualm reports "[p]otential suspicious activity". |
| January 7th, 2025 9:42:00 AM MST | 0xCommitAudits Post Made | 0xCommitAudits makes a post that appears to summarize only that a high-level exploit occurred. |
| January 12th, 2025 6:52:21 PM MST | Verichain Publishes Blog Post | Verichain publishes a detailed breakdown of the exploit. |
| January 12th, 2025 11:00:03 PM MST | Second BSC Theft Transaction | The vulnerability is exploited a second time in the Mosca smart contract. |
| January 13th, 2025 12:04:00 AM MST | TenArmor Posts Second Attack | TenArmor posts about a second attack, including additional detail on the cause. |
| January 14th, 2025 7:17:53 AM MST | Substack Vestra Article | Olympix publishes a description of the first exploit with additional details. |
| January 23rd, 2025 12:15:12 AM MST | MaanVader Article Published | MaanVader publishes a Medium article with even more details of the exploit. |
Technical Details
"Improper state updates in the exitProgram() function allowed attackers to manipulate balances."
"Root cause appears to be in the exitProgram() call, the user.balanceUSDT & user.balanceUSDC are not reset correctly, enabling double withdrawal."
"The join() function in the Mosca contract appears to have a logic flaw, incorrectly adding a diff to the deposited amount. A strange logic!
This flaw enabled the attacker to acquire an unusually large user.balance."
"The root cause of the exploit was improper state updates in the exitProgram function. The withdrawAll() function calculated the withdrawal amount as the sum of user.balance, user.balanceUSDT, and user.balanceUSDC. However, only user.balance was reset to zero after the withdrawal, leaving user.balanceUSDT and user.balanceUSDC unchanged. The attacker manipulated this flaw by first calling the buy() function to increase their user.balanceUSDC. Next, they used the join() function to add their address to the rewardQueue. Finally, they withdrew funds using the exitProgram() function, leveraging the incomplete state reset."
This attack appears to have been carried out by UniLend Exploiter 2.
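The accounting flaw quoted above, as an added illustration rather than Mosca's own source: a payout is computed from three struct fields, but only one of them is zeroed, so the record stays claimable after the withdrawal. The struct field names and exitProgram() follow the page; the single settlement token, the depositUSDC() function and the owed() helper are assumptions made for the example. The hardened contract resets every field that fed the payout before the external transfer and checks the invariant afterwards.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Mosca's code. Field names follow the page; the single
// settlement token, depositUSDC() and owed() are assumptions for illustration.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

abstract contract ExitBase {
    struct User {
        uint256 balance;      // reward balance credited by the program
        uint256 balanceUSDT;  // deposits denominated in USDT
        uint256 balanceUSDC;  // deposits denominated in USDC
    }

    mapping(address => User) internal users;
    IERC20 public immutable token; // assumption: one token settles all payouts

    constructor(IERC20 _token) {
        token = _token;
    }

    // Assumption: a deposit credits the per-token field, as buy() did on the page.
    function depositUSDC(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        users[msg.sender].balanceUSDC += amount;
    }

    // Everything exitProgram() would pay out for `who`. After a correct exit this
    // must be zero; that is the invariant a unit test should assert on.
    function owed(address who) public view returns (uint256) {
        User storage u = users[who];
        return u.balance + u.balanceUSDT + u.balanceUSDC;
    }

    function exitProgram() external virtual;
}

// Reproduces the flaw the page describes: the payout sums three fields but
// only `balance` is cleared, so balanceUSDT and balanceUSDC remain claimable.
contract VulnerableExit is ExitBase {
    constructor(IERC20 _token) ExitBase(_token) {}

    function exitProgram() external override {
        User storage u = users[msg.sender];
        uint256 total = u.balance + u.balanceUSDT + u.balanceUSDC;
        u.balance = 0; // balanceUSDT and balanceUSDC survive the withdrawal
        require(token.transfer(msg.sender, total), "transfer failed");
    }
}

// Hardened version: the whole record is wiped as one unit before the external
// call (checks-effects-interactions), and the post-condition is asserted.
contract FixedExit is ExitBase {
    constructor(IERC20 _token) ExitBase(_token) {}

    function exitProgram() external override {
        uint256 total = owed(msg.sender);
        require(total > 0, "nothing to withdraw");
        delete users[msg.sender]; // zeroes balance, balanceUSDT and balanceUSDC together
        require(token.transfer(msg.sender, total), "transfer failed");
        assert(owed(msg.sender) == 0); // invariant: nothing remains claimable
    }
}
```

A Foundry or Hardhat test for this pattern deposits once, calls exitProgram() twice and asserts that owed() is zero and the second call reverts; against VulnerableExit that test fails, which is the check that would have flagged the bug before deployment. Using delete on the struct rather than zeroing fields one by one also means a field added later cannot be forgotten in the reset.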
Total Amount Lost
Losses here are widely reported as $19.5k.
The total amount lost has been estimated at $20,000 USD.
Immediate Reactions
How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?
Ultimate Outcome
What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?
Total Amount Recovered
There do not appear to have been any funds recovered in this case.
What funds were recovered? What funds were reimbursed for those affected users?
Ongoing Developments
What parts of this case are still remaining to be concluded?
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- ↑ @0xCommitAudits Twitter (Accessed Feb 11, 2025)
- ↑ @Olympix_ai Twitter (Accessed Feb 11, 2025)
- ↑ @lmanualm Twitter (Accessed Feb 11, 2025)
- ↑ BNB Smart Chain Transaction Hash (Txhash) Details | BscScan (Accessed Feb 11, 2025)
- ↑ @bennytope00 Twitter (Accessed Feb 11, 2025)
- ↑ Mosca Smart Contract Launch (Accessed Feb 11, 2025)
- ↑ @SlowMist_Team Twitter (Accessed Feb 11, 2025)
- ↑ @TenArmorAlert Twitter (Accessed Feb 11, 2025)
- ↑ Vestra Targeted in $500K Hack - Olympix Newsletter (Accessed Feb 11, 2025)
- ↑ Mosca Hack Analysis $19.5K Stolen | by MaanVader | Jan, 2025 | Medium (Accessed Feb 11, 2025)
- ↑ Mosca Hack Analysis - by LCD - Verichains (Accessed Feb 11, 2025)