Normie Smart Contract Tax Vulnerability

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Normie Logo/Homepage

Normies NFT is an NFT project with the goal of onboarding millions of ordinary people onto the Base blockchain. Unfortunately, the project's token contract had a vulnerability which allowed any address holding the same balance as the team's deployer wallet to exercise special elevated permissions. The hacker later offered to return 90% of the funds if the project agreed to relaunch and distribute funds to affected users.[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16]

About Normies

"ON A MISSION TO ONBOARD THE NEXT 1,000,000 $NORMIES TO BASE CHAIN."

"We are devoted to sharing our message to all the normies, and that's what the community expects from you, to help us transmit the message. May our vision be spread in a warm and human way, normie to normie."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - Normie Smart Contract Tax Vulnerability

| Date | Event | Description |
| --- | --- | --- |
| May 25th, 2024 9:41:53 PM MDT | Attack Transaction | The attack transaction as later analyzed by CertiK. |
| May 25th, 2024 11:48:00 PM MDT | Normies Tweet Posted | The Normies team posts a tweet update to highlight their commitment to use 500 ETH to make the situation right. |
| May 26th, 2024 1:56:15 AM MDT | Negotiation From Hacker | The exploiter reaches out on the blockchain to offer a 90% return of funds if the project will agree to relaunch and reimburse holders. |
| May 27th, 2024 1:33:00 AM MDT | CoinDesk Article | A CoinDesk article is published about the exploit. |
| May 27th, 2024 2:18:07 PM MDT | CryptoPotato Article | CryptoPotato reports on the attacker contacting the Normies team to negotiate a 90% return of funds if the project is guaranteed to relaunch. |

Technical Details

"According to community feedback, the Base ecosystem's meme coin NORMIE has been attacked. The attacker exploited a design flaw in the NORMIE token's cross-chain bridge, manipulating the price on the Base Chain using flash loans. Since transactions with NORMIE on the Base Chain incur taxes, these taxes are automatically directed to a wallet controlled by the project team. The attacker injected a large amount of funds into this wallet via flash loans, significantly diluting the token's supply and causing a flash crash in the price."

"The vulnerability here is that any address receiving the same number of tokens as the deployer’s balance is added as a premarket_user. Any address in this list triggers a mint of NORMIE tokens to the contract itself."

"The attacker began by swapping 171,955 NORMIE tokens for 2 WETH. Later, they swapped 5 million NORMIE. This amount corresponded with the balance of the deployer account. By swapping an amount of tokens equal to the balance of the deployer, the address of the attack contract was added to the _premarket_user list, which enabled further manipulation."

"Next, the attacker flash-loaned 11,333,141 NORMIE tokens and swapped 9,066,513 for 65.97 WETH. This exchange was part of a strategy to manipulate the token supply and consequently, value. Repeated transfers of 2,266,628 NORMIE were made to the pair, followed by calls to the skim() function to withdraw them."

"Since the attack contract was recognized as a premarket_user, the token contract added NORMIE tokens to its own address (address(this))."

"When the balance exceeds a threshold, the swapAndLiquify mechanism is triggered to sell 4.65 million newly minted NORMIE each time."

"Finally, the attacker swapped 0.5 WETH for approximately 11,040,494 NORMIE at a lower price, which enabled them to repay the flash loan of NORMIE tokens."
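The following Python model is an added illustration, not the NORMIE contract or any code from the project. It reproduces the two transfer paths the quotes above describe (promotion to premarket_user when a received amount equals the deployer's balance, and a mint to the contract on transfers from a premarket_user) beside a hardened variant in which privilege is granted only by an explicit deployer action and minting is bounded by the documented maximum supply, together with a supply-ratio check of the kind that surfaced the 214% figure. The address labels, balances and the one-for-one mint size are constructed assumptions.

```python
# Toy model of the privilege flaw quoted above: a transfer whose amount equals the
# deployer's balance promotes the receiver to premarket_user, and transfers from
# such an address mint tokens to the contract. Not the NORMIE source; all balances
# and the mint size (one token minted per token transferred) are constructed.
class TaxToken:
    def __init__(self, deployer, deployer_balance, pair_balance, hardened):
        self.deployer = deployer
        self.hardened = hardened
        self.balances = {deployer: deployer_balance, "pair": pair_balance}
        self.total_supply = deployer_balance + pair_balance
        self.max_supply = self.total_supply          # fully minted at launch
        self.premarket_users = set()                 # privileged addresses
        self.minted_to_self = 0                      # tokens minted to address(this)

    def set_premarket_user(self, caller, who):
        # Hardened form: privilege is granted only by an explicit deployer action,
        # never inferred from a value the counterparty can choose (the transfer amount).
        if caller != self.deployer:
            raise PermissionError("only the deployer may grant premarket status")
        self.premarket_users.add(who)

    def transfer(self, sender, to, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        if not self.hardened and amount == self.balances[self.deployer]:
            self.premarket_users.add(to)             # the flaw: equality as proof of privilege
        if sender in self.premarket_users:
            self._mint_to_self(amount)

    def _mint_to_self(self, amount):
        # Hardened form also enforces the documented maximum supply.
        if self.hardened and self.total_supply + amount > self.max_supply:
            raise ValueError("mint would exceed max supply")
        self.total_supply += amount
        self.balances["token_contract"] = self.balances.get("token_contract", 0) + amount
        self.minted_to_self += amount

    def supply_ratio(self):
        # Detection metric: total supply as a fraction of the theoretical maximum (1.0 = healthy).
        return self.total_supply / self.max_supply


def run_scenario(hardened):
    token = TaxToken("deployer", 5_000_000, 5_000_000, hardened)
    token.transfer("pair", "attacker", 5_000_000)    # amount == deployer balance
    for _ in range(2):                                # repeated transfers back to the pair
        token.transfer("attacker", "pair", 2_266_628)
    return token
```

Running the same sequence against both variants shows the vulnerable token promoting the receiver and inflating supply past its maximum, while the hardened token neither promotes nor mints.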

Total Amount Lost

SlowMist reports $490k.

The total amount lost has been estimated at $490,000 USD.

Immediate Reactions

"PANews reported on May 26 that according to community user feedback, the price of NORMIE, the Meme coin of the Base ecosystem, plummeted by 87.3% due to a flash loan attack and is now reported at $0.005. The attacker took advantage of the design flaws of the NORMIE token cross-chain bridge to manipulate the price on the Base Chain through flash loans. Since NORMIE transactions on the Base Chain will be taxed, the tax will automatically go to the wallet controlled by the project party. The attacker injected a large amount of funds into the wallet through flash loans, thereby greatly diluting the token supply and causing the price to crash. Some users said that NORMIE has a vulnerability that allows attackers to mint new tokens. The total supply has now reached 214% of the theoretical maximum supply.

At present, the NORMIE team said that there are more than 500 ETH in its deployment wallet, which will be used to solve this problem. The team is actively contacting key partners to seek solutions and calls on users not to buy NORMIE tokens until further confirmation. The NORMIE team said that they are still deciding whether to restart or fork the project and will provide more updates as soon as possible."

Ultimate Outcome

"In an on-chain message to Normie’s deployer address on May 26, the hacker offered to return 90% of the stolen NORMIE tokens, stipulating that the remaining 10% be kept as a bug bounty with no reprisals.

The hacker also demanded that the stolen funds, along with the 600 ETH worth approximately $3,900 in the team’s dev wallet, be used to launch a new token to reimburse NORMIE holders.

“We will have to re-launch, yes,” stated Normie’s team via a newly established X account following the suspension of their main one. “That will come after we get our main Twitter account back and after we get the funds from the exploiter,” Normie added. However, the temporary account was also suspended shortly after that.

Meanwhile, the hacker wouldn’t compromise on their strict terms, insisting that a token relaunch must precede the return of funds. “The dev wallet made significantly more than I did during this exploit, and I have no other way to ensure that those funds are used appropriately,” they stated in another on-chain message."

A bounty of $49,000 USD was paid for the discovery.

Total Amount Recovered

The total amount recovered has been estimated at $441,000 USD.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References