The Poolz project suffered an arithmetic overflow attack, resulting in a loss of $665,000 in crypto assets.


The Poolz project suffered an attack due to an arithmetic overflow vulnerability, resulting in a loss of approximately $665,000.

Recently, an attack on the Poolz project has drawn widespread attention from the cryptocurrency community. According to on-chain monitoring data, the attack occurred on March 15, 2023, involving the Ethereum, BNB Chain, and Polygon networks. The attacker exploited an arithmetic overflow vulnerability in the smart contract, successfully stealing a large amount of tokens, with a total value of approximately $665,000.

Poolz was attacked due to an arithmetic overflow issue, resulting in a loss of approximately $665K!

Attack Details

The attacker implemented this attack through the following steps:

  1. First, a certain amount of MNZ tokens was exchanged on a decentralized exchange.

  2. Subsequently, the CreateMassPools function in the Poolz contract was called. This function was supposed to allow users to create liquidity pools in bulk and provide initial liquidity, but there is a serious vulnerability in it.

  3. The issue lies in the getArraySum function. This function is used to calculate the initial liquidity amount provided by the user, but it fails to properly handle integer overflow situations.

  4. The attacker carefully constructed the input so that the values in the _StartAmount array summed to more than the maximum value of uint256. The accumulation wrapped around, and the function's final return value was 1.

  5. Since the contract uses the original value of _StartAmount when recording the pool attributes, rather than the actual number of tokens transferred in, an attacker only needs to transfer 1 token to create a pool with liquidity far exceeding the actual amount.

  6. Finally, the attacker completed the entire attack process by calling the withdraw function to extract a large amount of unauthorized tokens.


Stolen Assets

This attack resulted in losses for multiple tokens, including but not limited to:

  • 2,805,805 MEE
  • 525,134 ESNC
  • 774,997 DON
  • 2,007,504,238 ASW
  • 6,510,689 KMON
  • 2,521,065 POOLZ
  • 35,976,107 DCD
  • 760,845 PORTX

The attacker has exchanged some of the stolen tokens for BNB, but as of the time of reporting, these funds have not yet been transferred out of the attacker's address.


Prevention Suggestions

To prevent similar arithmetic overflow vulnerabilities, experts recommend taking the following measures:

  1. Use a newer version of the Solidity compiler, which automatically inserts overflow checks into the compiled code.

  2. For projects using older versions of Solidity, it is recommended to introduce OpenZeppelin's SafeMath library to handle integer operations, thereby avoiding overflow issues.

  3. Conduct a comprehensive code audit, with particular attention to the parts involving large number calculations.

  4. Implement strict input validation to ensure that the parameters provided by users are within a reasonable range.

  5. Consider adding security mechanisms such as multi-signature or time locks in key operations.
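The following is an added example (not Poolz's code) that models both the attack mechanism described under Attack Details and the first, second and fourth prevention measures above. It uses Python integers masked to 256 bits to reproduce the wrap-around of an unchecked getArraySum, shows how a pool ledger that records caller-supplied amounts rather than transferred amounts ends up promising far more than it holds, and contrasts this with a checked sum plus input validation. The class and function names, the constructed attacker input and the balance figures are all assumptions made for the illustration.

```python
UINT256_MAX = 2**256 - 1


def _as_uint256(x):
    """Reject anything that is not representable as a Solidity uint256."""
    if not isinstance(x, int) or not 0 <= x <= UINT256_MAX:
        raise ValueError("value is not a uint256")
    return x


def get_array_sum_unchecked(amounts):
    """Accumulate like a pre-0.8 Solidity loop: the sum wraps modulo 2**256."""
    total = 0
    for a in amounts:
        total = (total + _as_uint256(a)) & UINT256_MAX
    return total


def get_array_sum_checked(amounts):
    """Accumulate with Solidity >=0.8 / SafeMath semantics: revert on overflow."""
    total = 0
    for a in amounts:
        total += _as_uint256(a)
        if total > UINT256_MAX:
            raise OverflowError("SafeMath: addition overflow")
    return total


class PoolLedger:
    """Toy model (assumption) of the pool bookkeeping: token balance and per-pool liquidity."""

    def __init__(self, contract_balance=0):
        self.contract_balance = contract_balance  # tokens the contract actually holds
        self.pools = []                            # liquidity recorded for each pool

    def create_mass_pools_vulnerable(self, caller_balance, start_amounts):
        # The amount pulled from the caller is the (wrapped) sum ...
        transferred = get_array_sum_unchecked(start_amounts)
        if transferred > caller_balance:
            raise ValueError("insufficient balance")
        self.contract_balance += transferred
        # ... but every pool is recorded with the caller-supplied value.
        self.pools.extend(start_amounts)
        return transferred

    def create_mass_pools_fixed(self, caller_balance, start_amounts, max_per_pool=UINT256_MAX):
        # Input validation first: reject out-of-range entries before any arithmetic.
        for a in start_amounts:
            if _as_uint256(a) > max_per_pool:
                raise ValueError("start amount exceeds allowed maximum")
        transferred = get_array_sum_checked(start_amounts)  # reverts on overflow
        if transferred > caller_balance:
            raise ValueError("insufficient balance")
        # Invariant: liquidity recorded must equal what was actually transferred in.
        if sum(start_amounts) != transferred:
            raise RuntimeError("recorded liquidity does not match transferred amount")
        self.contract_balance += transferred
        self.pools.extend(start_amounts)
        return transferred

    def recorded_liquidity(self):
        return sum(self.pools)

    def shortfall(self):
        """Tokens the ledger promises beyond what the contract really holds."""
        return self.recorded_liquidity() - self.contract_balance


# Constructed attacker input: the true sum is 2**256 + 1, which wraps to 1.
ATTACK_INPUT = [UINT256_MAX, 2]


def demo():
    """Run the same input against both ledgers; returns (tokens paid, shortfall, blocked)."""
    vulnerable = PoolLedger(contract_balance=1_000_000)  # honest deposits already held
    paid = vulnerable.create_mass_pools_vulnerable(caller_balance=1, start_amounts=ATTACK_INPUT)
    fixed = PoolLedger(contract_balance=1_000_000)
    try:
        fixed.create_mass_pools_fixed(caller_balance=1, start_amounts=ATTACK_INPUT)
        blocked = False
    except OverflowError:
        blocked = True
    return paid, vulnerable.shortfall(), blocked


if __name__ == "__main__":
    paid, short, blocked = demo()
    print(f"attacker paid {paid} token(s); ledger shortfall {short}; fixed version blocked: {blocked}")
```

With the vulnerable ledger the caller pays a single token and the ledger now owes roughly 2**256 tokens it does not hold, which is exactly what the withdraw call later drains. In the fixed version the checked sum reverts before any state changes. One caveat for audits of Solidity 0.8+ code: checked arithmetic is the default, but an `unchecked { ... }` block turns it off again, so accumulation loops over user-supplied arrays inside such blocks deserve the same scrutiny as pre-0.8 code.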

This incident once again highlights the importance of smart contract security, reminding developers and project teams to remain vigilant and continuously improve code security. At the same time, it also reminds users to be especially cautious when interacting with decentralized finance projects, particularly when participating in newly launched or inadequately audited projects.

Comments

GateUser-a5fa8bd0 · 07-23 01:44
The contract is in trouble again, tsk tsk.

SellTheBounce · 07-20 10:40
Another sucker drops to zero, the familiar plot.

DataBartender · 07-20 02:14
A word from you, a cup of tea.

GasFeeCrying · 07-20 02:13
Another dark history has slipped away.

LazyDevMiner · 07-20 02:13
Another case of zero overflow warning.

DEXRobinHood · 07-20 02:13
Who is the next family after the dark one?

SandwichVictim · 07-20 02:08
Another project that played people for suckers has slipped away.

ClassicDumpster · 07-20 02:05
Here comes another one looking for death.