Full Report
The Ocean Life token on BSC was hacked. Ocean Life is a deflationary token, meaning that over time its supply shrinks. Why? With less supply comes more demand. For more on deflationary tokens, read "Understanding Deflationary Tokens and Their Benefits".

In a normal token the balanceOf mapping is straightforward. In a deflationary token it is dynamic, calculated from the current supply. How does the removal of tokens happen? The function _reflectFee() takes a small fee every time transfer() is called, sending it to charity and a few other places. The fee is subtracted from the totalSupply() variable _tTotal, and internal accounting tracks the amount now owned by each holder.

Control over totalSupply or balanceOf is generally a bad idea. Why? Many places calculate the price of a token from the amount of tokens available or the amount of tokens in a pool. By being able to burn() an arbitrary amount of tokens, we can manipulate the price of funds in a pool. Or can we? The deflationary token developers anticipated this problem for AMMs: there is a denylist of addresses that are given their true balance instead of the dynamic balance.

So how did this go wrong? The vulnerability in this contract isn't the dynamic supply... the PancakeSwap pool was NOT included in the denylist of addresses. This means that the theorized attack, manipulating the supply of Ocean Life tokens by making them more scarce, is possible. This was misreported in a few places.

In this attack, the attacker did a few things:

1. Took out a large flash loan to get OLIFE tokens.
2. Swapped with themselves continuously, in order to force a large burn/destruction of tokens.
3. Called sync() on PancakeSwap to update the price in the pool.
4. Swapped OLIFE tokens for BNB at the inflated rate to get much more BNB than should be possible.

Overall, a super interesting vulnerability that is simply a configuration problem.
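To make the configuration point concrete, here is an added example (my own code, not OLIFE's contract or anything from the report) that models a token whose non-excluded balances are derived from a shrinking supply, next to a constant-product pool with a Uniswap-V2 style sync(). The accounting is a deliberate simplification: every transfer burns a fee out of the shared "dynamic" supply, so each non-excluded holder loses a pro-rata slice, while excluded accounts keep a fixed true balance. Account names, the 5% fee, the supply figures and the 100 BNB reserve are constructed. The same run covers the recommendation to audit exclusion lists: `audit_exclusions()` reports which pair addresses are still on the dynamic side.

```python
"""Simplified model: dynamic-balance deflationary token beside an AMM pool.
Added example, not OLIFE's contract. Assumptions: 5% fee burned from the
dynamic supply on every transfer; share-based balances for non-excluded
holders; sync() resets the pool reserve to the pair's reported balance."""

from dataclasses import dataclass, field
from fractions import Fraction

PAIR, ALICE, BOB = "pair", "alice", "bob"   # constructed account labels


@dataclass
class DynamicSupplyToken:
    """Non-excluded accounts own shares of `incl_supply`; their balance is
    shares * incl_supply / total_shares, so every burn shrinks it. Excluded
    accounts (the report's 'denylist') keep a fixed true balance instead."""
    fee_bps: int = 500                        # 5% per transfer (assumed)
    incl_supply: Fraction = Fraction(0)
    total_shares: Fraction = Fraction(0)
    shares: dict = field(default_factory=dict)
    true_bal: dict = field(default_factory=dict)
    excluded: set = field(default_factory=set)

    def balance_of(self, acct):
        if acct in self.excluded:
            return self.true_bal[acct]
        if self.total_shares == 0:
            return Fraction(0)
        return self.shares.get(acct, Fraction(0)) * self.incl_supply / self.total_shares

    def exclude(self, acct):
        """Snapshot the dynamic balance as a fixed one (like excludeFromReward)."""
        bal = self.balance_of(acct)
        if acct in self.shares:
            self.total_shares -= self.shares.pop(acct)
            self.incl_supply -= bal
        self.excluded.add(acct)
        self.true_bal[acct] = bal

    def _debit(self, acct, amount):
        if acct in self.excluded:
            self.true_bal[acct] -= amount
            return
        sh = amount * self.total_shares / self.incl_supply
        self.shares[acct] -= sh
        self.total_shares -= sh
        self.incl_supply -= amount

    def _credit(self, acct, amount):
        if acct in self.excluded:
            self.true_bal[acct] = self.true_bal.get(acct, Fraction(0)) + amount
            return
        sh = amount if self.total_shares == 0 else amount * self.total_shares / self.incl_supply
        self.shares[acct] = self.shares.get(acct, Fraction(0)) + sh
        self.total_shares += sh
        self.incl_supply += amount

    def mint(self, acct, amount):
        self._credit(acct, Fraction(amount))

    def transfer(self, sender, recipient, amount):
        amount = Fraction(amount)
        if amount <= 0 or self.balance_of(sender) < amount:
            raise ValueError("invalid amount or insufficient balance")
        fee = amount * self.fee_bps / 10_000
        net = amount - fee
        self._debit(sender, net)
        self._credit(recipient, net)
        # Simplified _reflectFee(): the fee is burned out of the dynamic supply,
        # so every non-excluded holder (a non-excluded pool included) loses a
        # pro-rata slice. Excluded balances never move.
        if self.total_shares > 0:
            self.incl_supply -= fee


@dataclass
class ConstantProductPool:
    token: DynamicSupplyToken
    reserve_token: Fraction
    reserve_bnb: Fraction

    def sync(self):
        """Uniswap-V2 style sync(): reserves are reset to the pair's balances."""
        self.reserve_token = self.token.balance_of(PAIR)

    def price_bnb_per_token(self):
        return self.reserve_bnb / self.reserve_token


def simulate(exclude_pair, transfers=50):
    """Run fee-burning transfers between two wallets that never trade with the
    pool, then sync() and report the pool's token reserve and price."""
    token = DynamicSupplyToken()
    token.mint(ALICE, 1_000_000)       # constructed circulating supply
    token.mint(PAIR, 100_000)          # constructed liquidity in the pair
    if exclude_pair:
        token.exclude(PAIR)
    pool = ConstantProductPool(token, token.balance_of(PAIR), Fraction(100))
    price_before = pool.price_bnb_per_token()
    for _ in range(transfers):
        token.transfer(ALICE, BOB, 10_000)
    pool.sync()
    return {"pair_balance": float(pool.reserve_token),
            "price_before": float(price_before),
            "price_after": float(pool.price_bnb_per_token())}


def audit_exclusions(token, pair_addresses):
    """Deployment check: which AMM pairs still carry a dynamic balance?"""
    return [p for p in pair_addresses if p not in token.excluded]


if __name__ == "__main__":
    for flag in (False, True):
        print("pair excluded:", flag, simulate(flag))
```

With the pair left on the dynamic side, fifty transfers that never touch the pool still lower the pair's reported balance, and a single permissionless sync() moves the price up by the same ratio (about 2.3% here); with the pair excluded, the reserve and price do not change at all. The audit helper is the pre-launch check that would have caught the missing entry.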
Analysis Summary
# Incident Report: Ocean Life (OLIFE) Supply Manipulation Exploit
## Executive Summary
The Ocean Life (OLIFE) token on the Binance Smart Chain (BSC) was exploited via a price manipulation attack stemming from a misconfigured deflationary mechanism. By leveraging flash loans and high-frequency self-swapping, the attacker artificially reduced the token supply in the PancakeSwap pool, leading to a 32 BNB loss and a 100% drop in token value.
## Incident Details
- **Discovery Date:** April 19, 2023
- **Incident Date:** April 19, 2023
- **Affected Organization:** Ocean Life (OLIFE)
- **Sector:** Decentralized Finance (DeFi)
- **Geography:** Global / Decentralized
## Timeline of Events
### Initial Access
- **Date/Time:** April 19, 2023
- **Vector:** Flash Loan and Smart Contract Vulnerability Exploitation.
- **Details:** The attacker utilized a flash loan to acquire a large quantity of OLIFE tokens to initiate the manipulation process.
### Exploitation (Supply Manipulation)
- **Continuous Swapping:** The attacker executed a series of automated "self-swaps." Because OLIFE is a deflationary token that burns a portion of each transaction via `_reflectFee()`, these rapid transfers forced a massive reduction in the global `totalSupply`.
- **Protocol Misconfiguration:** Critically, the PancakeSwap pair address was not included in the "denylist" (the exclusion list, `isExcluded` in the contract, of addresses exempt from dynamic balance calculations). As a result, the pool's reported token balance fell along with the supply as tokens were burned.
### Data Exfiltration/Impact
- **Price Inflation:** The attacker called the `sync()` function on the PancakeSwap pool, forcing the Automated Market Maker (AMM) to recalculate the price based on the now-diminished token supply.
- **Drain:** With the price of OLIFE artificially inflated, the attacker swapped their remaining OLIFE tokens for 32 BNB.
### Detection & Response
- **Detection:** Detected by blockchain security monitors (MetaTrustAlert) following the collapse of the token price.
- **Response Actions:** Public alerts were issued; however, due to the nature of the exploit and the 100% price drop, the liquidity was effectively extracted before manual intervention was possible.
## Attack Methodology
- **Initial Access:** Smart contract exploit facilitated by flash loans.
- **Persistence:** N/A (Atomic transaction exploit).
- **Privilege Escalation:** N/A.
- **Defense Evasion:** Use of flash loans to obscure the source of initial capital.
- **Credential Access:** N/A.
- **Discovery:** Exploitation of a configuration flaw where the AMM pool address was not excluded from deflationary rewards/burns.
- **Lateral Movement:** N/A (On-chain asset movement).
- **Collection:** High-frequency trading to trigger the `_reflectFee` and `burn` mechanisms.
- **Exfiltration:** Conversion of manipulated OLIFE tokens into 32 BNB via PancakeSwap.
- **Impact:** Total depletion of pool liquidity and 100% devaluation of the OLIFE token.
## Impact Assessment
- **Financial:** Loss of approximately 32 BNB.
- **Data Breach:** None (Financial exploit only).
- **Operational:** The OLIFE token contract and its primary liquidity pool are effectively defunct.
- **Reputational:** Significant loss of investor trust; project reported as "dropped -100%" by security firms.
## Indicators of Compromise
- **Transaction Hash:** `0xa21692ffb561767a74a4cbd1b78ad48151d710efab723b1efa5f1e0147caab0a`
- **Behavioral Indicators:** High frequency of transfers/swaps within a single block followed by a `sync()` call on a PancakeSwap Pair.
- **Impacted Asset:** OLIFE Token (BSC)
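The behavioral indicator above can be turned into a detection rule. The following is an added example (my own code, not from the report or any monitoring vendor) that groups decoded pair events by block and flags a `sync()` call preceded by a burst of transfers or swaps on the same pair. The event shape, addresses and transaction hashes are constructed placeholders; a real deployment would feed it decoded logs from a node or indexer.

```python
"""Detection rule for 'many transfers/swaps on a pair in one block, then sync()'.
Added example; event records and addresses below are constructed placeholders."""

from collections import defaultdict

PAIR_ADDR = "0xPAIR_PLACEHOLDER"   # constructed, not a real pair address


def ev(block, tx, fn, pair=PAIR_ADDR):
    """One decoded log/call: block number, tx hash, pair touched, function."""
    return {"block": block, "tx": tx, "pair": pair, "fn": fn}


# Constructed trace: tx A churns the pair eight times and then sync()s it in
# block 100; tx B is a routine swap followed by the pair's own sync in block 101.
EVENTS = (
    [ev(100, "0xTX_A_PLACEHOLDER", "transfer") for _ in range(8)]
    + [ev(100, "0xTX_A_PLACEHOLDER", "sync")]
    + [ev(101, "0xTX_B_PLACEHOLDER", "swap"), ev(101, "0xTX_B_PLACEHOLDER", "sync")]
)


def detect_churn_then_sync(events, threshold=5):
    """Return one alert per (block, pair) where at least `threshold` transfer or
    swap events touch the pair before a sync() call on it in the same block."""
    groups = defaultdict(list)
    for e in events:                       # input is assumed to be in log order
        groups[(e["block"], e["pair"])].append(e)
    alerts = []
    for (block, pair), evs in groups.items():
        churn = 0
        for e in evs:
            if e["fn"] in ("transfer", "swap"):
                churn += 1
            elif e["fn"] == "sync" and churn >= threshold:
                alerts.append({"block": block, "pair": pair,
                               "churn_before_sync": churn,
                               "txs": sorted({x["tx"] for x in evs})})
                break                      # one alert per block/pair is enough
    return alerts


if __name__ == "__main__":
    for a in detect_churn_then_sync(EVENTS):
        print("ALERT", a)
```

The threshold is the tuning knob: a normal swap through the router produces one or two transfers and a sync, so a burst well above that in a single block, followed by sync, is the pattern worth paging on. Pair the alert with a reserve check (reported balance versus the last synced reserve) to cut false positives from legitimately busy blocks.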
## Response Actions
- **Containment:** Monitoring of the attacker's wallet address for movement of funds.
- **Eradication:** Discussion within the security community to clarify that the issue was a configuration error (omission from denylist) rather than a flaw in the dynamic supply logic itself.
- **Recovery:** N/A.
## Lessons Learned
- **Exclusion Lists are Critical:** Deflationary tokens must explicitly exclude AMM liquidity pools from "reflection" or "burn" mechanisms to prevent secondary price manipulation.
- **Sync Risks:** On Uniswap V2-style pairs `sync()` is permissionless, so any external actor can trigger it after manipulating the underlying supply ratio; this is a significant attack vector in DeFi.
- **Configuration vs. Logic:** Security audits must focus not just on the code's logic, but on the deployment configurations (addresses added to whitelists/denylists).
## Recommendations
- **Audit Configuration Parameters:** Ensure all AMM (PancakeSwap, Uniswap) pair addresses are added to the `isExcluded` list for rewards and supply adjustments.
- **Slippage Protection:** Implement more robust slippage and price-impact checks for large trades.
- **Emergency Pause:** Implement a circuit breaker or "pause" functionality in the token contract to halt trading in the event of anomalous supply fluctuations.