Crosswise exploited for $880,000 due to bug in smart contract
The Crosswise token was exploited on Binance Smart Chain, for a total loss to the protocol of 880,000 dollars. The attacker used a privileged function in the smart contract to set the trustedForwarder and then hijack the owner privilege of the Crosswise MasterChef. This privileged function was publicly exposed.
Folks at PeckShield further added that the initial funds to launch the hack were withdrawn from TornadoCash and that the gains, too, were washed using the same service.
For those who are unaware of TornadoCash, it is a service used by people to wash funds so that they become untraceable. That does not mean TornadoCash hides the funds on the blockchain: the funds are still there, but simply harder to find.
So was this really a hack? You see, Crosswise, by mistake, left a function that sets a critical parameter available to _anyone_. The bug is simple and easy to understand. Why not include a modifier to ensure that the trusted forwarder is always equal to an address, or taken from an array of addresses, specified in the constructor or a contract variable?
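The modifier suggested above, sketched as an added example (not code from Crosswise): the unrestricted setter the article describes is shown commented out beside a restricted one. The contract name, the allowlist mapping, the event and the extra owner-only check are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; names are hypothetical, not from the Crosswise code base.
contract ForwarderConfig {
    address public immutable owner;
    address public trustedForwarder;
    // Forwarders approved at deployment; nothing outside this set can be selected.
    mapping(address => bool) public allowedForwarder;

    event TrustedForwarderChanged(address indexed previous, address indexed current);

    constructor(address[] memory forwarders) {
        owner = msg.sender;
        for (uint256 i = 0; i < forwarders.length; i++) {
            require(forwarders[i] != address(0), "zero forwarder");
            allowedForwarder[forwarders[i]] = true;
        }
    }

    // Checks msg.sender directly rather than a meta-transaction sender, so the
    // forwarder setting can never be used to authorize its own change.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // The modifier the article asks for: the value must come from the
    // constructor-supplied list.
    modifier onlyAllowedForwarder(address forwarder) {
        require(allowedForwarder[forwarder], "forwarder not allowlisted");
        _;
    }

    // WEAK form, as the article describes it: callable by anyone.
    // function setTrustedForwarder(address forwarder) external {
    //     trustedForwarder = forwarder;
    // }

    // HARDENED form: restricted caller and restricted value, with an event
    // so that any change is visible to on-chain monitoring.
    function setTrustedForwarder(address forwarder)
        external
        onlyOwner
        onlyAllowedForwarder(forwarder)
    {
        emit TrustedForwarderChanged(trustedForwarder, forwarder);
        trustedForwarder = forwarder;
    }
}
```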
4/4 The initial funds to launch the hack are withdrawn from @TornadoCash. The resulting gains are washed via @TornadoCash pic.twitter.com/kMvJvvckbj
— PeckShield Inc. (@peckshield) January 18, 2022
Anyway, due to this bug/mistake in the smart contract, the Crosswise token came crashing down from $1.4 to $0.2 in a matter of minutes.