The decentralized finance (DeFi) sector is facing a new wave of targeted exploits as the Asterix (ASTX) project becomes the latest victim of a smart contract vulnerability. On June 8, 2024, attackers successfully drained liquidity from the project's Uniswap v4 pool, leveraging a flaw identical to those seen in recent exploits against Flooring Protocol and BMP. Security experts highlight that the breach is part of a broader trend where malicious actors are actively scanning for systemic weaknesses in experimental token standards.
Mechanism of the Asterix Exploit
According to reports from blockchain security firm SlowMist, the attack on Asterix resulted in the loss of approximately 30 ETH via a series of 242 rapid transactions. The vulnerability originated from an early version of the DN404 protocol, a hybrid standard designed to combine the features of fungible and non-fungible tokens. The root cause was identified as a lack of token ID limit checks during approval operations, which allowed for a high-order NFT ID displacement.
- The attacker exploited outdated token approvals to manipulate the contract state.
- By utilizing forged IDs, the perpetrator executed a loop operation to extract tokens repeatedly.
- The funds were depleted as the attacker sold the inflated token balance for Ethereum (ETH) within the liquidity pool.
Common Vulnerabilities in Hybrid Protocols
SlowMist founder Yu Xian noted that this incident is not isolated, pointing to a pattern of "common vulnerabilities" being hunted by attackers across different implementations of 404-style protocols.
The attack Asterix suffered is similar to yesterday's Flooring Protocol and BMP (one underlying protocol is DN404, one is BT404), and the high-order NFT ID displacement operation overflows and is reused. It seems the attackers are looking for common vulnerabilities.
DN404 and BT404 are experimental standards that aim to improve NFT liquidity but often lack the rigorous auditing of established standards like ERC-20 or ERC-721. The recurrence of these issues suggests that projects utilizing these specific codebases may share the same architectural risks regarding ID overflow and reuse.
The Asterix team has confirmed that since smart contracts are immutable, the existing contract cannot be patched to fix the flaw. Consequently, the team has advised all users to cease interactions with the affected contract immediately to prevent further losses. This incident serves as a stark reminder of the inherent risks associated with early-stage blockchain protocols and the importance of comprehensive security audits before deploying capital into Uniswap v4 or other decentralized exchange pools.
Frequently Asked Questions
Quick answers to the most common questions about this topic.